Closed
Bug 831430
Opened 11 years ago
Closed 11 years ago
Security questions about Bango header auth and cc payments
Categories
(Marketplace Graveyard :: Payments/Refunds, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
2013-02-07
People
(Reporter: kumar, Assigned: steve)
References
Details
(Whiteboard: u=mkt p=1)
We'd like to get answers to the following questions from Bango and/or Telefonica: https://etherpad.mozilla.org/20mJlfcI9O

This will help us understand what kind of threats are possible for spoofing payments when Marketplace hands it off to Bango.
Reporter
Updated•11 years ago
Blocks: marketplace-payments
Priority: -- → P1
Reporter
Updated•11 years ago
Assignee: nobody → sruston
Comment 1•11 years ago
I've replied to the questions in the etherpad. Our infosec team might have some additional feedback, if so I'll update the etherpad again.
Comment 2•11 years ago
Kumar sounded happy with this in the email. Is there more to do?
Whiteboard: u=mkt p=
Target Milestone: --- → 2013-01-24
Comment 3•11 years ago
I have asked for clarification in the etherpad.
Updated•11 years ago
Target Milestone: 2013-01-24 → 2013-02-07
Version: 1.0 → 1.1
Updated•11 years ago
Whiteboard: u=mkt p= → u=mkt p=1
Assignee
Comment 4•11 years ago
David, can you provide the link to where we can find the Header flow on your Redmine site and the relevant access credentials?
Assignee: sruston → dll
Comment 5•11 years ago
https://bvpartner.tid.es/redmine/projects/bangoowd/wiki/APIs-Mobile_ID
user: sruston@mozilla.com
pass: you will receive it by email
Comment 6•11 years ago
To address the security questions: we ONLY accept requests coming with MSISDNs in headers as long as they come from a preconfigured list of source IP addresses that we also use to know the origin operator. Of course, we also check the format of the HTTP header we receive from the operator (that info is not public, but it does not include signatures).
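The check described in comment 6, sketched as an added example that is not part of the original thread and is not Bango's or Telefonica's code. The header name, the MSISDN format and the IP ranges are constructed placeholders, since the real header format and operator address list are not public.

```python
import ipaddress
import re

# Constructed placeholders: the real header name, header format and operator
# source ranges are not public, so none of these values come from the thread.
MSISDN_HEADER = "X-Example-MSISDN"            # hypothetical header name
OPERATOR_NETWORKS = {                          # RFC 5737 documentation ranges
    "operator-a": [ipaddress.ip_network("192.0.2.0/24")],
    "operator-b": [ipaddress.ip_network("198.51.100.0/25")],
}
MSISDN_RE = re.compile(r"[1-9][0-9]{7,14}")   # assumed format: 8-15 digits


def operator_for(peer_ip):
    """Return the operator whose preconfigured range contains peer_ip, else None."""
    addr = ipaddress.ip_address(peer_ip)
    for operator, networks in OPERATOR_NETWORKS.items():
        if any(addr in net for net in networks):
            return operator
    return None


def authenticate(peer_ip, headers):
    """Decide whether an MSISDN header may be trusted.

    peer_ip is the address of the TCP peer as seen by the server, not a value
    copied from a request header such as X-Forwarded-For.
    headers is a list of (name, value) pairs so duplicates stay visible.
    Returns (operator, msisdn), or (None, None) when the header is ignored.
    """
    values = [v for k, v in headers if k.lower() == MSISDN_HEADER.lower()]
    if not values:
        return (None, None)          # no header: use another auth path
    operator = operator_for(peer_ip)
    if operator is None:
        return (None, None)          # source not on the preconfigured list
    if len(values) != 1:
        return (None, None)          # duplicated header is ambiguous
    if not MSISDN_RE.fullmatch(values[0]):
        return (None, None)          # header value fails the format check
    return (operator, values[0])
```

Because the header carries no signature, the source-address match is the only thing binding the MSISDN to an operator, so the peer address has to be the one observed on the connection itself.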
Assignee
Updated•11 years ago
Assignee: dll → rforbes
Assignee
Comment 7•11 years ago
Ray, can you confirm the info on the BV wiki covers what you need?
Assignee
Comment 8•11 years ago
David, can we take the header information from your Wiki and put it on our public wiki?
Assignee: rforbes → dll
Updated•11 years ago
Version: 1.1 → 1.2
Assignee
Updated•11 years ago
Assignee: dll → sruston
Reporter
Comment 9•11 years ago
David answered this on the call: it is not public information so we need to store it privately in mana or somewhere.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED