Closed
Bug 739699
Opened 12 years ago
Closed 12 years ago
Change receipt to store user hash not the email
Categories
(addons.mozilla.org Graveyard :: Code Quality, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
6.5.0
People
(Reporter: andy+bugzilla, Assigned: andy+bugzilla)
Currently we store the email in the receipt and in the Installed model. Let's change that to storing a hash as specified in https://wiki.mozilla.org/Apps/WebApplicationReceipt#the_user_field
Assignee
Comment 1•12 years ago
Part of the process of validating a receipt on the client is to check the user field against browserid. Do we still plan on doing that? It feels like this would break it unless we can let browserid know about the hash.
Comment 2•12 years ago
No, the identity verification is now not part of the receipt verification.
Assignee
Comment 3•12 years ago
Sold.
Comment 4•12 years ago
Does this mean we won't have any built-in protection against people sharing receipts?
Comment 5•12 years ago
(In reply to Ian Bicking (:ianb) from comment #4)
> Does this mean we won't have any built-in protection against people sharing
> receipts?

The conclusion we came to is that we don't have meaningful built-in protection to begin with, e.g. shared accounts, shared assertions, etc. Once you're copying receipts around, generating shared assertions for bogus shared identities is not that much harder. So the privacy leak of revealing the user's identity by default doesn't seem worth it :)
Assignee
Comment 6•12 years ago
https://github.com/mozilla/zamboni/commit/31bb4e
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•8 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard
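The change requested in the description, and the privacy point from comment 5, as an added example that is not code from this bug or from the zamboni commit: it builds the receipt's user field in the email form and in a hashed form, and adds a regression check that the field no longer carries an address. The field names, the `user-hash` type label, the HMAC-SHA256 construction and the secret are assumptions; the hash the wiki page specifies is not reproduced on this page.

```python
import hashlib
import hmac
import re

SERVER_SECRET = b"constructed-demo-secret"  # assumption: key held only by the server
CANDIDATES = ["bob@example.com", "alice@example.com"]  # constructed sample addresses
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def _norm(email):
    # Normalise so the same account always maps to the same identifier.
    return email.strip().lower().encode("utf-8")


def plain_hash(email):
    """Unkeyed SHA-256: anyone who can guess the address can confirm it."""
    return hashlib.sha256(_norm(email)).hexdigest()


def keyed_hash(email, secret=SERVER_SECRET):
    """HMAC-SHA256: stable per user, not checkable without the server key."""
    return hmac.new(secret, _norm(email), hashlib.sha256).hexdigest()


def receipt_user(email, hash_fn=None):
    """Build the receipt's user field; hash_fn=None gives the old email form."""
    if hash_fn is None:
        return {"type": "email", "value": email}
    return {"type": "user-hash", "value": hash_fn(email)}  # hypothetical type label


def confirm_guess(value, candidates, hash_fn):
    """Return the candidate address whose hash equals value, else None."""
    for candidate in candidates:
        if hmac.compare_digest(hash_fn(candidate), value):
            return candidate
    return None


def leaks_email(user_field):
    """Regression check: does the user field still carry an address?"""
    return bool(EMAIL_RE.search(str(user_field["value"])))


if __name__ == "__main__":
    for fn in (None, plain_hash, keyed_hash):
        field = receipt_user("alice@example.com", fn)
        print(field["type"], leaks_email(field),
              confirm_guess(field["value"], CANDIDATES, plain_hash))
```
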