740830 - Secreview: In App Payment - AppSecret revocation/replacement

Status: RESOLVED FIXED

(mozilla.org :: Security Assurance, task)

Description

[Curtis Koenig [:curtisk-use curtis.koenig+bzATgmail.com]]]

what do app servers do in case of AppSecret compromise? need revocation/replacement mechanism (write up for MDN) 

this bug blocks market rollout

Comment 1

[krupa raj[:krupa]]

Making this bug p1 for April 26th launch. Feel free to demote the bug if that's not the case.

Comment 2

[Wil Clouser [:clouserw]]

What's the status of this bug?  Does it still block?

Comment 3

[Curtis Koenig [:curtisk-use curtis.koenig+bzATgmail.com]]]

Yes, per the security review this is a blocker for rolling out the marketplace.

Comment 4

[Wil Clouser [:clouserw]]

Where is the plan/eta?  next steps?  Are you talking about blocking the final launch or an intermediate launch?

Comment 5

[Curtis Koenig [:curtisk-use curtis.koenig+bzATgmail.com]]]

the plan or eta should be coming from Mark (assignee) and this would block final launch.

Comment 6

[Mark Giffin [:markg]]

I do not have enough info on this to write it. Can someone give me some raw info to use for my MDN write-up on this?

Comment 7

[Mark Giffin [:markg]]

I have added info on how to handle a compromised app secret to MDN here:
https://developer.mozilla.org/en/Apps/In-app_payments#section_5

I can't tell if this bug is docs only, or if it also requires code from someone else. So I did not change its status to RESOLVED.

Comment 8

[Curtis Koenig [:curtisk-use curtis.koenig+bzATgmail.com]]]

CC :rforbes as he was the lead on this bug is not on this bug

Comment 9

[Kumar McMillan [:kumar]]

There is a current process in place where app developers can revoke a compromised secret in a timely manner. Mark has documented this so I'm closing the bug. Take note that there will be an optimized UI flow for this in bug 738368 but that's just an enhancement.