Closed
Bug 742751
Opened 13 years ago
Closed 13 years ago
Encrypt in-app payment secrets
Categories
(addons.mozilla.org Graveyard :: API, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
6.5.2
People
(Reporter: kumar, Assigned: kumar)
+++ This bug was initially created as a clone of Bug #736573 +++

For an app to talk securely to the marketplace it needs to encrypt all requests with its secret (provided on sign-up in bug 703093).

Instead of storing plain text secrets in the database we can store an encrypted secret in the database using a secure key. The marketplace app will have two main parts:
- when a secret is generated on the management pages, encrypt/decrypt using a key file
- when an app makes a payment request, decrypt its secret to verify the request

Some concerns:
- the key will need to be stored in a vault away from the db
- we need a way to rotate the key easily

For reference: http://dev.mysql.com/doc/refman/5.5/en/encryption-functions.html#function_aes-decrypt
Comment 1•13 years ago
Is this really a blocker? I thought we decided we weren't going to do this. Or was that just off the HSM?
Assignee: nobody → kumar.mcmillan
Comment 2•13 years ago
AFAIK, we do still need to encrypt them, but we don't need to use the HSM to do it.
Comment 3•13 years ago
Last I heard, security said encryption was a blocker. rforbes, is that still correct? Otherwise we're storing plaintext payment secrets in the db.
Updated•13 years ago
Target Milestone: --- → 6.5.1
Updated•13 years ago
Target Milestone: 6.5.1 → 6.5.2
Comment 4•13 years ago
This has been fixed: https://github.com/mozilla/zamboni/commit/32883fe58a89b3f429a0512fd1f9ea50c4e33c66

To deploy this we need:

    python manage.py genkey

which will create a key file. The path to that file needs to be set in INAPP_KEY_PATH. I'll add these to our deploy notes.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated•9 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard
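Added example (not part of the bug thread and not zamboni's code): one way to implement the scheme discussed above in Python, with the key kept in a file outside the database and rotation done by re-encrypting stored values under a new key. It assumes the third-party `cryptography` package; every function name, file name and the sample secret are constructed for illustration.

```python
import os
import tempfile
from cryptography.fernet import Fernet, InvalidToken, MultiFernet


def write_key_file(path):
    """Create a new key file readable by its owner only (hypothetical helper)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(Fernet.generate_key())


def load_keys(paths):
    """First path is the current key (encrypts); the rest only decrypt."""
    keys = []
    for path in paths:
        with open(path, "rb") as fh:
            keys.append(Fernet(fh.read().strip()))
    return MultiFernet(keys)


def encrypt_secret(box, secret):
    return box.encrypt(secret.encode("utf-8"))  # this token is what the db stores


def decrypt_secret(box, token):
    # Raises InvalidToken on a wrong key or an altered token.
    return box.decrypt(token).decode("utf-8")


def rotate_rows(box, rows):
    """Re-encrypt every stored token under the current key."""
    return {app_id: box.rotate(token) for app_id, token in rows.items()}


def demo():
    keydir = tempfile.mkdtemp()
    old_path = os.path.join(keydir, "inapp-old.key")  # constructed names
    new_path = os.path.join(keydir, "inapp-new.key")
    write_key_file(old_path)
    old_box = load_keys([old_path])
    rows = {"app-1": encrypt_secret(old_box, "constructed-secret")}  # db stand-in
    write_key_file(new_path)  # rotation: add a key, then re-encrypt the rows
    rows = rotate_rows(load_keys([new_path, old_path]), rows)
    recovered = decrypt_secret(load_keys([new_path]), rows["app-1"])
    try:
        decrypt_secret(old_box, rows["app-1"])
        old_key_works = True
    except InvalidToken:
        old_key_works = False  # the old key file can now be retired
    return recovered, old_key_works
```

During a rotation both key files must be loadable until every row has been re-encrypted; only then can the old file be removed.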