Security questions about Bango header auth and cc payments

RESOLVED FIXED in 2013-02-07

Status

Marketplace
Payments/Refunds
P1
normal
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: kumar, Assigned: Steve Ruston)

Tracking

2013-02-07
x86
Mac OS X
Points:
---

Details

(Whiteboard: u=mkt p=1)

We'd like to get answers to the following questions from Bango and/or Telefonica:
https://etherpad.mozilla.org/20mJlfcI9O

This will help us understand what kind of threats are possible for spoofing payments when Marketplace hands it off to Bango.
Blocks: 775802
Priority: -- → P1
Assignee: nobody → sruston

Comment 1

6 years ago
I've replied to the questions in the etherpad. Our infosec team might have some additional feedback, if so I'll update the etherpad again.
Kumar sounded happy with this in the email. Is there more to do?
Whiteboard: u=mkt p=
Target Milestone: --- → 2013-01-24
I have asked for clarification in the etherpad.
Target Milestone: 2013-01-24 → 2013-02-07
Version: 1.0 → 1.1
Whiteboard: u=mkt p= → u=mkt p=1
(Assignee)

Comment 4

6 years ago
David, can you provide the link to where we can find the Header flow on your Redmine site and the relevant access credentials?
Assignee: sruston → dll

Comment 6

6 years ago
To address the security questions: we ONLY accept requests coming with MSISDNs in headers as long as they come from a preconfigured list of source IP addresses that we also use to know the origin operator. Of course, we also check the format of the HTTP header we receive from the operator (that info is not public, but it does not include signatures).
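The control described in comment 6 (trust the operator-injected MSISDN header only when the request arrives from a preconfigured operator source range, which also identifies the operator, and validate the header's format), as an added illustration that is not Bango's or Telefonica's code; the header name, operator names and address ranges are constructed placeholders:

```python
"""Trust an operator-injected MSISDN header only from allowlisted source IPs.

Added example; header name, operator names and IP ranges are constructed.
"""
import ipaddress
import re

# Constructed allowlist: source network -> operator it identifies.
OPERATOR_NETWORKS = {
    ipaddress.ip_network("198.51.100.0/24"): "operator-a",
    ipaddress.ip_network("203.0.113.8/29"): "operator-b",
}

MSISDN_HEADER = "x-msisdn"                      # hypothetical header name
MSISDN_RE = re.compile(r"^[1-9][0-9]{7,14}$")   # E.164 digits, no leading '+'


def operator_for(source_ip):
    """Return the operator whose preconfigured range contains source_ip, else None."""
    addr = ipaddress.ip_address(source_ip)
    for net, name in OPERATOR_NETWORKS.items():
        if addr in net:
            return name
    return None


def identify_subscriber(peer_ip, headers):
    """Return (operator, msisdn) if the request is trustworthy, else None.

    peer_ip must be the TCP peer address seen by the edge, never a value
    copied from a client-controlled header such as X-Forwarded-For, since
    the source address is the only thing binding the header to an operator.
    """
    operator = operator_for(peer_ip)
    if operator is None:
        return None  # header from an unknown source is ignored, not trusted
    lowered = {k.lower(): v for k, v in headers.items()}
    msisdn = lowered.get(MSISDN_HEADER)
    if msisdn is None or not MSISDN_RE.fullmatch(msisdn):
        return None  # missing or malformed header: reject rather than guess
    return operator, msisdn
```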
(Assignee)

Updated

6 years ago
Assignee: dll → rforbes
(Assignee)

Comment 7

6 years ago
Ray, can you confirm the info on the BV wiki covers what you need?
(Assignee)

Comment 8

6 years ago
David, can we take the header information from your Wiki and put it on our public wiki?
Assignee: rforbes → dll

Updated

6 years ago
Version: 1.1 → 1.2
(Assignee)

Updated

6 years ago
Assignee: dll → sruston
David answered this on the call: it is not public information so we need to store it privately in mana or somewhere.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED