Bug 862588 - No longer require apps to use HTTPS for in-app payments
Status: RESOLVED FIXED
[qa-]
Product: Marketplace
Classification: Server Software
Component: Payments/Refunds
: 1.2
: All All
: P3 normal
: 2013-08-13
Assigned To: Kumar McMillan [:kumar] (needinfo all the things)
Blocks: marketplace-payments
Reported: 2013-04-16 15:55 PDT by Kumar McMillan [:kumar] (needinfo all the things)
Modified: 2013-08-09 05:35 PDT

Description Kumar McMillan [:kumar] (needinfo all the things) 2013-04-16 15:55:17 PDT
To make a developer's life easier, no longer require HTTPS for in-app payments. See this thread for rationale: https://groups.google.com/d/msg/mozilla.dev.webapps/4cSWLJ-3Ahs/L5C5gjFUqikJ

Summary:
- SSL certs can be bought cheaply in the US/Europe
- However, certs might be prohibitively expensive in some economies (like emerging markets)
- SSL is *not* required to make in-app payments secure
- SSL will probably make replay attacks harder if the app is susceptible to such

As part of this feature, let's add these things to the docs:
- a big red warning urging developers to use HTTPS if possible
- an explanation of replay attacks and how to protect an app against replays
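
The replay concern from the description, as an added example that is not part of the original bug or the Marketplace code: a postback receiver that checks the JWT's HMAC, so tampering is caught even over plain HTTP, and refuses to fulfil the same transaction twice. The `exp` and `response.transactionID` claim names, the `PostbackVerifier` class and the secret used to build sample tokens are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def mac(secret: bytes, head: str, body: str) -> bytes:
    return hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()

def sign_jwt(claims: dict, secret: bytes) -> str:
    """Issuer side, used here only to construct sample postbacks."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{b64e(mac(secret, head, body))}"

class PostbackVerifier:
    """App-server side: authenticate a postback and fulfil it at most once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen = set()  # assumption: production uses a durable store with a unique key

    def accept(self, token: str, now: float) -> str:
        try:
            head, body, sig = token.split(".")
            header, given = json.loads(b64d(head)), b64d(sig)
        except ValueError:
            return "malformed"
        # Pin the algorithm; never let the token choose how it is verified.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return "bad-alg"
        # Integrity comes from the HMAC, not the transport, so this holds over HTTP.
        if not hmac.compare_digest(mac(self.secret, head, body), given):
            return "bad-signature"
        claims = json.loads(b64d(body))
        if claims.get("exp", 0) <= now:
            return "expired"
        # A captured token still verifies until exp; only this check stops a resend.
        txn = claims.get("response", {}).get("transactionID")
        if not txn:
            return "malformed"
        if txn in self.seen:
            return "replay"
        self.seen.add(txn)
        return "ok"
```
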
Comment 1 Jason Smith [:jsmith] 2013-04-17 00:50:05 PDT
Okay, I'm confused. Is the work in this bug client-side in the mozPay level, gaia system level, and/or marketplace level?
Comment 2 Kumar McMillan [:kumar] (needinfo all the things) 2013-04-17 13:50:48 PDT
It's entirely at the marketplace level; it does not impact the client in any way. Is it ok to block bug 775802 for our tracking purposes?
Comment 3 Jason Smith [:jsmith] 2013-04-17 14:00:22 PDT
(In reply to Kumar McMillan [:kumar] from comment #2)
> It's entirely at the marketplace level; it does not impact the client in any
> way. Is it ok to block bug 775802 for our tracking purposes?

Yes, that makes sense.
Comment 4 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2013-05-16 21:07:35 PDT
I think it is important to note in the implementation of this that no PII is allowed to be sent over a non-HTTPS connection, which means that in general the marketplace <-> app developer server communication cannot contain PII.
Comment 5 Kumar McMillan [:kumar] (needinfo all the things) 2013-05-17 09:00:00 PDT
what is PII?
Comment 6 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2013-05-17 10:16:50 PDT
(In reply to Kumar McMillan [:kumar] from comment #5)
> what is PII?

Personally identifiable information: people's names, email addresses, social security numbers, addresses, phone numbers, other unique identifiers mapped to a person.
Comment 7 Kumar McMillan [:kumar] (needinfo all the things) 2013-05-17 10:55:18 PDT
Ah, good point. Mozilla would never send this information but a developer might transmit this information unknowingly in the productData JWT field. I'll add a warning in the docs to urge developers not to send PII.
Comment 8 Kumar McMillan [:kumar] (needinfo all the things) 2013-08-07 13:08:02 PDT
This fix has landed: https://github.com/mozilla/webpay/commit/638d50138cc42d951f615c83a146bce103c8c8bb

The documentation has a scary callout about the risks of using HTTP postbacks: https://developer.mozilla.org/en-US/docs/Web/Apps/Publishing/In-app_payments#Use_HTTPS_postback.2Fchargeback_URLs
Comment 9 Iulian Timis 2013-08-08 08:28:00 PDT
Please add STR here or mark it with [qa-] if no QA is needed.
Comment 10 Kumar McMillan [:kumar] (needinfo all the things) 2013-08-08 09:58:42 PDT
STR would be:
- set up an app to do in-app payments per https://developer.mozilla.org/en-US/docs/Web/Apps/Publishing/In-app_payments
- configure the app with an HTTP postback
- make a non-simulated payment, which means setting up a fake bank account in dev/stage

These steps are non-trivial, so if you want to mark it as [qa-] then I'll leave it up to you.

Here's an example app that you could work from: https://github.com/kumar303/inapp-pay-test
Comment 11 Iulian Timis 2013-08-09 05:35:01 PDT
I'm not sure how to make a non-simulated payment using the app you provided. I'll mark it as [qa-]
