On Apr 17, 2013, at 7:04 PM, Brian Smith <bsm...@mozilla.com> wrote:
>
> I see. Seems like we could look to AWS, PayPal, Google Checkout, etc. to see how they deal with these issues.
Google Wallet is nearly an identical system. I can't tell for sure but I think they do require HTTPS for postbacks:
https://support.google.com/payments/answer/1385297?hl=en
>
> If there is a replay, does the user lose money or does the developer lose something?
Only the developer loses. A customer could use a replay attack to turn a legitimate purchase of 1 unicorn into 1000 unicorns at no extra charge (until the JWT expires) if the app does not prevent replays.
> If it isn't possible to take money from the user without the user's consent then I think it seems OK to not require SSL if the developer is willing to take that risk,
I can't think of how a user can lose money with a replay because postbacks do not affect how money is charged to the customer. All that happens over HTTPS either on Mozilla's servers or Bango's servers.
> as long as no personally-identifiable information is being sent over an insecure channel.
Correct. No personal info is in a JWT. It defines the product for sale, the price, description, and so on. Example:
https://developer.mozilla.org/en-US/docs/Apps/Publishing/In-app_payments#Set_up_your_server_to_sign_JWTs
Handling user identity is out of scope for mozPay(). The way Marketplace does it is to pass a custom transaction ID through the JWT that it can later reconcile with a user ID.
> And, if it is possible for a replay to cost the user money without the user's consent then that seems like a more general and more serious problem, as the amount of money the user spends shouldn't depend on how well the app defends against replays.
Anything the app does wrong would only cause the developer to lose money or make the customer unhappy. The app can do a lot of things wrong:
- it can choose not to wait for postback notices at all
- it can choose not to verify JWT signatures
- it can fail to ensure a transaction ID gets processed only once (replay attack)
- it can take someone's money and not deliver the goods
The documentation will hopefully make these risks clear. Mozilla will also notify developers when it encounters errors (like postback failures) and we may disable payment keys after a certain number of failures, complaints, etc.
>
> Cheers,
> Brian
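An added example (not code from the original thread or from Mozilla's in-app payment service) of a postback handler that closes the first three gaps listed above: it verifies the HS256 signature before trusting any claim, rejects expired tokens, and fulfils each transaction ID at most once. The claim layout, `APP_SECRET`, and the `response.transactionID` field are assumptions made for this example.

```python
import base64, hmac, hashlib, json, time

# Secret shared between the developer and the payment service (constructed value).
APP_SECRET = b"constructed-example-secret"

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_jwt(claims, secret=APP_SECRET):
    """Produce an HS256 JWT; used here only to build sample postbacks."""
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"

# Stand-in for a durable store with a unique index on the transaction ID.
seen_transactions = set()

def handle_postback(token, secret=APP_SECRET, now=None):
    """Return ('fulfilled', txid) or ('rejected', reason); deliver goods only on 'fulfilled'."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header = json.loads(_b64url_decode(head))
        claims = json.loads(_b64url_decode(body))
        given_sig = _b64url_decode(sig)
    except ValueError:  # covers bad base64 and bad JSON as well
        return ("rejected", "malformed")
    # Pin the algorithm so an attacker-chosen header cannot downgrade verification.
    if header.get("alg") != "HS256":
        return ("rejected", "unexpected alg")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):  # constant-time compare
        return ("rejected", "bad signature")
    if claims.get("exp", 0) < now:
        return ("rejected", "expired")
    txid = claims.get("response", {}).get("transactionID")  # assumed field name
    if not txid:
        return ("rejected", "no transaction ID")
    # Replay defence: a transaction ID that was already fulfilled is never fulfilled again.
    if txid in seen_transactions:
        return ("rejected", "replayed transaction")
    seen_transactions.add(txid)
    return ("fulfilled", txid)
```

In production the `seen_transactions` check and insert must be one atomic operation (for example an INSERT on a unique column), otherwise two concurrent replays can both pass the check.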