Processing payments for the paranoid¶
By Andy McKay
- Works at Mozilla
- Presented barefoot
The Mozilla Marketplace is the app store for Firefox OS and this Django powered site takes payments from users.
Combined with issues like localisation, identity and scale, we are processing payments through Django. This talk will cover the marketplace, the architecture of the system and how we cope with all the paranoia.
Who should be paranoid?¶
Everyone should be paranoid:
- Powered by Django
- Don’t call it an “app store”
- accepts payments
- Powered by open source project ‘zamboni’
Report bugs to Mozilla via their reporting system and they’ll pay you.
Steps for purchase¶
- Set up your account with Mozilla
- Purchase and use an app
- Mozilla bills your carrier
All powered by Solitude: https://github.com/mozilla/solitude
Vulnerabilities they had to consider¶
- careful ORM evaluation
Many breaches come from inside the organisation, not from technical attacks from outside.
Wrote anonymizing code
Inside the DB:
- removed personally identifying information
- encrypted other data
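The two bullets above describe the approach taken to the database copy: strip the columns that identify a person, protect the rest. The following is an added illustration of that approach, not code from the talk or from zamboni. The table layout, column names and sample rows are constructed for the example, and keyed hashing (HMAC) stands in for the encryption mentioned in the notes: it keeps the same e-mail mapping to the same token within one export, so joins still work, while the token cannot be reversed without the key. Any column not explicitly classified is dropped, so a new column added to the schema later cannot leak by default.

```python
import hashlib
import hmac

# Constructed sample rows, shaped like a user table; not real data.
SAMPLE_ROWS = [
    {"id": 1, "email": "alice@example.com", "display_name": "Alice",
     "country": "CA", "ip": "203.0.113.7", "last_login": "2013-05-01"},
    {"id": 2, "email": "bob@example.org", "display_name": "Bob",
     "country": "US", "ip": "198.51.100.22", "last_login": "2013-05-02"},
    # Same person as row 1, plus a column the classification does not know about.
    {"id": 3, "email": "Alice@Example.com", "display_name": "Alice",
     "country": "CA", "ip": "203.0.113.9", "last_login": "2013-05-03",
     "notes": "called support, gave phone number"},
]

# Column classification (assumed for this example):
REMOVE_FIELDS = {"display_name", "ip"}     # personally identifying: drop outright
PSEUDONYMIZE_FIELDS = {"email"}             # needed for joins: replace with keyed token
KEEP_FIELDS = {"id", "country", "last_login"}  # not identifying on their own: keep


def pseudonymize(value, key):
    """Keyed hash of a value; stable within one export, not reversible without the key."""
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def anonymize_row(row, key):
    """Return a copy of one row with PII removed and join keys pseudonymised."""
    out = {}
    for field, value in row.items():
        if field in REMOVE_FIELDS:
            continue
        if field in PSEUDONYMIZE_FIELDS:
            out[field] = pseudonymize(value, key)
        elif field in KEEP_FIELDS:
            out[field] = value
        # Any field not classified above is dropped: fail closed rather than leak.
    return out


def anonymize_rows(rows, key):
    """Anonymise a whole result set."""
    return [anonymize_row(row, key) for row in rows]


if __name__ == "__main__":
    # The key must come from somewhere outside the exported data; this is a placeholder.
    export_key = b"placeholder-export-key-not-for-production"
    for row in anonymize_rows(SAMPLE_ROWS, export_key):
        print(row)
```

The key used for the HMAC should live with the anonymisation job and never be shipped alongside the export; a different key per export also prevents tokens from being correlated across dumps.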
Defence in depth
- Python’s urllib does not handle SSL certificates well
- The requests library handles them properly
- wrote django-paranoia to help track security things
Includes a component called paranoid forms, which logs when someone submits a form with fields added or removed.
Includes a special sessions component for Django, which logs when:
- user agent changes
- IP Address changes
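The two django-paranoia features described above are both comparisons against a known baseline: the declared fields of a form on one side, the user agent and IP address recorded when the session was created on the other. Below is an added stand-in for those checks in plain Python, written for this page rather than taken from django-paranoia; the form field names, session attribute names and sample requests are all constructed. The real project hooks these checks into Django's form and session machinery; here they are ordinary functions so the detection logic can be read and run on its own.

```python
import logging

logger = logging.getLogger("paranoia")

# Declared fields of an assumed payment form (constructed for the example).
PAYMENT_FORM_FIELDS = {"csrfmiddlewaretoken", "price", "currency"}

# Session attributes to fingerprint, mirroring the two events the talk lists.
SESSION_FINGERPRINT = ("user_agent", "remote_addr")


def check_form_keys(expected_fields, submitted_data):
    """Compare submitted keys with the form's declared fields.

    Returns the extra and missing field names; both lists empty means the
    submission matches the form exactly.
    """
    submitted = set(submitted_data)
    extra = sorted(submitted - expected_fields)
    missing = sorted(expected_fields - submitted)
    if extra:
        logger.warning("form submitted with unexpected fields: %s", extra)
    if missing:
        logger.warning("form submitted without expected fields: %s", missing)
    return {"extra": extra, "missing": missing}


def check_session(stored, current):
    """Return the fingerprint attributes that differ from the stored session.

    `stored` is what was recorded when the session was created, `current`
    is what the present request carries. An empty list means no change.
    """
    changed = []
    for attr in SESSION_FINGERPRINT:
        if stored.get(attr) != current.get(attr):
            logger.warning("session %s changed from %r to %r",
                           attr, stored.get(attr), current.get(attr))
            changed.append(attr)
    return changed


# Constructed sample requests for a stand-alone run.
SAMPLE_POST = {"csrfmiddlewaretoken": "t0k3n", "price": "0.99",
               "currency": "USD", "is_staff": "1"}
SAMPLE_SESSION = {"user_agent": "Mozilla/5.0 (Mobile; rv:18.0)",
                  "remote_addr": "203.0.113.7"}
SAMPLE_REQUEST = {"user_agent": "Mozilla/5.0 (Mobile; rv:18.0)",
                  "remote_addr": "198.51.100.22"}

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(check_form_keys(PAYMENT_FORM_FIELDS, SAMPLE_POST))
    print(check_session(SAMPLE_SESSION, SAMPLE_REQUEST))
```

Both functions only report; what to do on a hit (log and continue, force re-authentication, reject the request) is a policy decision made by the caller, which keeps the detection reusable across forms and views.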
Just noticed that @andymckay is presenting barefoot at @djangocon @djangofact #djangocon