Security/Meetings/2011-06-29
From MozillaWiki
DNSSEC update
- David Keeler is currently experimenting with standalone programs that verify DNSSEC chains.
- For more information, see https://wiki.mozilla.org/Security/DNSSEC-TLS.
- Let's turn this page into a feature page (or additionally make a feature page).
Reminders
- Book your flights for Black Hat, and change your hotel reservation if needed.
- You can ask for an Android device: a phone (without service) or a tablet. File an IT request, CCing Lucas.
- If you could use it as your primary mobile device (filing bugs as you run into them), you should probably ask for one.
- If you would develop on it, you should definitely ask for one.
- Asking for a tablet (rather than a phone) is fair game, since a tablet costs about the same as an unsubsidized phone, and our policy allows you to get phones unsubsidized.
Q3 goals
We've been asked to come up with a list of three goals.
Comments about picking goals
- most important
- most impactful
- support the wider goals
- forward looking, as opposed to catch-up and "stuff we'd be doing anyway"
Comments about writing goals
- [Curtis] Goals should IMO follow the SMART format (Specific, Measurable, Achievable, Results Oriented, Time bound) for the final format, once we decide what we want.
- The last merge date of the quarter is 2011-09-27 (Firefox 9 -> mozilla-aurora; Firefox 8 -> mozilla-beta; Firefox 7 -> mozilla-release)
Nominations
- [Jesse] Root cause analysis of some security bugs in two components.
- Recommend how to reduce security holes in those components
- Recommend rules of thumb for when/how to do RCA.
- Recommend a process for how we can build RCA into our life cycle: do it for every sg:crit as it comes in, or for every component occasionally.
- JS is very likely. DOM and Layout are good candidates.
- Does anything on Security/Roadmap rise to the level of a team goal?
- XSS filter
- DNSSEC (perhaps just the CA-lock part, in nightly)
- Mixed content (good timing wrt chrome)
- Click-to-play plugins
- iframe sandbox (good timing wrt ie) (plugin questions)
- Let us choose later: "Get a P1 or P2 security-roadmap feature added in Nightly"
- [bsmith] Write recommendations for web app security, especially for apps that were formerly native apps.
- So we know what security features the web platform is missing (e.g. crypto, logout, iframe sandbox, link fingerprints)
- Is this something we'd do jointly with infrasec or webdev?
- [Curtis] All major features complete a security discussion before landing in Aurora for FX 7,8,9
- [imelven] ARM fuzzing
- But we barely have regression testing working on ARM, and fixing that doesn't really seem like a job for the security team. They are currently working to improve this situation.
- [Lucas] Embed into the following teams: ... (identity: Sid/Curtis) (webapps: bsterne)
- [Jesse] Remove barriers to https (DNSSEC, no-cache, cache defaults)
- The perf parts are already a Networking Team goal :)
Winners
- XSS filter on mozilla-central in time for 9 Aurora (2011-09-27).
- Root cause analysis of enough bugs in two components to come up with recommendations for how to include RCA in our security lifecycle.
Homework
- Improve wording for goals
- Debate third goal over email?