Security/Meetings/2011-07-20

From MozillaWiki

Prioritizing security features

  • Concern that we're falling behind Chrome and even IE on some security features
    • See Brandon's email to security-group (private list) for details on the concern
    • Fixing and blogging would be good PR in addition to protecting users and sites
  • "EverythingElseSmash": prioritization & getting help from the platform team
  • Brandon & Ian will be triaging the long list of sg:low and sg:want bugs next week
  • Should also ensure we have bugs on the security features that the Chrome & IE teams have been blogging about.
  • Grouping a set of related bugs into a project / feature page / metabug can help get people interested

Security roadmap changes

Black Hat

  • [chofmann] Hotel updates
    • Caesars extensions (e.g. for people staying for DEFCON) done
    • Caesars out of rooms, so late signups will be staying somewhere else (Flamingo?)
  • Attendees, please update https://intranet.mozilla.org/ConferencesSchedule/Blackhat2011
    • Party signups
    • Talk signups. Let's indicate which talks we're going to.
    • Dinner signups
  • What should we discuss with PR beforehand?
    • Always ok to say "I don't know, I'll get back to you"
    • JIT compiler talk
    • SSL controversies (cert ui, dnssec, protocol holes)
    • Schedule a meeting? Start an email thread with BH attendees and PR team?

Anti-tampering: user.js

Writing for the security blog

https://blog.mozilla.com/security/

  • Information about team members
    • How to find us at Black Hat & DEF CON
    • Find us on irc in #security and #fuzzing
  • Security features, EverythingElseSmash, Roadmap
    • Help us prioritize
    • Help us fix
  • Help us figure out web compatibility impact of feature X we're contemplating. (Short posts are okay!)
  • Success of CritSmash? Maybe not.
  • What RapidRelease means for security
    • We can get security features into Firefox faster
    • Improves testing of fixes for security bugs, but constrains secrecy.
  • Recent changes to the sec-review process. (Curtis will write this.)
    • Examples of successes (e.g. finding problems in CSS transitions implementation and in the ServerSentEvent spec)
    • Bugzilla keywords
    • How to subscribe to the calendar and dial in to meetings you're interested in
    • How we pick out features that need security reviews (when developers and product managers don't come to us)
    • When we hold meetings and when we just have one person poke at it
  • Bug bounty winners. (Dan and Chofmann will write this.)
    • So far most bounty winners have said they're cool with us mentioning their names in public

XSS filter update (Riccardo)

  • Will schedule security review

DNSSEC update (David Keeler)