Security/Meetings/2011-08-31

From MozillaWiki

All-hands travel (lucas)

  • make sure you have it, and all is worked out

Roadmaps and feature pages (sid)

  • Fleshing out feature pages for our area
    • curtisk will assist with inbox triage
  • If you know of features we need make pages or get with Curtis and Sid for assistance

CAs

  • ding dong a root is dead

Proposal for improvement of Security Review process (decoder)

  • A sequence diagram/interaction diagram/data flow diagram could help us understand the feature
    • this is more necessary for deeper reviews than for initial reviews
    • would be very helpful for threat modeling, test plans, & penetration testing
    • would help find areas of risk in the design that may not otherwise be evident
  • We need to come up with criteria and a model that everyone is comfortable with and that is not too heavy

Sync changes

  • they want to change the crypto
  • possibly give users the option of _not_ having a sync key (??), and instead using just username and password
  • maybe useful for pancake
  • not clear what is the problem they're trying to solve (hard to scope their changes without knowing what they are trying to address)
  • first draft of feature/idea by end of week

Mobile etc update (ian)

  • Plugins are coming to mobile. Experimental builds have Flash, with click-to-play. Will be in nightlies soon.
  • App model?
    • when you're an app vs. when you're in the browser: there are different models across devices/platforms, and between in-browser content and apps, for things like geolocation. Ian is going to talk to tarend (mobile product manager) to try to come up with a survey of how permissions vary across the landscape, to work out where mobile Firefox lands on that spectrum. The driver here is security/permission models around new stuff from WebAPI and also the forthcoming mobile web app work, where web content gets 'promoted' to an app with an increase in permissions.

Community Involvement in Security (curtisk)

  • what should this be?
  • what would a "job" post for a volunteer look like?
  • How can we reach out to community members who are interested in security, and let them know what we could use help with?
    • Blogs, conferences
    • Backlog of want/low/moderate bugs
      • bsterne could mark some of them with the whiteboard tag [good first bug]
    • Twitter account aggregating our blog posts and tweets, with official messages tweeted directly
      • Ask PR for their thoughts, and what they think of tools like CoTweet

Telemetry privacy

  • Sid would like help looking at a backlog
    • how do we get to it?

Blog post roundup

From the Mozilla community

From our friends

Upcoming posts

Events

New internal weekly report (bsterne)

http://bsterne/test/secbugstatsreport.html

  • now breaks bug counts by team (rather than component)
  • now includes a "total risk score" where crits are 5 points, etc
  • let's add sg:want bugs, but with a weight of 0
  • coming soon: graph