Security/Meetings/2011-10-05

From MozillaWiki

Non-feature work

  • working group is going
  • criteria is being discussed
  • this list right now is overly granular, will need to be whittled down

Mobile Locale Picker

  • is what they're doing with Aurora/Nightly in line with our best practices?
    • currently done with an XPI over plain HTTP as an add-on for the locale
    • no, they should be protected in some fashion
  • imelven will file a bug against nightly/aurora for this
  • should we file a bug for release even though it's still 'in progress'?
  • imelven will file a bug for this - XML file should come over SSL, other XPIs come with hash over SSL
  • there is javascript on AMO that installs addons, this gets the hash and downloads the file over SSL
    • should be done the way it's done for addon and client updates today
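An added, illustrative Python sketch of the "manifest over SSL, XPI verified by hash" flow the bullets above describe. This is not Mozilla's code or the AMO installer; the manifest layout, attribute names, URLs, sample bytes and function names are assumptions constructed for the example.

```python
"""Hash-checked locale add-on install (added example, not Mozilla's code).

The manifest lists each locale XPI with its URL and expected digest. The
manifest itself must arrive over TLS: if an on-path attacker can rewrite the
manifest, they can replace the URL and the hash together and the digest check
proves nothing. The XPI download is also required to use HTTPS, as defence in
depth, before the digest is compared in constant time.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed stand-ins for the bytes the server would return for each XPI.
FAKE_XPIS = {
    "https://locales.example.invalid/de.xpi": b"PK\x03\x04constructed-de-locale-xpi",
    "http://locales.example.invalid/fr.xpi": b"PK\x03\x04constructed-fr-locale-xpi",
}

# Hypothetical manifest format (assumption); the 'fr' entry deliberately
# points at plain HTTP so the transport check below has something to reject.
MANIFEST_TEMPLATE = """<?xml version="1.0"?>
<locales>
  <locale code="de" url="https://locales.example.invalid/de.xpi"
          hashFunction="sha256" hashValue="{de}"/>
  <locale code="fr" url="http://locales.example.invalid/fr.xpi"
          hashFunction="sha256" hashValue="{fr}"/>
</locales>
"""

ALLOWED_HASHES = ("sha256", "sha512")


def build_manifest():
    """Return the constructed manifest with digests of the fake XPI bytes."""
    return MANIFEST_TEMPLATE.format(
        de=hashlib.sha256(FAKE_XPIS["https://locales.example.invalid/de.xpi"]).hexdigest(),
        fr=hashlib.sha256(FAKE_XPIS["http://locales.example.invalid/fr.xpi"]).hexdigest(),
    )


def fake_fetch(url):
    """Stand-in for an HTTPS client: returns the constructed bytes for a URL."""
    return FAKE_XPIS[url]


def parse_manifest(xml_text):
    """Map locale code -> {url, hash_function, hash_value} from the manifest."""
    root = ET.fromstring(xml_text)
    return {
        node.get("code"): {
            "url": node.get("url"),
            "hash_function": node.get("hashFunction"),
            "hash_value": node.get("hashValue"),
        }
        for node in root.findall("locale")
    }


def verify_xpi(data, hash_function, expected_hex):
    """True only if the digest of data matches the manifest value (constant-time compare)."""
    if hash_function not in ALLOWED_HASHES:  # refuse weak or unknown digests
        return False
    actual_hex = hashlib.new(hash_function, data).hexdigest()
    return hmac.compare_digest(actual_hex, expected_hex.lower())


def attempt_install(manifest_xml, code, fetch):
    """Return ("ok", xpi_bytes) or ("rejected", reason); unverified bytes never reach install."""
    entry = parse_manifest(manifest_xml).get(code)
    if entry is None:
        return ("rejected", "unknown locale")
    if urlparse(entry["url"]).scheme != "https":
        # Require TLS for the payload too, even though the digest check
        # below would catch a modified download.
        return ("rejected", "insecure transport")
    data = fetch(entry["url"])
    if not verify_xpi(data, entry["hash_function"], entry["hash_value"]):
        return ("rejected", "hash mismatch")
    return ("ok", data)


if __name__ == "__main__":
    manifest = build_manifest()
    print(attempt_install(manifest, "de", fake_fetch)[0])
    print(attempt_install(manifest, "fr", fake_fetch))
    print(attempt_install(manifest, "de", lambda url: FAKE_XPIS[url] + b"!"))
```

The three runs at the bottom show the intended outcomes: a good HTTPS download installs, the plain-HTTP entry is refused before any bytes are fetched, and a download that differs by a single byte from what the manifest promised is rejected on the hash comparison.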

Mobile Permissions

  • bug to explain why Fennec wants permissions
  • mbrubeck is thinking about writing a blog post on permissions for Fennec
  • there's ongoing debate about asking for permissions we don't need yet for a better update flow as opposed to being very tight with permissions and only asking for things we actually use
  • debate about whether writing the document will help - 'people only read the market description, don't follow links in it' - but we don't explain why we require whatever permissions anywhere
  • imelven will check if there's a tool to audit permissions on Android
  • imelven will follow up with Michelle Luna (mobile SUMO)

Moz Camps

  • attendance?
    • Gary - Kuala Lumpur
  • curtis has been invited by Gen Kanai to one in Malaysia to talk sec via yammer

DerbyCon / Louisville Infosec roundup [curtis]

Sec Review Triage

  • moved to Oct-12 in Zombocom
    • will cover untriaged radar items, bugs and assignments

Curtis Travel

  • Trip 17-22 Oct
    • will arrive late on 17 so will work from home till mid-day EST then depart

Blog post roundup

DNT round-up

Goals Discussion

  • Remember: Q4 is a short quarter
  • We generally try to have 3 goals per quarter, but may also list other planned activities.
  • We've been asked to consider "mobile first", "how will we use telemetry", and "e10s"

Goals for other teams

Goals for us

  • Telemetry/User Research? - are there probes or Test Pilot studies we could use to get some useful info?
    • Get stats on features we want to kill off (enablePrivilege, E4X <- done)
    • Frequency of cert errors (counting each of: expired, self-signed, wrong domain) and OCSP success/failures (nonresponses, server errors, revoked, valid) and frequency of mixed-content encountered (bucket mixed display and mixed scripting)
      • this will help us decide how to prioritize (or de-prioritize) future work on SSL failures, revocation, mixed content work
  • Privacy: unify our reviews (sec/priv) with User Data Council (UDC)
    • make it easy and smooth to get all the right eyeballs involved at the right times.
  • Mobile Fuzzing
    • Get LangFuzz to ARM architecture (Linux/Tegra)
    • Get LangFuzz to mobile (Browser on Android)
      • LangFuzz mobile has dependency on Jetpack
  • Get a plan for sec release quality finalized and ready to socialize (related to non-feature prioritization)

Other things we'll be doing