Security/Meetings/2011-10-26

From MozillaWiki

Password manager and autocomplete="off"

  • (From last night's Twitter conversation between @djcapelis, @jruderman, and @davidbaron)
  • Password management lets you use stronger passwords and detect phishing more easily.
    • But it hurts if your computer is stolen (or compromised by quickly-detected malware)
  • Treat autocomplete=off as “This site suggests that you use OS account encryption or a Fx master password” rather than preventing users from saving passwords?
    • Teachable moment? Master password, OS account password with full disk encryption, locking your screen, locking your computer to your desk, keeping plugins up to date.
  • Treat autocomplete=off as a hint that the form contains a password which should be stored using a "high security" profile. (A separate high security password? Require master password for only these passwords? Something else?)
  • If we need to fight a PR battle with the banks on this, now’s a good time. #OccupyHTML5
  • Some sites use methods other than autocomplete="off" to prevent password storage. If you view this problem as “sites are abusing a feature”, won't sites switch to abusing other features? So maybe this is more of an evangelism problem.
  • What if we ignored autocomplete="off" only when we can verify that the storage is secure?
  • [decoder] We could ask banks why they're using autocomplete="off". Maybe their threat model has changed since the ~9 years ago they demanded support for the attribute.
    • [bsterne] I have contacts at some banks (e.g. from CSP promotion)
  • [bsterne] will add this to the Security Roadmap
  • We should investigate whether there are external requirements (e.g. PCI) which are making certain sites use autocomplete=off

Plugin exploit data

  • Even people with the newest Firefox versions (3.6.23 and 7.0.1) are being exploited through old Flash and PDF plugins (possibly also Java)
    • Might want to look out for other plugins down the list (e.g. Silverlight / .NET framework)
    • Data of last 7 days from MDL at http://cm-fs01:8088/malinspect/search/?src=mdl&sincedays=7&exacturl=1
    • Click to play would probably stop a lot of drive-by attempts
      • although opting everyone (and every plugin) into click to play could be difficult - even Chrome doesn't do this with Flash at the moment
      • Maybe we could do click-to-play for *old* versions of the plugin automatically?
  • Decrypted version of blackhole exploit kit detection script at http://users.own-hero.net/~decoder/blackhole.txt
  • click to start - https://bugzilla.mozilla.org/show_bug.cgi?id=549697
    • option to toggle plugin between on/off/click to play
    • [Jesse] Chrome's requirement of using a context menu (rather than just a left click) makes it significantly more secure
  • Blocklisting without a good update story would be sadmaking.
    • This just makes having a good update story that much more important.
    • How hard would it be to have an okay update story for the top three plugins?
    • [bsterne] to sync up with Asa on plugin blocklisting/updating

W3C TPAC 2011 @ Santa Clara Marriott

(or "Why bsterne won't be on PTO Mon and Tues")

Testpilot / Telemetry studies

  • potential topics
    • Cert error click-throughs
    • Cipher strength / algorithm
    • Count of cert errors
    • Cert errors on major sites
    • Security UI effectiveness
      • e.g. do people interact with Larry?
        • and understand what they read?
          • how do you measure understanding/misunderstanding?
            • nsITelemetryBrainProbe.idl
            • Ask them, in a lab setting (rather than using Telemetry / Test Pilot)
            • We can give them a testpilot survey
              • Test Pilot for UI, telemetry for other stuff

Recently Completed SecReviews

ASLR

Team Lunches

  • Let's generally plan to have lunch together on Wednesdays at 11:30