Security/Meetings/2011-10-26
From MozillaWiki
Password manager and autocomplete="off"
- (From last night's twitter conversation between @djcapelis, @jruderman, and @davidbaron)
- Password management lets you use stronger passwords and detect phishing more easily.
- But it hurts if your computer is stolen (or compromised by quickly detected malware)
- Treat autocomplete=off as “This site suggests that you use OS account encryption or a Fx master password” rather than preventing users from saving passwords?
- Teachable moment? Master password, OS account password with full disk encryption, locking your screen, locking your computer to your desk, keeping plugins up to date.
- Treat autocomplete=off as a hint that the form contains a password which should be stored using a "high security" profile. (A separate high security password? Require master password for only these passwords? Something else?)
- If we need to fight a PR battle with the banks on this, now’s a good time. #OccupyHTML5
- Some sites use methods other than autocomplete="off" to prevent password storage. If you view this problem as “sites are abusing a feature”, won't sites switch to abusing other features? So maybe this is more of an evangelism problem.
- What if we ignored autocomplete="off" only when we can verify that the storage is secure?
- [decoder] We could ask banks why they're using autocomplete="off". Maybe their threat model has changed since the ~9 years ago they demanded support for the attribute.
- [bsterne] I have contacts at some banks (e.g. from CSP promotion)
- [bsterne] will add this to the Security Roadmap
- We should investigate whether there are external requirements (e.g. PCI) which are making certain sites use autocomplete=off
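One way to model the "hint, not prohibition" proposal above (an added example written for these notes, not Firefox code): forms are plain objects standing in for DOM nodes, and the field/form/default precedence for the `autocomplete` attribute follows HTML semantics. The profile names are assumptions.

```javascript
// Added example (not Mozilla code): treat autocomplete="off" on a password
// field as a request to store the password under a stricter profile rather
// than as a reason to refuse saving it.
// A control without its own autocomplete attribute inherits the value set on
// its <form>; the default when neither is set is "on".

function effectiveAutocomplete(form, field) {
  const own = (field.autocomplete || '').trim().toLowerCase();
  if (own) return own;
  const inherited = (form.autocomplete || '').trim().toLowerCase();
  return inherited || 'on';
}

// Decides how the password manager handles a submitted form:
//   'ignore'        - no password field, nothing worth storing
//   'standard'      - save in the normal profile
//   'high-security' - site hinted autocomplete=off: still save, but only
//                     behind the master password / OS-encrypted store
function storageProfileFor(form) {
  const passwordFields = form.fields.filter(
    (f) => (f.type || 'text').toLowerCase() === 'password'
  );
  if (passwordFields.length === 0) return 'ignore';
  const hinted = passwordFields.some(
    (f) => effectiveAutocomplete(form, f) === 'off'
  );
  return hinted ? 'high-security' : 'standard';
}

// Constructed sample forms (not taken from any real site).
const bankLogin = {
  autocomplete: 'off', // set on the <form>, inherited by both fields
  fields: [
    { name: 'user', type: 'text' },
    { name: 'pass', type: 'password' },
  ],
};
const blogLogin = {
  fields: [
    { name: 'user', type: 'text' },
    { name: 'pass', type: 'password', autocomplete: 'on' },
  ],
};
const searchBox = { autocomplete: 'off', fields: [{ name: 'q', type: 'search' }] };

for (const [label, form] of Object.entries({ bankLogin, blogLogin, searchBox })) {
  console.log(label, '->', storageProfileFor(form));
}
```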
Plugin exploit data
- Even people with the newest Firefox versions (3.6.23 and 7.0.1) are being exploited through old Flash and PDF plugins (possibly also Java)
- Might want to look out for other plugins down the list (e.g. Silverlight / .NET framework)
- Data of last 7 days from MDL at http://cm-fs01:8088/malinspect/search/?src=mdl&sincedays=7&exacturl=1
- Click to play would probably stop a lot of drive-by attempts
  - although opting everyone (and every plugin) into click to play could be difficult - even Chrome doesn't do this with Flash at the moment
  - Maybe we could do click-to-play for *old* versions of the plugin automatically?
- Decrypted version of blackhole exploit kit detection script at http://users.own-hero.net/~decoder/blackhole.txt
- click to start - https://bugzilla.mozilla.org/show_bug.cgi?id=549697
- option to toggle plugin between on/off/click to play
- [Jesse] Chrome's requirement of using a context menu (rather than just a left click) makes it significantly more secure
- Blocklisting without a good update story would be sadmaking.
  - This just makes having a good update story that much more important.
  - How hard would it be to have an okay update story for the top three plugins?
- [bsterne] to sync up with Asa on plugin blocklisting/updating
W3C TPAC 2011 @ Santa Clara Marriott
(or "Why bsterne won't be on PTO Mon and Tues")
- bsterne co-editing CSP spec w/ abarth
- http://www.w3.org/2011/11/TPAC/
- Web App Security WG meeting Monday and Tuesday (10/31, 11/1)
Testpilot / Telemetry studies
- potential topics
  - Cert error clickthrus
  - Cipher strength / algorithm
  - Count of cert errors
  - Cert errors on major sites
  - Security UI effectiveness
    - e.g. do people interact with Larry?
    - and understand what they read?
      - how do you measure understanding/misunderstanding?
      - nsITelemetryBrainProbe.idl
      - Ask them, in a lab setting (rather than using Telemetry / Test Pilot)
      - We can give them a testpilot survey
- Test Pilot for UI, telemetry for other stuff
Recently Completed SecReviews
- CSS 3D Transforms
- Safe Browsing Fennec
- Silent Updates Eliminate Wait
- Cross Origin Attribute
- Sync Dialog
ASLR
- https://bugzilla.mozilla.org/show_bug.cgi?id=677797 backed out due to crashes :(
- Do we have a handle on these crashes? Is Ehsan equipped to and interested in tracking them down?
- http://blog.metasploit.com/2010/09/return-of-unpublished-adobe.html
Team Lunches
- Let's generally plan to have lunch together on Wednesdays at 11:30