Security/Meetings/2011-11-30
From MozillaWiki
Contents
- 1 Welcome Tanvi!
- 2 SecBugStats (curtisk)
- 3 Security Interaction (curtisk)
- 4 Mobile update (imelven)
- 5 2012 Conferences (imelven)
- 6 Incremental GC (jesse, gkw & decoder)
- 7 Extended support releases
- 8 Putting Firefox 3.6 out of its misery
- 9 TLS Telemetry Update (dchan)
- 10 Sec Blog Puzzles
- 11 Curtis's action items from last week(?)
- 12 Sec Blog Post Topics
- 13 Travel
- 14 Informational
Welcome Tanvi!
- bogarted by orientation
SecBugStats (curtisk)
- Final version sent to secteam for review
Security Interaction (curtisk)
- [curtisk] giving a brownbag on Dec-9 - Neurobiology of Decision Making
- [gkw] give talk he gave at mozcamp as a brownbag?
- [gkw] to look into it
Mobile update (imelven)
- about:home has landed, we should take a quick look at it (imelven will play with it, others are encouraged to try it in birch/nightly also)
- margaret is looking to help out on click to play - hopefully this will help push it along on desktop also
- this is a high priority for mobile to make the flash experience better
- local db (instead of system storage) - lucasr has a patch for this
- see https://bugzilla.mozilla.org/show_bug.cgi?id=704490#c6 for details, still a couple open issues
- User Agent switcher landed - this is NOT the UA change discussed on platform
- it lets you choose to reload a page with a hardcoded desktop UA
- default will be to use mobile for all sites - we want to make this sticky per domain, across restarts even (persistent somehow)
- right now using hardcoded linux desktop string (including a static version number) - want to change
- session history and redirect are 'broken' - you've already been redirected to the mobile site and changing the UA won't change that
- it's _only_ forced when it's explicitly switched to 'desktop' by the user, otherwise the normal fennec UA is used with dynamic components
2012 Conferences (imelven)
- imelven has updated https://wiki.mozilla.org/Security/Conferences with 2012 dates of the conferences that i could find
- imelven is interested in attending INFILTRATE or Source Boston - lucas suggested discussing with bsterne as INFILTRATE is more offensive-focused (but has some very interesting talks on attacking sandboxing etc)
- ShmooCon
- who is going - no one so far
- RSA
- Sid is on a panel @ RSA re: SSL
- do we usually attend this?
- no, not usually, but is good for press briefings and panel presence
Incremental GC (jesse, gkw & decoder)
- Write barriers (a prereq for incremental GC) have landed on mozilla-central
- The dependency tree of bug 641027 is "everything that can go wrong, does" at the moment. So we're probably not done finding bugs here.
- larch branch has been setup with experimental incremental GC
- [gkw, decoder, Jesse] We're pounding on it
- Some bugs have been found
Extended support releases
- Kev is getting close to calling his proposal done. Then product managers decide whether we actually do an ESR. See dev-planning megathread
Putting Firefox 3.6 out of its misery
- Currently waiting on the outcome of the ESR proposal :(
TLS Telemetry Update (dchan)
- On track to have code complete by end of week
- probes in place for
- keysize
- generic SSL errors returned by PSM
- specific SSL errors exposed by nsISSLStatus.idl
- TODO: log ciphersuites
- FUTURE
- Log data from initial handshake
- Requires changes in NSS
- Log OCSP response data
- To set a good example, we should include the Telemetry study here: Privacy/Reviews/Telemetry/Measurements, perhaps by creating a lightweight review and documenting it in detail.
- It will be included in the documentation. There should be no PII being collected
Sec Blog Puzzles
- [decoder] Post puzzles/riddles for readers to solve
- Wargame meeting this week was postponed, haven't worked on this yet
- Should we primarily create our own puzzles or do we want to use existing challenges
- e.g.: (popular) http://www.overthewire.org/
- Could we use our own old security bugs (that have been fixed/opened) and post them to spot what's wrong/come up with an exploit?
- https://bugzilla.mozilla.org/show_bug.cgi?id=162409 is a nice puzzle
- curtisk likes this idea as I think we should do our own stuff
- Very old, bad, fuzzbugs included?
- How do we operate this, e.g. do we announce winners continuously? (could throw off less experienced people) We could also come up with a hall of fame, sorted by time solved (this is what other challenges commonly do) => own small website for the puzzles?
- take all correct answers and do a random draw for winner ?
- I don't think prizes make sense for old security bugs. The bugs are already public.
- [curtisk] Can use old bugs for ideas, or make variants
- [decoder] Coming up with good puzzles and grading are both a lot of work.
Curtis's action items from last week(?)
- get hack of the month in Dec for Jan
- meeting with dveditz next week, can discuss then
- get puzzle by EOM Dec -> publish 1st week Jan
- working with decoder
- work with imelven on lightning talk
- will talk to Ian next week when I am in town
- imelven has been thinking about this, discussed a little with lucas and sid last week
- MDN articles
- meeting with mcoates & sheppy on Dec-7
Sec Blog Post Topics
- https://intranet.mozilla.org/SecurityTeam:EditorialCalendar
- please review the list
Travel
- curtis in MV next week
- Sid on PTO 1-5 Dec
Informational
Recent Security reviews
- Add-On Hotfix: https://wiki.mozilla.org/Security/Reviews/Firefox/Add-on_hotfix