Security/Meetings/2011-11-30

From MozillaWiki
Jump to: navigation, search

Welcome Tanvi!

  • bogarted by orientation

SecBugStats (curtisk)

  • Final version sent to secteam for review

Security Interaction (curtisk)

  • [curtisk] giving a brownbag on Dec-9 - Neurobiology of Decision Making
  • [gkw] give talk he gave at mozcamp as a brownbag?
    • [gkw] to look into it

Mobile update (imelven)

  • about:home has landed, we should take a quick look at it (imelven will play with it, others are encouraged to try it in birch/nightly also)
  • margaret is looking to help out on click to play - hopefully this will help push it along on desktop also
    • this is a high prority for mobile to make the flash experience better
  • local db (instead of system storage) - lucasr has a patch for this
  • User Agent switcher landed - this is NOT the UA change discussed on platform
    • it lets you choose to reload a page with a hardcoded desktop UA
    • default will be to use mobile for all sites - we want to make this sticky

per domain, across restarts even (persistent somehow)

      • right now using hardcoded linux desktop string (including a static version number) - want to change
    • session history and redirect are 'broken' - you've already been eredirected to the mobile

site and changing the UA won't change that

  • it's _only_ forced when it's explicitly switched to 'desktop' by the user, otherwise the normal fennec UA is used with dynamic components

2012 Conferences (imelven)

2012 dates of the conferences that i could find

  • imelven is interested in attending INFILTRATE or Source Boston - lucas suggested discussing with bsterne as INFILTRATE is more offensive-focused (but has some very interesting talks on attacking sandboxing etc)
  • schmoocon
    • who is going - noone so far
  • RSA
    • Sid is on a panel @ RSA re: SSL
    • do we usually attend this?
      • no, not usually, but is good for press briefings and panel presence

Incremental GC (jesse, gkw & decoder)

  • Write barriers (a prereq for incremental GC) have landed on mozilla-central
    • The dependency tree of bug 641027 is "everything that can go wrong, does" at the moment. So we're probably not done finding bugs here.
  • larch branch has been setup with experimental incremental GC
    • [gkw, decoder, Jesse] We're pounding on it
      • Some bugs have been found

Extended support releases

  • Kev is getting close to calling his proposal done. Then product managers decide whether we actually do an ESR. See dev-planning megathread

Putting Firefox 3.6 out of its misery

    • Currently waiting on the outcome of the ESR proposal :(

TLS Telemetry Update (dchan)

  • On track to have code complete by end of week
  • probes in place for
    • keysize
    • generic SSL errors returned by PSM
    • specific SSL errors exposed by nsISSLStatus.idl
  • TODO: log ciphersuites
  • FUTURE
    • Log data from initial handshake
      • Requires changes in NSS
    • Log OCSP response data
  • To set a good example, we should include the Telemetry study here: Privacy/Reviews/Telemetry/Measurements, perhaps by creating a lightweight review and documenting it in detail.
    • It will be included in the documentation. There should be no PII being collected

Sec Blog Puzzles

  • [decoder] Post puzzles/riddles for readers to solve
    • Wargame meeting this week was postponed, haven't worked on this yet
      • Should we primarily create our own puzzles or do we want to use existing challenges
      • Could we use our own old security bugs (that have been fixed/opened) and post them to spot what's wrong/come up with an exploit?
    • How do we operate this, e.g. do we announce winners continously? (could throw off less experienced people) We could also come up with a hall of fame, sorted by time solved (this is what other challenges do commonly) => own small website for the puzzles?
      • take all correct answers and do a random draw for winner ?
    • I don't think prizes make sense for old security bugs. The bugs are already public.
      • [curtisk] Can use old bugs for ideas, or make variants
    • [decoder] Coming up with good puzzles and grading are both a lot of work.

Curtis's action items from last week(?)

    • get hack of the month in Dec for Jan
      • meeting with dveditz next week, can discuss then
    • get puzzle by EOM Dec -> publish 1st week Jan
      • working with decoder
    • work with imelven on lightening talk
      • will talk to Ian next week when I am in town
      • imelven has been thinking about this, discussed a little with lucas and sid last week
    • MDN articles
      • meeting with mcoates & sheppy on Dec-7

Sec Blog Post Topics

Travel

  • curtis in MV next week
  • Sid on PTO 1-5 Dec

Informational

Recent Security reviews

Retrieved from "https://wiki.mozilla.org/index.php?title=Security/Meetings/2011-11-30&oldid=374598"