Security/Meetings/Automation/2015-05-12

  • Testing HPKP on input.mozilla.org
    • https://bugzilla.mozilla.org/show_bug.cgi?id=1088774
    • validation may need better tooling
      • can use xpcshell that uses firefox
      • shouldn't be too hard to do in ZAP (mgoodwin will give it a shot, psiinon will review)
      • risk: you can DoS yourself if no backup digest is provided; HPKP must have 2 digests for the pin to be taken into account, and the 2nd pin doesn't need to be in the chain used to set the header
  • Building a set of small programs ("menagerie") that demonstrate specific security features:
    • HPKP, HSTS, SRI, CSP, anti-CSRF, ...
    • we could give a real cert to docker images, but needs to be on an isolated domain
    • ansible & docker are good automation tools for this
  • MWoS 2015/16: who wants to participate?
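
A sketch of the kind of HPKP validation tooling discussed above, added here as an example (it is not code from the meeting, ZAP or Firefox). It flags a `Public-Key-Pins` header that lacks a usable backup digest, following the RFC 7469 rule that at least one pin must match the served chain and at least one must not; the SPKI byte strings and function names are constructed for illustration.

```python
import base64
import hashlib

def spki_pin(spki_der):
    """pin-sha256 value: base64 of the SHA-256 of a DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

# Constructed stand-ins for SPKI bytes; real use would extract them from certificates.
LEAF_PIN = spki_pin(b"constructed leaf SPKI")
INTERMEDIATE_PIN = spki_pin(b"constructed intermediate SPKI")
BACKUP_PIN = spki_pin(b"constructed offline backup SPKI")

def parse_hpkp(header):
    """Return (pins, max_age) from a Public-Key-Pins header value."""
    pins, max_age = [], None
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            pins.append(value)
        elif name == "max-age" and value.isdigit():
            max_age = int(value)
    return pins, max_age

def is_sha256_pin(pin):
    """True if the value is valid base64 that decodes to a 32-byte digest."""
    try:
        return len(base64.b64decode(pin, validate=True)) == 32
    except ValueError:
        return False

def check_hpkp(header, chain_pins):
    """List the reasons a header would be ignored or would leave no recovery key."""
    pins, max_age = parse_hpkp(header)
    valid = {p for p in pins if is_sha256_pin(p)}
    problems = []
    if max_age is None:
        problems.append("missing or invalid max-age")
    if any(not is_sha256_pin(p) for p in pins):
        problems.append("malformed pin-sha256 value")
    if len(valid) < 2:
        problems.append("fewer than two distinct pins")
    if not valid & set(chain_pins):
        problems.append("no pin matches the served chain")
    if not valid - set(chain_pins):
        problems.append("no backup pin outside the served chain")
    return problems
```
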

Status Updates

  • jeff
    • DEF CON 23 presentation submitted for 'TSAWS'
    • Got myo working in MozDef, but stopped by...SSL!
  • mgoodwin
    • Talking in Sheffield (thinking out loud about PKI)
    • being generally appalled at how hard it is to do any x509 related stuff in any crypto libs
    • Menagerie ++^2