Security/Meetings/SecurityAssurance/2014-07-01
From MozillaWiki
- Time: (Weekly) Tuesday at 13:30 PDT / 16:30 EDT / 21:30 UTC.
- Place: Mozilla HQ, MTV 217 Star Trek
- Phone (US/Intl): 650 903 0800 x92 Conf: 95217#
- Phone (Toronto): 416 848 3114 x92 Conf: 95217#
- Phone (US): 800 707 2533 (pin 369) Conf: 95217#
Agenda
Firefox OS things that concern YOU :)
- General Firefox OS status update (pauljt, freddy)
- workweek @ July 14th+, 2.0 branched, homescreen visual refresh, sandboxing (:kang)
- Hawk (freddyb)
- Firefox Accounts (cr)
- see https://wiki.mozilla.org/User:Cruetten/FxARev
- Protocol behind FxA is called OnePW, see https://github.com/mozilla/fxa-auth-server/wiki/onepw-protocol
- important to note that the FxA server never has the "real" derived decryption keys (for example those used by Fx Sync); additional steps are required to create the encrypt/decrypt keys on the client side based on the real password
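The point above about the server never holding the real decryption key, as an added sketch (not the project's own code): the client stretches the password and splits it into authPW (sent to the server) and unwrapBKey (kept locally), so the server stores only a verifier and a random wrapKb and can never compute kB. The KDF labels, iteration count and the SHA-256 verifier are assumptions standing in for the real parameters in the linked OnePW doc.

```python
import hashlib
import hmac
import os

# Labels and parameters follow the shape of the OnePW design but are assumptions
# for this illustration; the linked protocol doc has the real ones.
QUICK_STRETCH_ITERS = 1000
KEY_LEN = 32

def hkdf_sha256(ikm: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """Minimal HKDF (RFC 5869) with HMAC-SHA256 and an empty salt."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out, counter = out + block, counter + 1
    return out[:length]

def client_derive(email: str, password: str) -> dict:
    """Client only: stretch the password, then split it into authPW (sent to the
    server) and unwrapBKey (kept on the client, never transmitted)."""
    salt = b"identity.mozilla.com/picl/v1/quickStretch:" + email.encode()
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                    QUICK_STRETCH_ITERS, KEY_LEN)
    return {"authPW": hkdf_sha256(stretched, b"identity.mozilla.com/picl/v1/authPW"),
            "unwrapBKey": hkdf_sha256(stretched, b"identity.mozilla.com/picl/v1/unwrapBkey")}

def server_create_account(auth_pw: bytes) -> dict:
    """Server only: a verifier of authPW plus a random wrapKb; no kB, no unwrapBKey.
    (A real server uses a slow hash for the verifier; SHA-256 is a stand-in.)"""
    return {"verify_hash": hashlib.sha256(auth_pw).digest(), "wrapKb": os.urandom(KEY_LEN)}

def server_login(record: dict, auth_pw: bytes):
    """Server only: release wrapKb if authPW verifies; kB itself never exists here."""
    if hmac.compare_digest(record["verify_hash"], hashlib.sha256(auth_pw).digest()):
        return record["wrapKb"]
    return None

def client_unwrap(wrap_kb: bytes, unwrap_bkey: bytes) -> bytes:
    """Client only: kB = wrapKb XOR unwrapBKey, the key Sync would then encrypt with."""
    return bytes(a ^ b for a, b in zip(wrap_kb, unwrap_bkey))

def run_flow(email: str, password: str, attempt: str):
    """Create an account with `password`, log in with `attempt`; returns (record, kB or None)."""
    record = server_create_account(client_derive(email, password)["authPW"])
    keys = client_derive(email, attempt)
    wrap_kb = server_login(record, keys["authPW"])
    return record, None if wrap_kb is None else client_unwrap(wrap_kb, keys["unwrapBKey"])
```

Note that the record the server keeps contains neither kB nor anything from which kB can be derived without the password.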
- BuddyUp (stephanie)
- Preliminary sec review: https://docs.google.com/a/mozilla.com/document/d/1kuMGUUZCD7xIw9jjjt7kjNGErKtcuBtpnvlq3dNIi2s/edit#
- No solution for authenticating a helper proposed yet (centralized with a web server?)
- Use of WebRTC/Loop VS WebSocket?
- Strong concerns about allowing remote control and disclosing private data
- Demo: (app) https://github.com/mozilla/buddyup
- Demo: (chat server) http://buddyup.meatspac.es
- WebIDE potential for security (cr)
- We're planning to move security-related functionality from app-validator to WebIDE
- vulnerability scanners (ScanJS, ...)
- FxOS-specific features (easy browsing for permissions, web activities, IAC calls)
- helps both developers and reviewers to spot security issues - ahh - reviewers' machines
- future (far, far future) holds potential for live debugging, dynamic data flow analysis
- Trusted Hosted Apps (pauljt, arroway)
- Meta bug with initial patches: https://bugzilla.mozilla.org/show_bug.cgi?id=1016421
- Add a "trusted" app type: web < trusted < privileged < certified
- Would be hosted
- Exposing a subset of privileged APIs (but didn't it turn out to be most of the non-certified privileges anyway?) < yes indeed
- Enforce SSL
- Certificate pinning
- CSP: whitelist for trusted domains
- Still some discussion about the benefits of such a hosted app (performance, security challenges, benefits in the updates workflow) compared with a packaged app
Developer Evangelism (mgoodwin) - can wait if we're short on time. And I can send email :)
- We want to get more security people talking to developers (outside of Mozilla) - there's no point in preaching to the choir, so to speak
- If you're interested in helping with dev. evangelism of security features (think CSP, HSTS), let myself or cheilmann know.
- If you've done speaking before, try to get a copy of a slide deck (and, ideally, a video) so Chris can help with coaching. - count me in (psiinon) ++(arroway)
- I've talked at Fosdem and will be talking at Java One this year (about ZAP) (psiinon) - yes, exactly that kind of thing. Fosdem was videoed: https://www.youtube.com/watch?v=QG2RCZHMEkM
- I've talked to some student developers and at some security meetups aimed at developers (videos on Airmozilla, but all in French so far...) (arroway)
^ [curtisk] is interested in helping
- AppSec EU Videos: https://2014.appsec.eu/live-streaming-event/ (psiinon)
- Meeting with Google on the 17th July in the Mozilla SF office. If attending, make sure you're on the list at http://mzl.la/Tx66J0 (kang)
- REDACTED ** ;)