Security/Meetings/SecurityAssurance/2014-07-01


Agenda

Firefox OS things that concern YOU :) - General Firefox OS status update (pauljt, freddy)

  • workweek @ July 14th+, 2.0 branched, homescreen visual refresh, sandboxing (:kang)

- Hawk (freddyb)

- Firefox Accounts (cr)

 * see https://wiki.mozilla.org/User:Cruetten/FxARev
 * Protocol behind FxA is called OnePW, see https://github.com/mozilla/fxa-auth-server/wiki/onepw-protocol
     * important to note that the FxA server never has the "real" derived decryption keys (for example used by Fx Sync), there are additional steps that are required to create the encrypt/decrypt keys on client side based on the real password
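An added illustration of the OnePW point above (example code written for these notes, not code from fxa-auth-server): the client stretches the real password on the device and derives two independent keys from it. Only authPW is ever sent to the server, which stores a further one-way stretch of it plus a random wrapKb; the Sync encryption key kB is recoverable only on the client by combining wrapKb with the client-held unwrapBKey. The salt and info strings follow the naming in the linked wiki as recalled here, and the server-side stretch uses PBKDF2 as a stdlib stand-in for scrypt; treat those constants as assumptions rather than the protocol's exact parameters.

```python
import hashlib
import hmac
import os


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) extract-then-expand using HMAC-SHA256, stdlib only."""
    prk = hmac.new(salt if salt else b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def client_derive(email: str, password: str) -> dict:
    """Client side: all of this happens on the device, starting from the real password.

    Salt/info strings are modelled on the OnePW wiki (assumption, not copied from server code).
    """
    # "quick stretch": PBKDF2 with the email in the salt, so two accounts sharing a
    # password still produce different keys.
    salt = ("identity.mozilla.com/picl/v1/quickStretch:" + email).encode()
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000, 32)
    # Two independent HKDF outputs: authPW is the only value the server ever sees;
    # unwrapBKey never leaves the client.
    auth_pw = hkdf_sha256(stretched, b"", b"identity.mozilla.com/picl/v1/authPW", 32)
    unwrap_b_key = hkdf_sha256(stretched, b"", b"identity.mozilla.com/picl/v1/unwrapBkey", 32)
    return {"authPW": auth_pw, "unwrapBKey": unwrap_b_key}


class KeyServer:
    """Toy stand-in for the auth server: it stores only material derived from authPW."""

    def __init__(self):
        self.accounts = {}

    def _verifier(self, auth_pw: bytes, salt: bytes) -> bytes:
        # The real protocol stretches authPW again with scrypt; PBKDF2 is used here
        # as a stdlib stand-in (assumption).
        return hashlib.pbkdf2_hmac("sha256", auth_pw, salt, 2000, 32)

    def register(self, email: str, auth_pw: bytes) -> None:
        salt = os.urandom(16)
        self.accounts[email] = {
            "salt": salt,
            "verifier": self._verifier(auth_pw, salt),
            # wrapKb is random server-side state: on its own it reveals nothing,
            # because kB = wrapKb XOR unwrapBKey and unwrapBKey stays on the client.
            "wrapKb": os.urandom(32),
        }

    def login(self, email: str, auth_pw: bytes):
        """Return wrapKb if authPW verifies against the stored verifier, else None."""
        rec = self.accounts.get(email)
        if rec is None:
            return None
        if not hmac.compare_digest(rec["verifier"], self._verifier(auth_pw, rec["salt"])):
            return None
        return rec["wrapKb"]

    def holds(self, secret: bytes) -> bool:
        """Sanity check: does the raw secret appear anywhere in the stored records?"""
        return any(secret == v for rec in self.accounts.values() for v in rec.values())


def unwrap_kb(unwrap_b_key: bytes, wrap_kb: bytes) -> bytes:
    """Client side: recover kB (the key Sync encrypts with) from the two halves."""
    return bytes(a ^ b for a, b in zip(unwrap_b_key, wrap_kb))


if __name__ == "__main__":
    email, password = "user@example.com", "correct horse battery staple"  # constructed
    creds = client_derive(email, password)
    server = KeyServer()
    server.register(email, creds["authPW"])
    kb = unwrap_kb(creds["unwrapBKey"], server.login(email, creds["authPW"]))
    print("kB recovered on client:", kb.hex())
    print("server holds unwrapBKey?", server.holds(creds["unwrapBKey"]))
    print("server holds kB?", server.holds(kb))
```

The point to take from running it: a full dump of the server's records (salt, verifier, wrapKb) contains neither unwrapBKey nor kB, and the verifier is a one-way stretch of authPW, so a password guess still has to pay for both stretches.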

- BuddyUp (stephanie)

  • (chat server) http://buddyup.meatspac.es

- WebIDE potential for security (cr)

 * We're planning to move security-related functionality from app-validator to WebIDE
 * vulnerability scanners (ScanJS,...)
 * FxOS-specific features (easy browsing for permissions, web activities, IAC calls)
 * helps both developers and reviewers to spot security issues -ahh - reviewers' machines
 * future (far, far future) holds potential for live debugging, dynamic data flow analysis

- Trusted Hosted Apps (pauljt, arroway)

  • Meta bug with initial patches: https://bugzilla.mozilla.org/show_bug.cgi?id=1016421
    • Add a "trusted" app type: web < trusted < privileged < certified
    • Would be hosted
    • Exposing a subset of privileged APIs (but didn't it turn out to be most of the non-certified privileges anyway?) < yes indeed
    • Enforce SSL
    • Certificate pinning
    • CSP: whitelist for trusted domains
  • Still some discussion about the benefits of such a hosted app (performance, security challenges, benefits in the updates workflow) compared with a packaged app

Developer Evangelism (mgoodwin) - can wait if we're short on time. And I can send email :)

  • We want to get more security people talking to developers (outside of Mozilla) - there's no point in preaching to the choir, so to speak
  • If you're interested in helping with dev. evangelism of security features (think CSP, HSTS), let myself or cheilmann know.
    • If you've done speaking before, try to get a copy of a slide deck (and, ideally, a video) so Chris can help with coaching. - count me in (psiinon) ++(arroway)
    • I've talked at Fosdem and will be talking at Java One this year (about ZAP) (psiinon) - yes, exactly that kind of thing. Fosdem was videoed: https://www.youtube.com/watch?v=QG2RCZHMEkM
    • I've talked to some student developers and in some security meetups aimed at developers (videos on Airmozilla, but all in French so far...) (arroway)

^ [curtisk] is interested in helping

Team Updates (Silent)

Firefox Desktop

Firefox Mobile

Firefox OS

Firefox Core

MarketPlace

Web Apps

Services

Operations Security