SecurityEngineering/Jan2013WorkWeek/09-Big Things Brainstorm
Brainstorming future directions, things that we want to see done.
1/17 at 10:15am
Session Lead: Sid
We talked about big things (1yr+ projects) and figured out how we can raise their profiles.
NOTE: These are raw notes and will be changing rapidly for a while.
Feature Projects:
- Tracking Map/visualization tool [sid] This is a visualization tool that shows how sites can learn about you; it begins with first/third-party cookie tracking (showing which first-party sites facilitate tracking and which third-party sites actually track you cross-site), and builds upon that. Additionally, this tool will provide an interface to easily delete cookies and other state information for sites that you don't trust.
- Easy profile switching inside Firefox [sid,cviecco, tanvi] Users should have the ability to "log-in/log-out" of their profile in Firefox. The profile should be lockable (maybe encrypted on disk) and it should be trivial to switch between profiles through the Firefox menu or some similarly easy-to-identify UI element. Users will be able to identify which profile they're using too.
- Crypto API for web sites [ddahl, bsmith]
- Everybody knows what this is already
- Extensions API as well as a content API
- Unify/clean up security/privacy UI [cviecco, bsmith, tanvi]
- Reduce false positives for certificate errors
- Captive portal UI
- Fennec Address Bar
- Consistency/parity between B2G, Android Phone, Android Tablet, and desktop security UI
- Single place, easily reachable for users to view/modify security/privacy settings (per site and/or globally).
- Better Cookie UI
- Separate complicated stuff to Advanced security and privacy sections
- Site Identity Revamp (who has the new design, or is working on it?)
- enable users to see all their data (privacy/telemetry dashboard), and manipulate it (e.g. you sent/received X MB of data to these sites, logged in Y times to foo, sent Z cookies) [mmc, cviecco]
- users should be able to see what data firefox/mozilla is collecting about them.
- see also: about:telemetry in Firefox 19+
- Forget sites, forget people. Sometimes users register for accounts or interact with sites that they wish they hadn't. Make it easy for a user to forget a site, which includes deleting cookies and history from that site, and (blue sky) helping them delete accounts that have been created on the site, or links on their cookie graph that were initiated from that site. Similarly, sometimes users interact with people that they regret later. If FB/Google/Twitter/etc have block APIs, enable users to forget people. [mmc]
- Alert users when they're about to make significant changes to their social graphs. When a user is about to make a change to their social graph (for example, associating the same email address with their flickr account as their linkedin account), warn them. [mmc]
- sandbox content & chrome [ian and his beer, bsmith, keeler]
- sandbox the Firefox process to reduce impact of exploitation - protect the OS from a compromised browser process and possibly protect the browser's data (history, passwords, bookmarks, certificates) from a compromised browser process
- define performance/safety/compatibility tradeoffs
- define security benefits
- roadmap for incremental implementation
- make extensions (xpis) sandboxable [keeler, bsmith, ian]
- determine the user impact of breaking extensions with the sandbox
- determine how much effort it is to port an extension from single-process firefox to sandboxed firefox
- determine how to allow extensions to maintain their functionality when sandboxed
- flavors of firefox or pref bundling for internet cafes, shared devices, free speech journos [sid, keeler]
- Need to identify use cases for these different "profiles"
- and then for each profile, identify recommended settings and add-ons.
- Output of this project is a table of these scenarios (use cases) and the recommended configurations for each. Perhaps also an add-on bundle.
- create a security/privacy-fox bundle [cviecco, tanvi]
Create a bundle of firefox that includes an addon or code that makes it super secure and super privacy preserving. Ex: disallow mixed images, require master password, disallow 3rd party cookies, maybe do something about third party javascript, don't send referrers, create new prefs for minimizing fingerprinting (passive and some active), click to play all plugins. Add features that we may not be able to provide to all firefox users (UX concerns and concerns about breaking sites) and measure their traction.
- Account repository [tanvi] - When turned on, records all sites that a user has created an account with or logged into, along with their username.
- Could use password manager for this (either remembering or not remembering the passwords)
- Good way for users to go back and delete accounts on webpages that they no longer need/want. (But maybe this is something that not many people want or care about.)
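For the tracking map/visualization item above, the following is an added example (not code from the original notes or from Mozilla) of the core step such a tool needs: building the first/third-party cookie graph from a browsing log, then reporting which third parties track across sites and which first-party sites facilitate it. The log and host names are constructed, and the site-matching rule is a simplifying assumption (last two labels, no public-suffix list).

```python
"""Build a first/third-party cookie-tracking graph from a constructed
browsing log and report cross-site trackers and facilitating sites."""
from collections import defaultdict

# Constructed sample log: (first-party site the user visited, host that
# received a request, whether that request carried or set a cookie).
SAMPLE_LOG = [
    ("news.example", "news.example", True),
    ("news.example", "ads.tracker.example", True),
    ("news.example", "cdn.static.example", False),
    ("shop.example", "shop.example", True),
    ("shop.example", "ads.tracker.example", True),
    ("shop.example", "widgets.social.example", True),
    ("blog.example", "ads.tracker.example", True),
    ("blog.example", "cdn.static.example", False),
]

def registrable_domain(host):
    # Assumption: the last two labels identify the site (no public-suffix list).
    return ".".join(host.split(".")[-2:])

def build_tracking_graph(log):
    """Map each third-party host that used cookies to the set of
    first-party sites on which it was embedded."""
    graph = defaultdict(set)
    for first_party, host, used_cookie in log:
        if not used_cookie:
            continue  # cookieless requests cannot track via cookies
        if registrable_domain(host) == registrable_domain(first_party):
            continue  # same-site request: a first-party cookie, not tracking
        graph[host].add(first_party)
    return graph

def cross_site_trackers(graph, min_sites=2):
    """Third parties whose cookies were seen on at least min_sites sites."""
    return {h: sorted(s) for h, s in graph.items() if len(s) >= min_sites}

def facilitating_sites(graph):
    """Reverse view: which first-party sites embed which cookie-using trackers."""
    sites = defaultdict(set)
    for host, first_parties in graph.items():
        for fp in first_parties:
            sites[fp].add(host)
    return {fp: sorted(h) for fp, h in sites.items()}

if __name__ == "__main__":
    g = build_tracking_graph(SAMPLE_LOG)
    print("cross-site trackers:", cross_site_trackers(g))
    print("facilitating sites:", facilitating_sites(g))
```

The two views are exactly what the visualization would draw: tracker nodes sized by how many sites they span, and first-party nodes annotated with the trackers they admit (and whose cookies the delete UI would clear).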
Operational Projects
- Clean up old code, delete crap [keeler]
- The Linux kernel used to (still does?) have a code janitor program - we could do something similar (do we already?)
- Speed up SSL (TLS handshake negotiation, revocation, etc) [bsmith, cviecco, keeler]
- revocation: our own cert revocation list like the blocklist?
- TLS False Start and similar handshake jiggering
- Certificate validation performance improvements (OCSP caching, OCSP stapling)
- Better integration with networking stack prefetching
- More speculative connection handling
- "SPDY4" optimizations
- Measure user impact (positive and negative) of everything that we implement [mmc, bsmith]. When implementing new features, take into account:
- How much time it costs the user to interact with the feature.
- How many users actually interact with the feature.
- How much time it adds to page load.
- How many times the feature fires, and is expected to fire.
- Have a product and user story for everything we implement. We have a tough time explaining user impact, especially since a lot of the user benefits are indirect or otherwise hard to measure.
- eat our own dogfood (enable HSTS, CA pinning on all our properties) [also a goal for security assurance] [bsmith, cviecco, keeler]
- HSTS, CSP, key pinning for all *.mozilla.* and *.firefox.* properties [in preload lists, too? - yeah sure.]
- Minimal permissions in (Gaia) apps built by Mozilla and partners
- Figure out the expected cost of attacks (re-installing OS, getting new credit cards, death), expected probability of attacks, and triage all of our work accordingly [mmc, bsmith]. For example, what is the probability of a MITM attack, what is probability that a cert error is a false positive? These may be different for different classes of users. WEIS (http://weis2012.econinfosec.org/program.html) may have some actionable information.
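For the "eat our own dogfood" item above (HSTS and CSP on every property, with HSTS preload-ready), the following is an added example, not code from the original notes or from Mozilla, of a header check that could be run over each property's responses. The headers are constructed, and the thresholds (one-year max-age, includeSubDomains, preload, any CSP) are assumptions standing in for whatever policy the team actually adopts.

```python
"""Check a set of HTTP response headers against an assumed HSTS/CSP policy
and return a list of findings (empty means the property meets the policy)."""

# Assumed policy thresholds (not the preload list's actual rules).
MIN_HSTS_MAX_AGE = 31536000  # one year in seconds

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a dict of
    lower-cased directive names to their (possibly empty) values."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def check_headers(headers):
    """Return findings for a response's headers (case-insensitive names)."""
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("missing HSTS")
    else:
        d = parse_hsts(hsts)
        try:
            max_age = int(d.get("max-age", ""))
        except ValueError:
            max_age = -1  # absent or malformed max-age counts as too short
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age below %d" % MIN_HSTS_MAX_AGE)
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
        if "preload" not in d:
            findings.append("HSTS lacks preload")
    if "content-security-policy" not in lower:
        findings.append("missing CSP")
    return findings

# Constructed sample headers for two hypothetical properties.
GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
        "Content-Security-Policy": "default-src 'self'"}
WEAK = {"Strict-Transport-Security": "max-age=300"}
```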
Goals
- make all plugins obsolete/unnecessary [bsmith, keeler]
- Preconditions: move sites to HTML5/video
- Game APIs
- https by default (we can try https before http when connecting to sites) [bsmith, keeler]
- Crawler to inform HSTS preload list?
- Crawler to get cert/CA baseline?
- perhaps leverage data from the SSL Observatory
- make it more secure to share devices (locked profiles if users are sharing OS accounts) [UNOWNED, bsmith]
- Make people think of mozilla as the best provider of security and privacy, no matter what browser or device they use [mmc, bsmith]
- Lead through more than just our own software -- also through info sharing, contributing to other projects, and social outreach [bsmith]
- Guides for preferences we recommend on popular software (and other browsers)
Action Items
- [sid] fold the goals stuff into our strategy document
- [DONE] add minimal clarification for each feature/goal/project