SecurityEngineering/MeetingNotes/03-28-13

From MozillaWiki

Standing Agenda

  • Q1 Goals Recap (https://intranet.mozilla.org/2013Q1Goals#Security_Engineering)
  • Review roadmap priorities to ensure they accurately reflect active projects and Mozilla's priorities
  • Suggest additions or changes to roadmaps
  • Detailed discussion of features or outstanding issues as time permits
  • Additional Items
  • Upcoming events, OOO/travel, etc.

Last week: https://wiki.mozilla.org/SecurityEngineering/MeetingNotes/03-21-13

Agenda

  • Q1 Goals Recap
  • Q2 Goals
  • HTTP auth
  • Tweed smoking jackets and shillelaghs and whiskey.
  • Switch MV day next week for interviews/lunch?
  • GSoC

Goals Recap

  • [miss] application reputation
  • [miss] PKIX by default - held up by review process and need to write tests, another approach being explored
  • [done] land mixed content UI v1
  • [done] getRandomValues - landed in Desktop, mobile, and Firefox OS!
  • [done] CSP evangelization - CSP 1.0 not turned on in Nightly due to B2G mochitest issues with inline styles; gave a talk at BSides to promote CSP use; still want to do the OWASP cheat sheet when 1.0 lands; spoke to Yvan about a dogfooding project and whether there is a Security Champion who would be interested, will discuss further with him on Monday
    • CSP on the AMA
  • [done] Analyze and publish results of Q4's security/privacy settings study
  • [done] Design cookie survey for test pilot (mmc)

Q2 Goals Brainstorming Continued

  • Sandboxing - more concrete picture next week, maybe some planning thing or something
  • land the application reputation scanning thing
  • Turn Mixed Content Blocking on by default
  • Something around fast profile switching
    • mock-up creation
      • Possibly GSOC (for Q3)
    • design some sort of user research study <-- execution would be the following quarter
      • how many people use different browsers, different devices, for what reasons?
    • pilot blushproof study (to identify potentially embarrassing topics, and how people navigate between them, and to lead to design of a more robust study via test pilot or something)
    • Deep private browsing mode study to see what the real use cases are.
  • Fix N {CSP, Mixed Content, iframe sandbox, ...} bugs
  • SSL key limits - technical enforcement of key size limits (fix this bug, advocacy, testing/telemetry) -- Caution: May have some dependencies that are hard to land
    • asked about in AMA
  • Ship key pinning (ambitious)
  • Identify clear path to certificate validation revamp (libpkix or otherwise)
  • Land OCSP Stapling and TLS 1.2 support
  • Establish a series or run a one-time training session for developers on some topic like XSS, CSRF, SSL, etc. Would include best practices and features like HSTS that can help.
  • Establish a series of "describe feature X" blog posts or MDN pages that help explain the things we've done and are working on. (What the feature does, and how it improves security or privacy.) Contextualize in terms of trends in web security, compare to approaches used by other browsers.
  • Overhaul MDN documentation of CSP
  • Improve searchability for "David Keeler" (SEO)
    • start new lifestyle
    • Change name to unique ID (David 92D16EEE-6A99-4584-8699-5D7B9D479453)
  • Write MDN documentation for mixed content blocker
  • Create, document and share our story for emergency revocation on FxOS (think DigiNotar, ComodoHacker, etc.).

top list

  • land the application reputation scanning thing
  • Turn Mixed Content Blocking on by default
  • Land OCSP Stapling and TLS 1.2 support
  • Identify clear path to certificate validation revamp (libpkix or otherwise)
  • Make most excellent the MDN documentation of CSP and Mixed Content Blocker.

HTTP Auth

Suggestion from the Security Assurance AMA - Can Firefox support a way to actually log out of HTTP auth? Sounds like a roadmap item.

Any GSoC proposals left?

One-paragraph proposals due tomorrow -