SecurityEngineering/MeetingNotes/04-11-13

From MozillaWiki

< SecurityEngineering‎ | MeetingNotes

Jump to: navigation, search

Contents

1 Standing Agenda
2 Agenda
3 Q2 Goals
- 3.1 top list
4 Mixed Content Blocker on mozilla sites
5 Logging Security Errors to the Webconsole

Standing Agenda

Q2 Goals Recap (https://intranet.mozilla.org/2013Q2Goals#Security_Engineering)
Review roadmap priorities to ensure they accurately reflect active projects and Mozilla's priorities
Suggest additions or changes to roadmaps
Detailed discussion of features or outstanding issues as time permits
Additional Items
Upcoming events, OOO/travel, etc.

Last week: https://wiki.mozilla.org/SecurityEngineering/MeetingNotes/04-04-13

Agenda

Q2 Goals
Mixed content
Logging Security Errors to the Web Console
- https://etherpad.mozilla.org/p2eDLTAb9w (brainstorm useful errors for different features)
Sandboxing / B2G Security summary:

  https://etherpad.mozilla.org/b2g-system-security

Q2 Goals

Relevant: https://wiki.mozilla.org/Platform/2013-Q2-Goals#Networking

top list

Code:

land the application reputation scanning thing (dri=mmc)
Turn Mixed Content Blocking on in Aurora (dri=tanvi)
land classic cert validation replacement, off by default (dri=bsmith, assist=cviecco)
land OCSP stapling support and tests (dri=keeler)
- Brian: when is NSS 3.15 landing on m-c? Answer: maybe today

Evangelism:

Make most excellent the MDN documentation of CSP and Mixed Content Blocker. (dri=imelven, assist=rforbes, tanvi)
Develop & socialize plan (document containing steps, timeline, implementation & test plan) for getting sandboxing onto a desktop Firefox, probably Linux (dri=imelven)

Research:

Deploy pilot cookie study and publish results. (dri=ddahl)

Mixed Content Blocker on mozilla sites

HSTS and Mixed Content
- fyi: nsIStrictTransportSecurityService::isStsHost()
https://bugzilla.mozilla.org/show_bug.cgi?id=841613#c13 - Questions on whether the UI is discoverable
https://bugzilla.mozilla.org/show_bug.cgi?id=855399 - This seems like it is going to be a very large project.
Consider automatically replacing
- https-everywhere rules aren't trivial: https://gitweb.torproject.org/https-everywhere.git/tree/HEAD:/src/chrome/content/rules

Logging Security Errors to the Webconsole

the web console code expects nsIScriptError - would need to modify it if we want to start sending different/new errors to the web console
could subclass nsIScriptError
https://etherpad.mozilla.org/p2eDLTAb9w (brainstorm useful errors for different features)
plan: see if using nsIScriptError is sufficient for our needs. If not, potentially subclass or write a whole new class for security errors.

Retrieved from "https://wiki.mozilla.org/index.php?title=SecurityEngineering/MeetingNotes/04-11-13&oldid=647898"