SecurityEngineering/MeetingNotes/04-11-13
From MozillaWiki
Contents
Standing Agenda
- Q2 Goals Recap (https://intranet.mozilla.org/2013Q2Goals#Security_Engineering)
- Review roadmap priorities to ensure they accurately reflect active projects and Mozilla's priorities
- Suggest additions or changes to roadmaps
- Detailed discussion of features or outstanding issues as time permits
- Additional Items
- Upcoming events, OOO/travel, etc.
Last week: https://wiki.mozilla.org/SecurityEngineering/MeetingNotes/04-04-13
Agenda
- Q2 Goals
- Mixed content
- Logging Security Errors to the Web Console
- https://etherpad.mozilla.org/p2eDLTAb9w (brainstorm useful errors for different features)
- Sandboxing / B2G Security summary:
https://etherpad.mozilla.org/b2g-system-security
Q2 Goals
Relevant: https://wiki.mozilla.org/Platform/2013-Q2-Goals#Networking
top list
Code:
- land the application reputation scanning thing (dri=mmc)
- Turn Mixed Content Blocking on in Aurora (dri=tanvi)
- land classic cert validation replacement, off by default (dri=bsmith, assist=cviecco)
- land OCSP stapling support and tests (dri=keeler)
- Brian: when is NSS 3.15 landing on m-c? Answer: maybe today
Evangelism:
- Make most excellent the MDN documentation of CSP and Mixed Content Blocker. (dri=imelven, assist=rforbes, tanvi)
- Develop & socialize plan (document containing steps, timeline, implementation & test plan) for getting sandboxing onto a desktop Firefox, probably Linux (dri=imelven)
Research:
- Deploy pilot cookie study and publish results. (dri=ddahl)
Mixed Content Blocker on mozilla sites
- HSTS and Mixed Content
- fyi: nsIStrictTransportSecurityService::isStsHost()
- https://bugzilla.mozilla.org/show_bug.cgi?id=841613#c13 - Questions on whether the UI is discoverable
- https://bugzilla.mozilla.org/show_bug.cgi?id=855399 - This seems like it is going to be a very large project.
- Consider automatically replacing
- https-everywhere rules aren't trivial: https://gitweb.torproject.org/https-everywhere.git/tree/HEAD:/src/chrome/content/rules
Logging Security Errors to the Webconsole
- the web console code expects nsIScriptError - would need to modify it if we want to start sending different/new errors to the web console
- could subclass nsIScriptError
- https://etherpad.mozilla.org/p2eDLTAb9w (brainstorm useful errors for different features)
- plan: see if using nsIScriptError is sufficient for our needs. If not, potentially subclass or write a whole new class for security errors.