Standing Agenda

• Q2 Goals Recap ( https://intranet.mozilla.org/2013Q2Goals#Security_Engineering )
• Review roadmap priorities to ensure they accurately reflect active projects and Mozilla's priorities
• Suggest additions or changes to roadmaps
• Detailed discussion of features or outstanding issues as time permits
• Additional Items
• Upcoming events, OOO/travel, etc.

Last week: https://wiki.mozilla.org/SecurityEngineering/MeetingNotes/04-18-13

Q2 Goals

• [ON TRACK] land the application reputation scanning tool bug 662819 (mmc)
• [ON TRACK] Turn Mixed Content Blocking on in Aurora (tanvi)
• [ON TRACK] land classic cert validation replacement, off by default (bsmith)
• [ON TRACK] land OCSP stapling support and tests (keeler)
• [ON TRACK] Revamp the MDN documentation of CSP and Mixed Content Blocker.
• [ON TRACK] Develop & socialize plan (document containing steps, timeline, implementation & test plan) for getting sandboxing onto a desktop Firefox, probably Linux
• [ON TRACK] Deploy pilot cookie study and publish results. (ddahl)

Agenda

• Q2 Goals - recap
• blushproof update
• necko work week updates
• Security Assurance workweek
• meta referrer patch work progressing bug 704320
• crude notes from NIST workshop (10-11 Apr)
• Web Security Pane landed, add requests for errors to be logged there to bug 863874
• sandboxing
• Web Crypto WG

Q2 Goals

• https://intranet.mozilla.org/2013Q2Goals#Security_Engineering

Blushproof

• https://github.com/mozilla/blushproof/wiki
• planning to launch next week
• really cute logo
• prompts user to ask if they want to enter private browsing mode for various sites in different categories - if they say no enough times, will stop asking about that category
• blush this - does 'forget about this site' for the site you're on, adds site to the list you will be asked about
• open question - how can users suggest additions to global site list?
• needs to go through review to be on AMO, waiting on the privacy policy team to sign off on data collection
• launch means publicize and try to get people to use it - we can all help !

Necko work week discussions

• OCSP checks are slow (they are cached but for session only - on mobile this is particularly bad)
• suggested approach: don't do OCSP checks by default, Must-Staple header, OCSP stapling
• also considering CRLSets a la Chrome
• Must-Staple has been proposed as a standard
• persistent cache of OCSP responses (especially for mobile) - will probably live in Necko cache, not NSS cache
• bsmith has a writeup of his proposal along these lines

Security Assurance Work Week

• week of 5/6 in SF
• meeting of the minds Tuesday 11 am 5/7 to coordinate our teams

Meta Referrer

• see bug 704320
• some students are working on this (awesome)
• can turn off parts of the referer, always/never send it
• site can control what's in the referer that gets sent coming from their site (e.g. Facebook)
• right now going through redirector to strip user ID's etc, using meta referrer would save turns of network
• sadly still stuck with misspelled header name 'referer' for all time :(

Sid's NIST workshop notes

• https://wiki.mozilla.org/User:Sidstamm/Notes_April_2013_NIST_CA_Workshop

Web Security Pane

• there is a web security pane now - landed
• grobinson rockin the party
• file bugs for new logging etc blocking bug 863874

Ian Dishes on Sandboxing

• everyone thinks it's awesome now
• might do sandboxing for fennec
• b2g/desktop: branch w/seccomp, looking for a usable whitelist
• looking for prefect point to lock down process
• there's a multiprocess pref in nightly (on larch?)
• [Bug 862078] Use an about:config preference to control multiprocess browsing

Web Crypto W3C WG update (ddahl)

• proposals around doing things with keys
• trying to keep vendor-specific things in separate specs
• today : high level API seems to have stalled out - but don't want to force a non useful API on developers