SecurityEngineering/MeetingNotes/04-25-13
Standing Agenda
- Q2 Goals Recap ( https://intranet.mozilla.org/2013Q2Goals#Security_Engineering )
- Review roadmap priorities to ensure they accurately reflect active projects and Mozilla's priorities
- Suggest additions or changes to roadmaps
- Detailed discussion of features or outstanding issues as time permits
- Additional Items
- Upcoming events, OOO/travel, etc.
Last week: https://wiki.mozilla.org/SecurityEngineering/MeetingNotes/04-18-13
Q2 Goals
- [ON TRACK] land the application reputation scanning tool bug 662819 (mmc)
- [ON TRACK] Turn Mixed Content Blocking on in Aurora (tanvi)
- [ON TRACK] land classic cert validation replacement, off by default (bsmith)
- [ON TRACK] land OCSP stapling support and tests (keeler)
- [ON TRACK] Revamp the MDN documentation of CSP and Mixed Content Blocker.
- [ON TRACK] Develop & socialize plan (document containing steps, timeline, implementation & test plan) for getting sandboxing onto a desktop Firefox, probably Linux
- [ON TRACK] Deploy pilot cookie study and publish results. (ddahl)
Agenda
- Q2 Goals - recap
- blushproof update
- necko work week updates
- Security Assurance workweek
- meta referrer patch work progressing bug 704320
- crude notes from NIST workshop (10-11 Apr)
- Web Security Pane landed, add requests for errors to be logged there to bug 863874
- sandboxing
- Web Crypto WG
Q2 Goals
Blushproof
- https://github.com/mozilla/blushproof/wiki
- planning to launch next week
- really cute logo
- prompts user to ask if they want to enter private browsing mode for various sites in different categories - if they say no enough times, will stop asking about that category
- blush this - does 'forget about this site' for the site you're on, adds site to the list you will be asked about
- open question - how can users suggest additions to global site list?
- needs to go through review to be on AMO, waiting on the privacy policy team to sign off on data collection
- launch means publicize and try to get people to use it - we can all help!
Necko work week discussions
- OCSP checks are slow (they are cached but for session only - on mobile this is particularly bad)
- suggested approach: don't do OCSP checks by default, Must-Staple header, OCSP stapling
- also considering CRLSets a la Chrome
- Must-Staple has been proposed as a standard
- persistent cache of OCSP responses (especially for mobile) - will probably live in Necko cache, not NSS cache
- bsmith has a writeup of his proposal along these lines
Security Assurance Work Week
- week of 5/6 in SF
- meeting of the minds Tuesday 11 am 5/7 to coordinate our teams
Meta Referrer
- see bug 704320
- some students are working on this (awesome)
- can turn off parts of the referer, always/never send it
- site can control what's in the referer that gets sent coming from their site (e.g. Facebook)
- right now going through a redirector to strip user IDs etc.; using meta referrer would save network round trips
- sadly still stuck with misspelled header name 'referer' for all time :(
Sid's NIST workshop notes
Web Security Pane
- there is a web security pane now - landed
- grobinson rockin the party
- file bugs for new logging etc blocking bug 863874
Ian Dishes on Sandboxing
- everyone thinks it's awesome now
- might do sandboxing for fennec
- b2g/desktop: branch w/seccomp, looking for a usable whitelist
- looking for perfect point to lock down process
- there's a multiprocess pref in nightly (on larch?)
- [Bug 862078] Use an about:config preference to control multiprocess browsing
Web Crypto W3C WG update (ddahl)
- proposals around doing things with keys
- trying to keep vendor-specific things in separate specs
- today: high-level API seems to have stalled out - but don't want to force a non-useful API on developers