SecurityEngineering/MeetingNotes/04-25-13

From MozillaWiki
Jump to: navigation, search

Standing Agenda

  • Q2 Goals Recap ( https://intranet.mozilla.org/2013Q2Goals#Security_Engineering )
  • Review roadmap priorities to ensure they accurately reflect active projects and Mozilla's priorities
  • Suggest additions or changes to roadmaps
  • Detailed discussion of features or outstanding issues as time permits
  • Additional Items
  • Upcoming events, OOO/travel, etc.

Last week: https://wiki.mozilla.org/SecurityEngineering/MeetingNotes/04-18-13

Q2 Goals

  • [ON TRACK] land the application reputation scanning tool bug 662819 (mmc)
  • [ON TRACK] Turn Mixed Content Blocking on in Aurora (tanvi)
  • [ON TRACK] land classic cert validation replacement, off by default (bsmith)
  • [ON TRACK] land OCSP stapling support and tests (keeler)
  • [ON TRACK] Revamp the MDN documentation of CSP and Mixed Content Blocker.
  • [ON TRACK] Develop & socialize plan (document containing steps, timeline, implementation & test plan) for getting sandboxing onto a desktop Firefox, probably Linux
  • [ON TRACK] Deploy pilot cookie study and publish results. (ddahl)

Agenda

  • Q2 Goals - recap
  • blushproof update
  • necko work week updates
  • Security Assurance workweek
  • meta referrer patch work progressing bug 704320
  • crude notes from NIST workshop (10-11 Apr)
  • Web Security Pane landed, add requests for errors to be logged there to bug 863874
  • sandboxing
  • Web Crypto WG

Q2 Goals

Blushproof

  • https://github.com/mozilla/blushproof/wiki
  • planning to launch next week
  • really cute logo
  • prompts user to ask if they want to enter private browsing mode for various sites in different categories - if they say no enough times, will stop asking about that category
  • blush this - does 'forget about this site' for the site you're on, adds site to the list you will be asked about
  • open question - how can users suggest additions to global site list?
  • needs to go through review to be on AMO, waiting on the privacy policy team to sign off on data collection
  • launch means publicize and try to get people to use it - we can all help !

Necko work week discussions

  • OCSP checks are slow (they are cached but for session only - on mobile this is particularly bad)
  • suggested approach: don't do OCSP checks by default, Must-Staple header, OCSP stapling
  • also considering CRLSets a la Chrome
  • Must-Staple has been proposed as a standard
  • persistent cache of OCSP responses (especially for mobile) - will probably live in Necko cache, not NSS cache
  • bsmith has a writeup of his proposal along these lines

Security Assurance Work Week

  • week of 5/6 in SF
  • meeting of the minds Tuesday 11 am 5/7 to coordinate our teams

Meta Referrer

  • see bug 704320
  • some students are working on this (awesome)
  • can turn off parts of the referer, always/never send it
  • site can control what's in the referer that gets sent coming from their site (e.g. Facebook)
  • right now going through redirector to strip user ID's etc, using meta referrer would save turns of network
  • sadly still stuck with misspelled header name 'referer' for all time :(

Sid's NIST workshop notes

Web Security Pane

  • there is a web security pane now - landed
  • grobinson rockin the party
  • file bugs for new logging etc blocking bug 863874

Ian Dishes on Sandboxing

  • everyone thinks it's awesome now
  • might do sandboxing for fennec
  • b2g/desktop: branch w/seccomp, looking for a usable whitelist
  • looking for prefect point to lock down process
  • there's a multiprocess pref in nightly (on larch?)
  • [Bug 862078] Use an about:config preference to control multiprocess browsing

Web Crypto W3C WG update (ddahl)

  • proposals around doing things with keys
  • trying to keep vendor-specific things in separate specs
  • today : high level API seems to have stalled out - but don't want to force a non useful API on developers