SecurityEngineering/MeetingNotes/09-13-12

Standing Agenda

  • Q3 Goals Recap -
    • Implement security model for basecamp
    • Achieve go / no-go for Firefox sandboxing
    • Land "final" Click to Play experience (address correctness and UX)
    • Ship CSP compliant with W3C 1.0 spec (also helps B2G)
    • Lead security/privacy dev community event or workshop
  • Review currently active (P1) features against their established milestones, identify any blockers - Security/Roadmap + Privacy/Roadmap
  • Review roadmap priorities to ensure they accurately reflect active projects and Mozilla's priorities
  • Suggest additions or changes to roadmaps
  • Detailed discussion of features or outstanding issues as time permits
  • Additional Items
  • Upcoming events, OOO/travel, etc.

Last week: https://wiki.mozilla.org/SecurityEngineering/MeetingNotes/09-05-12

Goals

  • [ON TRACK] Security Model for basecamp
  • [DONE] Sandboxing - we have a plan (Windows 8 Metro) and buy-in on this plan from Asa
  • [ON TRACK] C2P user experience is on track
  • [AT RISK] CSP 1.0 compliance -- slightly less left to do, still hacking away
  • [DROPPED] community event or workshop

Roadmap

3rd party cookies

  • backend reviewed and ready to land, UI is next, it's 'pretty small'

CA pinning

  • first patch will land in NSS 3.14/FF18
  • patches refactored to help with the patches a contributor is working on
  • and to help with other things
  • now targeting FF19 for static pins

Click to Play

  • "about 2-3 weeks" left
  • keeler got feedback from shorlander, that needs to be addressed
  • feedback loop is taking some time
  • might not be able to uplift to 17
  • can land on 18 which will then go to Aurora shortly

Mixed Content

  • ready to land Part 1, apart from one blocker: tests failing on Android - tanvi is debugging and building Fennec. (Part 1 is backend, where blocking is opt-in)
  • Part 2 not started yet. (Part 2 is UI, where mixed script is blocked by default)

CSP 1.0 compliance

WebCrypto API

  • first draft of the spec is up!!!

Test Pilot Survey Questions

https://id.etherpad.mozilla.org/passwords

Marketing Security & Privacy Features

  • https://etherpad.mozilla.org/SecurityPrivacyFeatures
  • divide into features more for users and more for developers?
  • Security and Privacy Brown Bag for Mozilla employees, the community, and the public. Going through some of the stuff we've finished, and what we are actively working on now. This will help with telling the world about the awesome sec/privacy features Firefox has. And perhaps get people interested in helping with them :)