SecurityEngineering/MeetingNotes/2013-04-14

Agenda 2014-4-14

CHAIR: Sid Stamm

Agenda:

• 2014 Q2 Goals
• heartbleed & heartbleat (i.e. our response)
  • Ideas: safe-browsing-like "warning" system, crlset-based warning system, addons, etc.
  • Lots of press
  • Addon for detecting vulnerable sites: coming soon.
  • How to detect without exploiting: https://blog.mozilla.org/security/2014/04/12/testing-for-heartbleed-vulnerability-without-exploiting-the-server/
  • Would be cool if the addon could tell people *when* to change their password! grobinson on it. (And some preloaded sites.)
  • Example preload lists: https://github.com/musalbas/heartbleed-masstest#630-of-the-top-10000-sites-appeared-vulnerable-on-april-8-1600-utc
• pinning mini-not-work-week - April 28 in Portland (mmc and cviecco? and keeler)
• EV display broken on session restore - help! (https://bugzilla.mozilla.org/show_bug.cgi?id=995801)
  • On startup, we don't want to block on network I/O. Displaying the EV indicator requires having revocation information. We currently don't persistently store that. So, no page loaded from the cache will have the EV indicator unless that revocation information is fetched in another network request (say by navigation or cache-clear-refresh).
• mozilla::pkix work list: https://etherpad.mozilla.org/mozilla--pkix