Standing Agenda

• Q4 Goals Recap ( https://wiki.mozilla.org/SecurityEngineering/2013/Q4Goals )
• Review roadmap priorities to ensure they accurately reflect active projects and Mozilla's priorities
• Detailed discussion of features or outstanding issues as time permits
• Additional Items
• Upcoming events, OOO/travel, etc.
• Planning for next meeting (chair selection, etc)

Last week: https://wiki.mozilla.org/SecurityEngineering/MeetingNotes/2013-11-07 Q4 Goals:

• Sandboxing
  • Outcome: Next set of steps towards a exploit-containing platform.
  • DRI: sid (+keeler +christoph)
  • Tasks:
    • [DONE] Implement: Chromium-sandbox: make it possible to compile and activate on mozilla-central - (keeler + bbondy)
    • [ON TRACK] Implement: b2g/e10s security feature tests: Get CSP tests passing in e10s with help from overholt on platform team (garrett + sid + mwobensmith)
    • [DONE] Implement: enable seccomp-bpf for linux desktop - bug 935111 (christoph)
      • This is done when we have the syscall whitelist for every platform (not just x86_64)
• Roadmaps
  • Outcome: More visibility and aim for our team's projects.
  • DRI: monica (+sid +garrett +cviecco +briansmith)
  • Tasks:
    • [ON TRACK] Consult: security roadmap update (sid + briansmith + product teams)
      • in progress - should have something next week
    • [ON TRACK] Consult: privacy roadmap update (monica + sid + product teams)
    • [ON TRACK] Consult: anonymity (tor) roadmap update (sid + mikeperry)
• NetSec
  • Outcome: Massive improvement in channel security for SSL sites that want protection from decryption.
  • DRI: briansmith (+cviecco)
  • Tasks:
    • AT RISK - bug 878932 (briansmith + cviecco)
    • [DONE] Implement: TLS 1.2 enabled on nightly requires server intolerance + telemetry (cviecco + briansmith)
• Mixed Content wrap up
  • Outcome: Mixed script is blocked widely on the web in a stable way (and has no more urgent follow-ups.)
  • DRI: christoph (+tanvi)
  • Tasks:
    • [ON TRACK] Implement: redirect bug - bug 418354 (see Bug 878890)
    • [DONE] Implement: don't show mixed content on http pages - bug 909920
    • Template:Ok: missing notification - bug 915951 (see Bug 934843)
    • [DONE] Implement: persistency for child tabs - bug 906190
• CSP
  • Outcome: Wider adoption of CSP when Firefox supports these features (and beginning of CSP v1.1)
  • DRI: garrett (+sid)
  • Tasks:
    • [DONE] Implement: script nonce landed behind a pref. bug 855326 (garrett + sid)
    • [ON TRACK] Implement: script hash landed behind a pref. bug 883975 (garrett + sid)
    • [DONE] Evaluate: profile CSP on desktop and B2G to develop a plan to optimize CSP by rewriting in C++ or otherwise (https://bugzilla.mozilla.org/show_bug.cgi?id=924337#c26) [garrett + christoph] (FAST PATH PROOF: bug 927493)

Agenda 21-Nov-2013

CHAIR: Sid

• Q4 Goals Recap
• Security & Privacy reviews
  • mmc noticed the throughput of the priv/sec reviews seems low
  • seemingly, nobody wants to take ownership on closing the bugs
  • Sid will report back
• Security Roadmap
  • https://wiki.mozilla.org/Security/Roadmap
  • Top-level outcomes: (1) Firefox the safest platform (2) Web the safest platform (3) HTTPS is default. Are we missing any?
• tracking strategy pitch: https://docs.google.com/a/mozilla.com/document/d/1K-D-f9F8XRSgWQv9qsUpkDQ5RJQYtacUfY0I9e4iJM4/edit#
  • only scoped to well-behaved advertisers

Action Items for next week:

• (sid) find out about sec/priv reviews and report back
• (all) look at security roadmap, tell Sid if there are outcomes missing (high-level goals we want to do or are working on)