Security/Meetings/2011-10-19

Goals

We have four team goals this quarter:

• [NEW] Unify our security & privacy review operations with User Data Council work
  • Identify and document single point of contact for privacy+security by design.
  • Socialize flow for getting security/privacy/UDC involved early-on for in-flight aid in design and development.
• [NEW] Mobile Fuzzing
  • Get LangFuzz to ARM architecture (Linux/Tegra)
  • Get LangFuzz to mobile (Browser on Android) - has dependency on Jetpack
• [NEW] Finalize security criteria, ready to socialize along with a few other areas of non-feature work
• [NEW] Telemetry/User Research - prioritize feature development and code hygiene work
  • Get stats on features we want to end-of-life (enablePrivilege, etc)
  • Frequency of cert errors (counting each of: expired, self-signed, wrong domain) and OCSP success/failures (nonresponses, server errors, revoked, valid) and frequency of mixed-content encountered (bucket mixed display and mixed scripting).

Start working on CA - scope of problems, avenues to explore, supporting experimentation

• Meeting at 2 PT today

MozCamps

• https://wiki.mozilla.org/MozCamp
• Evangelize security, both our team and processes, as well as security in general
• Gary is going to Malaysia. Nov 18-20
  • Main topic: High level fuzz-testing overview
  • Security bug bounties
  • (not yet notified Gen or Mary)
• Curtis is going to Berlin. Nov 10-14
  • Speaking: neurobiology of decision-making (?) > waiting to see if talk idea accepted
• If you're interested in going and/or talking, ask Mary and Gen if you can get yourself invited?

Etherpad

• Please use light/pastel background colors.
• The new “private pads” feature is not as easy to use as we hoped.

User Research/Studies

Effort estimates

What would it take to use TestPilot or Telemetry to do studies? Here are some rough estimates for each study we wish to deploy:

• TestPilot: (Roughly 3wks to data) ~1 week of coding, 2-5 days of UR team help, then duration of study deployment
  • Appropriate for web usage measurements (perhaps related to individuals' behaviors)
• Telemetry: (Roughly 3wks to limited data) ~1 week of coding, time for review (2-5 days), in nightly immediately
  • Bigger sample every six weeks (as it graduates to Aurora, Beta, Release)
  • Appropriate for software performance measurements and feature usage measurements.

Ideas for studies

Any study will require at least cursory privacy review.

• Previously: https://wiki.mozilla.org/Security/Meetings/2011-10-05#Goals_for_us
• Installation and use of plugins (Telemetry)
  • We already have installation data, and another team is planning to do this bug 695589
  • Privacy/Reviews/Telemetry/Encountered_Plugin_Types
• How users respond to various outdated-plugin UIs (Test Pilot)
• how many/which CA's and/or intermediates are seen?
• quality of certs seen? (key strength, cipher suites) maybe get that from ssllabs already

Malcrash

• Reached public alpha stage
  • Data automatically mined every day
  • Docs at https://intranet.mozilla.org/User:Choller@mozilla.com/Malcrash
  • Needs MPT VPN + your LDAP login (username without @mozilla.com)
  • bsterne and I will improve the design

Recently Completed SecReviews

• SPDY
• Silent Updates OS Dialogs
• Based Download Manager
• JetPack
• WebRTC

Recently Completed Privacy Reviews

• Client-Only F1

Action Items

• [dchan] will look at TP and telemetry studies to see how involved the coding is, and decide whether or not he wants to champion a study
• [curtisk] Process request: send reminder mail to secreview attendees day before