From MozillaWiki

Prioritizing security features

  • Concern that we're falling behind Chrome and even IE on some security features
    • See Brandon's email to security-group (private list) for details on the concern
    • Fixing and blogging would be good PR in addition to protecting users and sites
  • "EverythingElseSmash": prioritization & getting help from the platform team
  • Brandon & Ian will be triaging the long list of sg:low and sg:want bugs next week
  • Should also ensure we have bugs on the security features that the Chrome & IE teams have been blogging about.
  • Grouping a set of related bugs into a project / feature page / metabug can help get people interested

Security roadmap changes

Black Hat

  • [chofmann] Hotel updates
    • Caesars extensions (e.g. for people staying for DEFCON) done
    • Caesars out of rooms, so late signups will be staying somewhere else (Flamingo?)
  • Attendees, please update https://intranet.mozilla.org/ConferencesSchedule/Blackhat2011
    • Party signups
    • Talk signups. Let's indicate which talks we're going to.
    • Dinner signups
  • What should we discuss with PR beforehand?
    • Always ok to say "I don't know, I'll get back to you"
    • JIT compiler talk
    • SSL controversies (cert ui, dnssec, protocol holes)
    • Schedule a meeting? Start an email thread with BH attendees and PR team?

Anti-tampering: user.js

Writing for the security blog


  • Information about team members
    • How to find us at Black Hat & DEF CON
    • Find us on IRC in #security and #fuzzing
  • Security features, EverythingElseSmash, Roadmap
    • Help us prioritize
    • Help us fix
  • Help us figure out web compatibility impact of feature X we're contemplating. (Short posts are okay!)
  • Success of CritSmash? Maybe not.
  • What RapidRelease means for security
    • We can get security features into Firefox faster
    • Improves testing of fixes for security bugs, but constrains secrecy.
  • Recent changes to the sec-review process. (Curtis will write this.)
    • Examples of successes (e.g. finding problems in CSS transitions implementation and in the ServerSentEvent spec)
    • Bugzilla keywords
    • How to subscribe to the calendar and dial in to meetings you're interested in
    • How we pick out features that need security reviews (when developers and product managers don't come to us)
    • When we hold meetings and when we just have one person poke at it
  • Bug bounty winners. (Dan and Chofmann will write this.)
    • So far most bounty winners have said they're cool with us mentioning their names in public

XSS filter update (Riccardo)

  • Will schedule security review

DNSSEC update (David Keeler)