Security/Meetings/2011-10-05
Non-feature work
- working group is underway
- criteria are being discussed
- the list right now is overly granular and will need to be whittled down
Mobile Locale Picker
- is what they're doing with Aurora/Nightly in line with our best practices?
- currently done by fetching an XPI over plain HTTP and installing it as an add-on for the locale
- no; the downloads should be protected in some fashion
- imelven will file a bug against nightly/aurora for this
- should we file a bug for release even though it's still 'in progress'?
- imelven will file a bug for this - the XML file should come over SSL, and the XPIs it references should come with a hash (delivered over SSL)
- there is javascript on AMO that installs add-ons; it gets the hash and downloads the file over SSL
- should be done the way it's done for add-on and client updates today
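The policy sketched above (manifest over SSL; an XPI may travel over plain HTTP only if the SSL-fetched manifest carries a strong hash for it, and the hash must match before install) as an added example. This is not Mozilla's, AMO's or the locale picker's code: the manifest shape, the `algo:hexdigest` hash format and the example.invalid URLs are assumptions, and the XPI bytes are constructed.

```python
"""Added example (not Mozilla code): the "manifest over SSL, XPI with hash" check
from the notes above. Manifest shape, hash string format and URLs are assumptions."""
import hashlib
import hmac
from urllib.parse import urlparse

STRONG_HASHES = ("sha256", "sha384", "sha512")

# Constructed stand-in for a downloaded locale XPI (a real one is a zip archive).
SAMPLE_XPI = b"PK\x03\x04 constructed locale pack bytes, not a real add-on"
SAMPLE_HASH = "sha256:" + hashlib.sha256(SAMPLE_XPI).hexdigest()

# Constructed manifest as the locale picker might receive it (assumed shape).
SAMPLE_MANIFEST = {
    "url": "https://example.invalid/locales.xml",   # the XML itself must come over SSL
    "entries": [
        {"locale": "de", "url": "http://example.invalid/de.xpi", "hash": SAMPLE_HASH},
        {"locale": "fr", "url": "http://example.invalid/fr.xpi"},                # plain HTTP, no hash
        {"locale": "es", "url": "https://example.invalid/es.xpi"},               # SSL, hash optional
        {"locale": "it", "url": "http://example.invalid/it.xpi",
         "hash": "md5:" + hashlib.md5(SAMPLE_XPI).hexdigest()},                  # weak hash
    ],
}


def is_https(url):
    return urlparse(url).scheme == "https"


def parse_hash(spec):
    """Split 'algo:hexdigest'; reject unknown or weak algorithms and bad hex."""
    algo, sep, hexdigest = spec.partition(":")
    if not sep or algo not in STRONG_HASHES:
        raise ValueError("unacceptable hash algorithm: %r" % algo)
    return algo, bytes.fromhex(hexdigest)   # raises ValueError on non-hex input


def entry_is_acceptable(entry):
    """An XPI may come over plain HTTP only if the SSL-fetched manifest carries a
    strong hash for it; over HTTPS the hash is optional."""
    if is_https(entry["url"]):
        return True
    try:
        parse_hash(entry.get("hash", ""))
    except ValueError:
        return False
    return True


def xpi_matches(entry, data):
    """True if `data` hashes to the manifest value (constant-time comparison)."""
    algo, expected = parse_hash(entry["hash"])
    actual = hashlib.new(algo, data).digest()
    return hmac.compare_digest(actual, expected)


def install_decision(manifest, locale, data):
    """Return (ok, reason) for installing the fetched bytes `data` for `locale`."""
    if not is_https(manifest["url"]):
        return False, "manifest not fetched over SSL"
    entry = next((e for e in manifest["entries"] if e["locale"] == locale), None)
    if entry is None:
        return False, "unknown locale"
    if not entry_is_acceptable(entry):
        return False, "plain-HTTP XPI without a strong hash"
    if "hash" in entry and not xpi_matches(entry, data):
        return False, "hash mismatch: XPI may have been altered in transit"
    return True, "ok"


if __name__ == "__main__":
    for loc in ("de", "fr", "es", "it"):
        print(loc, install_decision(SAMPLE_MANIFEST, loc, SAMPLE_XPI))
    print("tampered de", install_decision(SAMPLE_MANIFEST, "de", SAMPLE_XPI + b"\x00"))
```

The hash only helps when the manifest carrying it cannot itself be rewritten, which is why the first check refuses a manifest that did not come over SSL; an attacker who can replace the XML can replace the hash as well.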
Mobile Permissions
- file a bug to explain why Fennec wants the permissions it requests
- mbrubeck is thinking about writing a blog post on permissions for Fennec
- there's ongoing debate between asking up front for permissions we don't need yet, for a better update flow, and being very tight with permissions and only asking for things we actually use
- debate about whether writing the document will help ('people only read the market description, don't follow links in it'), but right now we don't explain anywhere why we require the permissions we ask for
- imelven will check if there's a tool to audit permissions on Android
- imelven will follow up with Michelle Luna (mobile SUMO)
Moz Camps
- attendance?
- curtis has been invited by Gen Kanai (via Yammer) to the one in Malaysia to talk about security
DerbyCon / Louisville Infosec roundup [curtis]
Sec Review Triage
- moved to Oct-12 in Zombocom
- will cover untriaged radar items, bugs and assignments
Curtis Travel
- trip 17-22 Oct
- will arrive late on the 17th, so will work from home till mid-day EST and then depart
Blog post roundup
DNT round-up
Goals Discussion
- Remember: Q4 is a short quarter
- We generally try to have 3 goals per quarter, but may also list other planned activities.
- We've been asked to consider "mobile first", "how will we use telemetry", and "e10s"
Goals for other teams
- Click to play plugins
- Networking team has committed to fixing sg:moderates and higher (older than Q4). Yay!
- [CARRY OVER] Land XSS auditor (waiting for mrbkap)
- EOL 3.6
Goals for us
- Telemetry/User Research? Are there probes or Test Pilot studies we could use to get some useful info?
- Get stats on features we want to kill off (enablePrivilege, E4X <- done)
- Frequency of cert errors (counting each of: expired, self-signed, wrong domain), OCSP outcomes (non-responses, server errors, revoked, valid), and frequency of mixed content encountered (bucketed into mixed display and mixed scripting)
- this will help us decide how to prioritize (or de-prioritize) future work on SSL failures, revocation and mixed content
- Privacy: unify our reviews (sec/priv) with User Data Council (UDC)
- make it easy and smooth to get all the right eyeballs involved at the right times.
- Mobile Fuzzing
- Get LangFuzz to ARM architecture (Linux/Tegra)
- Get LangFuzz to mobile (Browser on Android)
- LangFuzz mobile has dependency on Jetpack
- Get a plan for sec release quality finalized and ready to socialize (related to non-feature prioritization)
Other things we'll be doing
- Track silent update & stub installer: encourage them, but also help them be secure
- Evaluate the malware-URL/crash correlation and possibly get it into production
- Work with UX to improve Larry to show check marks (CSP, STS, STS for entire private suffix, all parts secure, all cookies secure, etc) http://etherpad.mozilla.com:9000/LarryChecklist
- Turn the sg:want list into a roadmap (on pause due to driving security bugs and waiting for non-feature consensus?)
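The Larry check marks listed above, computed over a constructed page record, as an added example. This is not Larry's or Mozilla's code: the record shape is an assumption, and "STS for the entire private suffix" is read here as HSTS with `includeSubDomains` served by the registrable domain, which is also an assumption.

```python
"""Added example (not Larry's or Mozilla's code): the check marks from the list
above evaluated over a constructed page record. Record shape and the reading of
"STS for the entire private suffix" are assumptions."""
from urllib.parse import urlparse

# Constructed record of one page load (not captured from a real site).
SAMPLE_PAGE = {
    "url": "https://www.example.com/account",
    "registrable_domain": "example.com",
    # response headers of the page itself, lowercased names
    "headers": {
        "content-security-policy": "default-src 'self'; script-src 'self' https://cdn.example.com",
        "strict-transport-security": "max-age=31536000",
    },
    # HSTS header seen on the registrable domain (the private suffix), if any
    "apex_hsts": "max-age=31536000; includeSubDomains",
    "subresources": [
        "https://cdn.example.com/app.js",
        "https://www.example.com/style.css",
    ],
    "set_cookie": [
        "session=abc123; Secure; HttpOnly; Path=/",
        "prefs=dark; Path=/",   # missing Secure: fails the cookie check
    ],
}


def parse_hsts(value):
    """Return {'max_age': int or None, 'include_subdomains': bool} for an HSTS value."""
    result = {"max_age": None, "include_subdomains": False}
    if not value:
        return result
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age" and arg.strip().isdigit():
            result["max_age"] = int(arg.strip())
        elif name == "includesubdomains":
            result["include_subdomains"] = True
    return result


def cookie_is_secure(set_cookie):
    """True if the Set-Cookie line carries the Secure attribute."""
    attrs = [part.strip().lower() for part in set_cookie.split(";")[1:]]
    return "secure" in attrs


def larry_checks(page):
    """One boolean per check mark in the Larry checklist."""
    headers = page["headers"]
    page_hsts = parse_hsts(headers.get("strict-transport-security", ""))
    apex_hsts = parse_hsts(page.get("apex_hsts", ""))
    return {
        "csp": bool(headers.get("content-security-policy", "").strip()),
        # HSTS present with a positive max-age (max-age=0 clears the policy)
        "sts": bool(page_hsts["max_age"]),
        # registrable domain pins HSTS for every subdomain
        "sts_private_suffix": bool(apex_hsts["max_age"]) and apex_hsts["include_subdomains"],
        "all_parts_secure": urlparse(page["url"]).scheme == "https"
        and all(urlparse(u).scheme == "https" for u in page["subresources"]),
        "all_cookies_secure": all(cookie_is_secure(c) for c in page["set_cookie"]),
    }


if __name__ == "__main__":
    for name, ok in larry_checks(SAMPLE_PAGE).items():
        print(("[x] " if ok else "[ ] ") + name)
```

The "all parts secure" mark is the same distinction the telemetry bullet wants to bucket: one plain-HTTP script in `subresources` flips it off, while an HTTP image would too, so a real implementation would want to report mixed display and mixed scripting separately.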