- working group is going
- criteria is being discussed
- this list right now is overly granular, will need to be whittled down
Mobile Locale Picker
- is what they're doing with Aurora/Nightly in line with our best practices ?
- currently done with xpi over plain http as an add-on for the locale
- no, they should be protected in some fashion
- imelven will file a bug against nightly/aurora for this
- should we file a bug for release even though it's still 'in progress' ?
- imelven will file a bug for this - XML file should come over SSL, other XPI's come with hash over SSL
- should be done the way it's done for addon and client updates today
- bug to explain why Fennec wants permissions
- need some help making this happen
- mbrubeck is thinking about writing a blog post on permissions for Fennec
- there's ongoing debate about asking for permissions we don't need yet for a better update flow as opposed to being very tight with permissions and only asking for things we actually use
- debate about whether writing the document will help - 'people only read the market description, don't follow links in it' - but we don't explain why we require whatever permissions anywhere
- imelven will check if there's a tool to audit permisisons on Android
- imelven will follow up with Michelle Luna (mobile SUMO)
- Gary - Kuala Lumpur
- curtis has been invited by Gen Kanai to one in Malaysia to talk sec via yammer
DerbyCon / Louisville Infosec roundup [curtis]
- Wiki-write up: https://wiki.mozilla.org/Security/Conferences/DerbyCon2011
- mentions of Moz/Curtis in other blogs
- invite Skydog Con (Nashville)
Sec Review Triage
- moved to Oct-12 in Zombocom
- will cover untriaged radar items, bugs and assignments
- Trip 17-22 oct
- will arrive late on 17 so will work from home till mid-day EST then depart
Blog post roundup
- W3C stuff is progressing. That is all.
- the working group doesn't seem interested in creating a TPL (block list) spec.
- Remember: Q4 is a short quarter
- We generally try to have 3 goals per quarter, but may also list other planned activities.
- We've been asked to consider "mobile first", "how will we use telemetry", and "e10s"
Goals for other teams
- Click to play plugins
- there are WIP patches
- we should discuss what sites should be whitelisted if any
- mobile team really wants this for Flash - they are working with desktop folks so this may help push this along overall
- Networking team has committed to fixing sg:moderates and higher (older than Q4). Yay!
- [CARRY OVER] Land XSS auditor (waiting for mrbkap)
- EOL 3.6
Goals for us
- Telemetry/User Research ? - are there probes or Test Pilot studies we could use to get some useful info ?
- Get stats on features we want to kill off (enablePrivilege, E4X <- done)
- Frequency of cert errors (counting each of: expired, self-signed, wrong domain) and OCSP success/failures (nonresponses, server errors, revoked, valid) and frequency of mixed-content encountered (bucket mixed display and mixed scripting)
- this will help us decide how to prioritize (or de-prioritize) future work on SSL failures, revocation, mixed content work
- Privacy: unify our reviews (sec/priv) with User Data Council (UDC)
- make it easy and smooth to get all the right eyeballs involved at the right times.
- Mobile Fuzzing
- Get LangFuzz to ARM architecture (Linux/Tegra)
- Get LangFuzz to mobile (Browser on Android)
- LangFuzz mobile has dependency on Jetpack
- Get a plan for sec release quality finalized and ready to socialize (related to non-feature prioritization)
Other things we'll be doing
- Track Silent update & stub installer: encouraging them, but also help them be secure
- Silent update meetings (Tue 10am PT)
- Evaluate malware-URL crash correlation and possibly get it productive
- Work with UX to improve Larry to show check marks (CSP, STS, STS for entire private suffix, all parts secure, all cookies secure, etc) http://etherpad.mozilla.com:9000/LarryChecklist
- Turn the sg:want list into a roadmap (on pause due to driving security bugs and waiting for non-feature consensus?)