Security/Meetings/2011-11-02

MozCamp EU [curtisk]

• New Security Features in Firefox > Talk curtisk has been asked to give
  • talk to mcoates for slides we might be able to reuse
  • Will send copy of presentation to team for review
  • would appreciate help in making sure I have things correctly shown & features covered
  • CSP | about:permissions | HSTS | DNT?

MozCamp Asia [gkw]

• No news about acceptance of talk yet
• Will work on the draft for "Fuzz-testing in Mozilla" this week
  • Based on the assumption that it gets accepted
  • Jesse has done similar talks before
  • Ideas welcome

Silent Update Security Questions [imelven]

• the question is whether it's ok for the updates dir to be world writeable
• the other issue is that they want us to weigh in on not requiring the callback application to be signed (which means you could inject any executable into another user's session)
• https://bugzilla.mozilla.org/show_bug.cgi?id=481815
• imelven will follow up in the bug and secteam will keep following this feature
• concerns include kiosks and malware and the fact other update systems have been targeted previously

TPAC Update

• WebAppSecurity Working Group
  • CSP is almost ready for CfC
  • IE 10 has CSP and the sandbox directive
  • Gathering requirements for an anti-clickjacking feature
  • CORS is close to final shipping modulo creating a test suite
• Tracking Protection Working Group[1]
  • DNT standardization is making progress
  • Tracking Protection public drafts have been approved by WG and will be published shortly.

Thoughts on Data Analysis

• curtisk sent some updates to the team
  • what's next?

Sync and mobile

• Product / fennec team considering changes to sync to just use username/password.
• Obviously this impacts what/how data could be stored.
• sstamm and imelven meeting with dougt to discuss later and find out what the plan is

Release criteria

• In main engineering goals https://intranet.mozilla.org/2011Q4Goals#Engineering
• Strawman criteria cutoff Nov 15
• Dashboard plus criteria prototype by end of Dec

Telemetry study

• Moving forward with SSL study
  • Collect cipher suites exchanged during handshake and negotiated cipher
  • Collect TLS/SSL version
  • Collect certificate key strength (bits)
  • Collect TLS/SSL certificate related errors
    • What kind of errors are our users encountering?
    • Domain mismatch, expired, untrusted issuer, etc
• There are no plans to collect any information that would be personally identifiable
  • I'm not sure if collecting the above set of data would be enough to be PII

Address Sanitizer in Firefox

• http://code.google.com/p/address-sanitizer/wiki/AddressSanitizer
• Valuable for security testing (esp. fuzzing)
• Help required: https://bugzilla.mozilla.org/show_bug.cgi?id=664901

Informational Links

• [1] Tracking Protection working group: http://www.w3.org/2011/tracking-protection/

Recently Completed SecReviews

• Sync Push to Device
• WebVibrator
• WebGL
• BrowserID C API