From MozillaWiki

Welcome Tanvi!

  • bogarted by orientation

SecBugStats (curtisk)

  • Final version sent to secteam for review

Security Interaction (curtisk)

  • [curtisk] giving a brownbag on Dec-9 - Neurobiology of Decision Making
  • [gkw] give talk he gave at mozcamp as a brownbag?
    • [gkw] to look into it

Mobile update (imelven)

  • about:home has landed, we should take a quick look at it (imelven will play with it, others are encouraged to try it in birch/nightly also)
  • margaret is looking to help out on click to play - hopefully this will help push it along on desktop also
    • this is a high priority for mobile to make the flash experience better
  • local db (instead of system storage) - lucasr has a patch for this
  • User Agent switcher landed - this is NOT the UA change discussed on platform
    • it lets you choose to reload a page with a hardcoded desktop UA
    • default will be to use mobile for all sites - we want to make this sticky per domain, across restarts even (persistent somehow)
      • right now using hardcoded linux desktop string (including a static version number) - want to change
    • session history and redirect are 'broken' - you've already been redirected to the mobile site and changing the UA won't change that
  • it's _only_ forced when it's explicitly switched to 'desktop' by the user, otherwise the normal fennec UA is used with dynamic components

2012 Conferences (imelven)

2012 dates of the conferences that I could find

  • imelven is interested in attending INFILTRATE or Source Boston - lucas suggested discussing with bsterne as INFILTRATE is more offensive-focused (but has some very interesting talks on attacking sandboxing etc)
  • ShmooCon
    • who is going - no one so far
  • RSA
    • Sid is on a panel @ RSA re: SSL
    • do we usually attend this?
      • no, not usually, but is good for press briefings and panel presence

Incremental GC (jesse, gkw & decoder)

  • Write barriers (a prereq for incremental GC) have landed on mozilla-central
    • The dependency tree of bug 641027 is "everything that can go wrong, does" at the moment. So we're probably not done finding bugs here.
  • larch branch has been setup with experimental incremental GC
    • [gkw, decoder, Jesse] We're pounding on it
      • Some bugs have been found

Extended support releases

  • Kev is getting close to calling his proposal done. Then product managers decide whether we actually do an ESR. See dev-planning megathread

Putting Firefox 3.6 out of its misery

  • Currently waiting on the outcome of the ESR proposal :(

TLS Telemetry Update (dchan)

  • On track to have code complete by end of week
  • probes in place for
    • keysize
    • generic SSL errors returned by PSM
    • specific SSL errors exposed by nsISSLStatus.idl
  • TODO: log ciphersuites
    • Log data from initial handshake
      • Requires changes in NSS
    • Log OCSP response data
  • To set a good example, we should include the Telemetry study here: Privacy/Reviews/Telemetry/Measurements, perhaps by creating a lightweight review and documenting it in detail.
    • It will be included in the documentation. There should be no PII being collected

Sec Blog Puzzles

  • [decoder] Post puzzles/riddles for readers to solve
    • Wargame meeting this week was postponed, haven't worked on this yet
      • Should we primarily create our own puzzles or do we want to use existing challenges?
      • Could we use our own old security bugs (that have been fixed/opened) and post them to spot what's wrong/come up with an exploit?
    • How do we operate this, e.g. do we announce winners continuously? (could throw off less experienced people) We could also come up with a hall of fame, sorted by time solved (this is what other challenges do commonly) => own small website for the puzzles?
      • take all correct answers and do a random draw for winner ?
    • I don't think prizes make sense for old security bugs. The bugs are already public.
      • [curtisk] Can use old bugs for ideas, or make variants
    • [decoder] Coming up with good puzzles and grading are both a lot of work.

Curtis's action items from last week(?)

  • get hack of the month in Dec for Jan
    • meeting with dveditz next week, can discuss then
  • get puzzle by EOM Dec -> publish 1st week Jan
    • working with decoder
  • work with imelven on lightning talk
    • will talk to Ian next week when I am in town
    • imelven has been thinking about this, discussed a little with lucas and sid last week
  • MDN articles
    • meeting with mcoates & sheppy on Dec-7

Sec Blog Post Topics

  • curtis in MV next week
  • Sid on PTO 1-5 Dec

Recent Security reviews