Security/Meetings/2012-01-18
Click-to-play Plugins (keeler)
- Try builds:
- Uses context menu/popup menu, explicit permissions: http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/dkeeler@mozilla.com-18015545af29/
- Straight click-to-play, implicit permissions (3 activations whitelists a plugin (by source uri) on a site): http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/dkeeler@mozilla.com-e98398afecac/
Meeting time
- meeting time
- Meeting is at a good time AUS every 2 weeks (10 AUS/15 PST/18 EST/00 GER), and a good time GER every other 2 weeks (10 GER / 01 PST/ 04 EST/19 AUS)
- possible solutions: (16 GER/07 PST/10 EST/
- [decoder] Would be fine with a permanent 00 slot for Germany. Most of the time I'm awake then anyway.
This etherpad
- Move to https://security.etherpad.mozilla.org/ and make public only after the meeting? It's weird to have to ask whether something is public before typing it at all.
- consensus is the open etherpad is fine for team meetings
Openwebapps (dchan)
- Notes from last week's workweek meeting
- We have an action item to determine which APIs require more stringent controls
- API metabug https://bugzilla.mozilla.org/show_bug.cgi?id=673923
- wiki https://wiki.mozilla.org/WebAPI
- APIs that could cause privacy leaks, cost user money seem to be good choices
- mhanson suggested focusing on telephony and contacts initially
- We will need to create a process for "approving" new APIs
- Goal is to be able to look at API and say it needs the following checks / conditions to be true
- e.g. webapp must be served over SSL, webapp must prompt every time
Team Embedding
- In general, one main point of contact for each area.
https://wiki.mozilla.org/Security/TeamEmbedding#Who_is_embedded_where.3F
- If you're on the list, you are accountable for being the point of contact for this team (they should know you and contact you with security needs)
Mobile Security Testing (decoder)
- Doug and Brad from mobile team added more information to https://etherpad.mozilla.org/mobile-security-testing (Thanks to imelven for pinging them on this)
- If you're looking for stuff to test/review on mobile that isn't covered by FF on desktop, this list should help
- If you know about something mobile specific that isn't covered on desktop, add it there :)
(Mobile) Fuzzing Meeting after this meeting (decoder)
- Scheduled as 1:1 between decoder and gkw, but some stuff might be interesting to others who want to do mobile testing
- https://etherpad.mozilla.org/fuzzmtg
Fuzzing on VMs (gkw)
- Some work on getting fuzzing (jsfunfuzz) on a WinXP VM, with a Mac Lion host.
- With the refactoring done last week, it is now much easier to do so.
- Not mathematically measured, but single thread perf seems to take a 2x - 4x hit. (VM was set to dual core, 3Gb RAM)
- autoBisect disabled for WinXP due to problems with spaces in directories
- Temp directory is in Documents and Settings, the spaces of which break pymake
Mobile and shipping Fennec Native 1.0 (imelven)
- elancaster has asked 'what does mobile need to do security-wise to ship 1.0 of the Fennec Native UI build?'
- meeting with her at 2 pm today to discuss
- would be great to have some solid answers to give her
- imelven currently thinks: not too much - I am tracking bugs/doing code reviews of some pieces
- there are outstanding issues from XUL fennec like geolocation prompting and sdcard usage, but these shouldn't stop native fennec
- looking for input from the rest of the team if there are reviews people feel we still need to do or questions we would like answered
Security Questionnaire PoC (decoder)
- Available at https://users.own-hero.net/~decoder/secreview/
- Radio Button triggers further questions
- Submit button doesn't do much yet (will soon send an email with results)
- Questions for web services (when answering "No" to first question), not fully included yet. Answering "No" there brings the questionnaire more into infrasec area, ping them about it?
- Feedback appreciated
- Next steps:
- get feedback from previous secreview participants
- if possible have them use the form as if it were actually being used
- questions about usage, what they like, what they don't like, etc
Blog Post Draft (decoder)
- Covers ASan and Clang Static Analysis
- Provides unofficial ASan builds for Linux and static analysis results (both on p.m.o)
- Feedback appreciated
- planned publish 24-Jan
Aurora/Nightly Updates on mobile (imelven)
- update.xml is downloaded over SSL
- APK (android package) is signed by us but downloaded over http
- the app needs to have the same signature as the app it's updating, but there's a possibility it could be another signed app that would then be installed (but not replace the existing fennec)
- ideas:
- download hash over SSL, check hash against downloaded APK
- check signature is same as installed fennec - blassey isn't sure Android APIs can do this
- seems like a bug should be filed - imelven thinks this is sg:moderate
- thoughts?
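The "download hash over SSL" idea above, as an added example (not Mozilla's updater code): the manifest fetched over HTTPS carries the expected digest and size of the APK, and the APK fetched over plain HTTP is rejected unless both match. The manifest layout, attribute names and APK bytes are constructed for this example and are not the real update.xml schema.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed stand-ins: a fake APK and a manifest describing it. The element
# and attribute names are an assumption for this example, not Mozilla's schema.
GOOD_APK = b"PK\x03\x04" + b"fennec-nightly-apk-contents" * 8
MANIFEST = f"""<?xml version="1.0"?>
<updates>
  <update version="12.0a1">
    <patch URL="http://example.invalid/fennec.apk"
           hashFunction="SHA256"
           hashValue="{hashlib.sha256(GOOD_APK).hexdigest()}"
           size="{len(GOOD_APK)}"/>
  </update>
</updates>"""


def parse_manifest(xml_text):
    """Return (url, hash_function, expected_hex, size) from the HTTPS-fetched manifest."""
    patch = ET.fromstring(xml_text).find("./update/patch")
    if patch is None:
        raise ValueError("manifest has no <patch> element")
    return (patch.get("URL"), patch.get("hashFunction").lower(),
            patch.get("hashValue").lower(), int(patch.get("size")))


def verify_apk(apk_bytes, hash_function, expected_hex, size):
    """True only if the HTTP-fetched APK matches the digest and size from the trusted manifest."""
    if hash_function not in hashlib.algorithms_available:
        return False  # unknown digest: refuse the update rather than skip the check
    if len(apk_bytes) != size:
        return False
    actual_hex = hashlib.new(hash_function, apk_bytes).hexdigest()
    # constant-time comparison so timing does not reveal how much of the digest matched
    return hmac.compare_digest(actual_hex, expected_hex)


def check_update(manifest_xml, fetched_apk):
    """Full check: parse the trusted manifest, then verify the untrusted download against it."""
    _url, hash_function, expected_hex, size = parse_manifest(manifest_xml)
    return verify_apk(fetched_apk, hash_function, expected_hex, size)


if __name__ == "__main__":
    print(check_update(MANIFEST, GOOD_APK))                    # the bytes the manifest describes: accepted
    print(check_update(MANIFEST, GOOD_APK[:-1] + b"X"))        # constructed substitution on the HTTP hop: rejected
```

The signature-matches-installed-app check discussed in the notes is a separate question for the platform; this example covers only the hash-over-SSL half.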
XSS Filter (imelven)
- https://bugzilla.mozilla.org/show_bug.cgi?id=528661
- this seems stalled
- can we do anything to unstall it? imelven would like to see this land, since both IE and Chrome have XSS protection and Firefox does not.
- asked riccardo to ping jst to see if anyone other than mrbkap can do the review or get started reviewing the patch to move it along
- sid & ian will talk to jst
Any other business
- gkw upcoming PTO
- Away Friday Jan 20 - Wed Jan 25 night inclusive
- Hope to be back Jan 26.
Communications (curtis/abillings)
- blogging policy
- where to do edits of blog posts (random named pages is fine)
- first draft text file emailed to PR first, then our private etherpad for our team.
- Tue meeting security section usage
- https://intranet.mozilla.org/SecurityTeam:EditorialCalendar
Blog
| Contributor | Week Of | Topic |
| --- | --- | --- |
| decoder | 23-Jan-2012 | |
| sid | 6-Feb-2012 | |
BrownBag
- Jan: gkw - Fuzzing @ Mozilla, 30-Jan 1PM
- Feb: imelven
- Ideas? Still looking for ideas.
Lightning talk
| Contributor | Month Of | Topic |
| --- | --- | --- |
| dveditz | Jan | |
| Sid | Feb | |