Security/Meetings/Automation/2014-11-04
Agenda
- status updates
- GPG API authentication token in MIG
GPG API Authentication
- Use HTTPS only, to avoid replay attacks (nonces are not cached)
- Suggested test cases to implement to protect against common attacks
  - Timestamp in header is not the same as in signature
  - Nonce too short (consider an alphanumeric charset or so?)
  - Ensure regularly that server time is correct?!
- I had another really great idea but I forgot.
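The checks listed above (header timestamp must match the signed timestamp, nonce must be long enough and alphanumeric, server clock must be close to the client's) can be exercised as unit tests against a small verifier. The following is an added illustration, not MIG's code: the header layout (`timestamp=...;nonce=...;signature=...`), the minimum nonce length, and the clock-skew window are assumptions, and an HMAC over a shared secret stands in for the detached GPG signature that the real token would carry. Because nonces are not cached, a captured token stays valid for the whole skew window, which is why the transport has to be HTTPS.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: a shared secret stands in for the investigator's GPG key.
# A real verifier would check a detached PGP signature over the same payload.
SECRET_KEY = b"example-shared-secret-not-a-real-key"
MIN_NONCE_LEN = 16      # assumption: reject nonces shorter than this
MAX_CLOCK_SKEW = 300    # assumption: accepted difference (seconds) between clocks


def signed_payload(timestamp, nonce):
    """The exact bytes the client signs; the header must carry the same values."""
    return f"{timestamp};{nonce}".encode()


def sign(timestamp, nonce, key=SECRET_KEY):
    """Client side: produce the signature over timestamp and nonce."""
    return hmac.new(key, signed_payload(timestamp, nonce), hashlib.sha256).hexdigest()


def make_header(timestamp, nonce, signature):
    """Assumed header layout (not MIG's real format)."""
    return f"timestamp={timestamp};nonce={nonce};signature={signature}"


def new_token(key=SECRET_KEY):
    """Client side: fresh nonce, current time, signature over both."""
    ts = int(time.time())
    nonce = secrets.token_hex(16)   # 32 alphanumeric characters
    return make_header(ts, nonce, sign(ts, nonce, key))


def parse_header(header):
    fields = {}
    for part in header.split(";"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def verify_header(header, now=None, key=SECRET_KEY):
    """Server side. Returns (ok, reason) so each rejection path is testable."""
    now = int(time.time()) if now is None else now
    try:
        fields = parse_header(header)
        ts = int(fields["timestamp"])
        nonce = fields["nonce"]
        sig = fields["signature"]
    except (KeyError, ValueError):
        return False, "malformed header"
    # Test case: nonce too short (or outside the alphanumeric charset).
    if len(nonce) < MIN_NONCE_LEN or not nonce.isalnum():
        return False, "nonce too short or not alphanumeric"
    # Test case: server time vs. client time; a badly skewed server clock
    # rejects every honest client, which is why the clock must be monitored.
    if abs(now - ts) > MAX_CLOCK_SKEW:
        return False, "timestamp outside clock-skew window"
    # Test case: timestamp in header differs from the one that was signed.
    # The signature is recomputed over the header's own fields, so any
    # mismatch between header and signed values fails here.
    expected = sign(ts, nonce, key)
    if not hmac.compare_digest(expected, sig):
        return False, "signature does not match header fields"
    return True, "ok"


if __name__ == "__main__":
    token = new_token()
    print(token)
    print(verify_header(token))
```

`verify_header` takes `now` as a parameter so that the skew and freshness cases can be tested deterministically without touching the system clock.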
Status Updates
- freddyb
  - SRI things. rewriting the spec
    - in essence: just scripts and styles.
- ulfr
  - MIG
    - back on mig code! lots of investigator management code, fairly boring but nice to have
    - now designing an api authentication method
  - TLS
    - HPKP experiments in webops
    - tls observatory stuff
- jeff
  - lua sucks
  - beta testing Elasticsearch "shield" security offering
  - other folks want to use mozdef but it needs SAML auth
  - blocked china in a demo... fun!
- mgoodwin
  - No update
  - security.cert_pinning.enforcement_level
    - 0 means: no enforcement at all
    - 1 means: hard fail for non-local roots (and other errors)
    - 2 means: hard-fail, inc. local roots
  - security.cert_pinning.process_headers_from_non_builtin_roots
    - true = allow HPKP pins from local roots
    - false = don't allow HPKP pins from local roots (default)
  - https://timtaubert.de/blog/2014/10/http-public-key-pinning-explained/
- psiinon
  - ZAP frozen for 2.4.0