GPG API Authentication

  • Use HTTPS only, to avoid replay attacks (nonces are not cached, so replay protection relies on the transport)
  • Suggested test cases to implement to protect against common attacks
    • Timestamp in header does not match the timestamp in the signature
    • Nonce too short (consider requiring an alphanumeric charset or similar?)
    • Ensure that server time is correct and checked regularly (timestamp validation depends on it)?
    • I had another really great idea but I forgot.
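
As an added illustration of the checks listed above (example code written for this page, not MIG's implementation): the client signs the string "1;timestamp;nonce", sends it together with the cleartext timestamp and nonce in one header value, and the server checks nonce length and charset, the signature, agreement between the cleartext timestamp/nonce and the signed ones, clock skew, and nonce reuse. The five-field header layout, the five-minute skew window, the 16-byte hex nonce and the use of ed25519 in place of a PGP signature are all assumptions of this example. The notes say nonces are not cached and HTTPS is relied on instead; the small replay cache here shows what a server-side check would add on top of that.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Assumed header layout (this example's, not MIG's), five ';'-separated fields:
//   X-PGPAUTHORIZATION: 1;<RFC3339 timestamp>;<hex nonce>;<b64 signed msg>;<b64 signature>
// The signed message is "1;timestamp;nonce", so the server can compare what it
// was shown in the clear with what the client actually signed.
const maxSkew = 5 * time.Minute // tolerated client/server clock difference
const minNonceHex = 32          // 16 random bytes, hex-encoded

var nonceRe = regexp.MustCompile(`^[0-9a-f]+$`)

// Verifier: the investigator's public key (ed25519 stands in for PGP here) and
// a cache of nonces accepted inside the skew window.
type Verifier struct {
	pub  ed25519.PublicKey
	now  func() time.Time
	seen map[string]time.Time
}

func NewVerifier(pub ed25519.PublicKey, now func() time.Time) *Verifier {
	return &Verifier{pub: pub, now: now, seen: map[string]time.Time{}}
}

// Verify runs the server-side checks: syntax, then the signature, and only
// then anything read from inside the signed message.
func (v *Verifier) Verify(header string) error {
	f := strings.Split(header, ";")
	if len(f) != 5 || f[0] != "1" {
		return errors.New("malformed header or unsupported version")
	}
	stamp, nonce := f[1], f[2]
	if len(nonce) < minNonceHex || !nonceRe.MatchString(nonce) {
		return errors.New("nonce too short or outside [0-9a-f]")
	}
	ts, err := time.Parse(time.RFC3339, stamp)
	if err != nil {
		return errors.New("bad timestamp")
	}
	msg, err1 := base64.StdEncoding.DecodeString(f[3])
	sig, err2 := base64.StdEncoding.DecodeString(f[4])
	if err1 != nil || err2 != nil || !ed25519.Verify(v.pub, msg, sig) {
		return errors.New("signature does not verify")
	}
	p := strings.Split(string(msg), ";") // trusted only after the signature check
	if len(p) != 3 || p[0] != "1" || p[1] != stamp || p[2] != nonce {
		return errors.New("timestamp or nonce in header differs from the signed ones")
	}
	now := v.now()
	if d := now.Sub(ts); d > maxSkew || d < -maxSkew {
		return errors.New("timestamp outside the accepted skew window")
	}
	for n, t := range v.seen { // forget nonces the skew check would reject anyway
		if now.Sub(t) > maxSkew {
			delete(v.seen, n)
		}
	}
	if _, dup := v.seen[nonce]; dup {
		return errors.New("nonce already used")
	}
	v.seen[nonce] = ts
	return nil
}

// NewNonce draws 16 random bytes; hex keeps the charset trivially checkable.
func NewNonce() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// SignHeader is the client side: sign "1;timestamp;nonce", emit the header value.
func SignHeader(priv ed25519.PrivateKey, ts time.Time, nonce string) string {
	stamp := ts.UTC().Format(time.RFC3339)
	msg := []byte("1;" + stamp + ";" + nonce)
	enc := base64.StdEncoding.EncodeToString
	return "1;" + stamp + ";" + nonce + ";" + enc(msg) + ";" + enc(ed25519.Sign(priv, msg))
}

// DemoKey derives a fixed key pair from a constant 32-byte seed (reproducible runs).
func DemoKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed([]byte("example-seed-for-mig-api-auth!!!"))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := DemoKey()
	v := NewVerifier(pub, time.Now)
	h := SignHeader(priv, time.Now(), NewNonce())
	fmt.Println("fresh:", v.Verify(h), "/ replay:", v.Verify(h))
}
```

Because the server compares the cleartext timestamp with the one inside the signed message, a header whose visible timestamp was altered after signing is rejected even though the signature itself still verifies; a nonce shorter than 32 hex characters or a timestamp more than five minutes from server time is rejected before any key is touched.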

Status Updates

  • freddyb
    • SRI things; rewriting the spec
      • in essence: just scripts and styles.
  • ulfr
    • MIG
      • back on MIG code! lots of investigator management code, fairly boring but nice to have
      • now designing an api authentication method
    • TLS
      • HPKP experiments in webops
      • TLS Observatory stuff
  • jeff
    • Lua sucks
    • beta testing Elasticsearch "Shield" security offering
    • other folks want to use MozDef but it needs SAML auth
    • blocked China in a!
  • mgoodwin
    • No update
    • security.cert_pinning.enforcement_level
      • 0 means: no enforcement at all
      • 1 means: hard fail for non-local roots (and other errors)
      • 2 means: hard-fail, inc. local roots
    • security.cert_pinning.process_headers_from_non_builtin_roots
      • true = allow HPKP pins from local roots
      • false = don't allow HPKP pins from local roots (default)
  • psiinon
    • ZAP frozen for 2.4.0