• Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
• Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
• Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
• Phone (Toronto): 416 848 3114 x92 Conf: 95316#
• Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

• [:joes] Discuss https://mana.mozilla.org/wiki/display/SECUR

ITY/Data+Protection and community members that have access to Mozilla systems

• • Core contributors

Examples:

• • community members are in LDAP (dc=mozilla,o=net), some of them have SSH access to moco systems, such as upload{1,2}.dmz.scl3.mozilla.com (releng machine, ex "surf")

Callek's projects, machines (root), seamonkey, etc.

• [:joes] Discuss bug 842501. What's preventing us from serving firefox over https?

Atm: http://mozilla.org redirects to https://mozilla.org. Download links are served over https, and propose an https link for download. The download link then redirects to http (such as: http://download.cdn.mozilla.net/pub/mozilla.org/firefox/releases/19.0/linux-i686/en-US/firefox-19.0.tar.bz2 )

• • Likely a performance issue?
  • [dchan] not all our CDNs use SSL. the hash method allows those CDNs to serve firefox over HTTP. maybe we want to move toward only having SSL mirrors
  • there' s documentation, that explains a bit of the non-SSL process https://developer.mozilla.org/en-US/docs/Mozilla/Setting_up_an_update_server
  • Possible cost issue. Will pursue with IT
  • https://bugzilla.mozilla.org/show_bug.cgi?id=796109
• [:joes] Multifactor Authentication
  • will be a blog post in the future (kang)
• [mcoates] Java Updates
  • http://java-0day.com/
  • still vlunerable: http://www.h-online.com/security/news/item/Oracle-plugs-critical-Java-vulnerability-it-knew-of-in-February-1816210.html (there's a German version on heise.de which is more precisely wording that the researchers at "Security Exploration" still have 0day vulnerabilities reported to Oracle, which are unfixed)
• [mcoates] Pwn2Own

@zdi @pwn2own_contest

1. pwn2own

• • See http://dvlabs.tippingpoint.com/blog/2013/01/17/pwn2own-2013
• Goals - Please keep status up to date - https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AmLct3lOMM6ZdEI4SlE0eGRWdkN5bXBpbV8wcjNzNUE
• Metrics
  • https://security-review-statistics.vcap.mozillalabs.com/
  • Review Security Radar Page - https://wiki.mozilla.org/Security/Radar
    • [st3fan] Also, for more detail: https://people.mozilla.com/~sarentz/p/reviews/
• [psiinon] Zest demo (at end, for those interested)

Upcoming Speaking Engagements

(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks )

Planned Blog Posts

• https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AlDw2hHXmVgCdHN3LWZTZ0hjMElPc1g2clRKb2lNN3c

Security Review Status (curtisk)

• Completed in Q4 2012: 50

https://security-review-statistics.vcap.mozillalabs.com/weekly

Operations Security Update (Joe Stevensen)

Project Updates

Please add your name to the update so we know who to follow up with

Firefox Desktop

Firefox Mobile

Firefox OS

• [gkw] Probing on orangutan / run-monkey.sh (UI fuzzer for Firefox OS)

Weekly notes: https://etherpad.mozilla.org/firefoxossecteammtg

Firefox Core

• [decoder, gkw] Still fuzzing baseline compiler and odinmonkey
• [decoder] Working on TSan ignores ( https://bugzilla.mozilla.org/show_bug.cgi?id=847350 )

MarketPlace

Web Apps

Services

Operation Security