Security/Meetings/SecurityAssurance/2013-05-21
From MozillaWiki
- Time: (Weekly) Tuesday at 13:30 PDT / 16:30 EDT / 20:30 UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- Next team meetup - in planning - week of Sept 16 - Paris
- Goals - Please keep status up to date - https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AmLct3lOMM6ZdHU3a2lJRV8xckZXclZJdkNlN3dUYVE&usp=sharing
- Metrics
- Two Factor Auth Google Drive
- Your second factor can be a phone (SMS)
- can we get one of those token key things? (where do we get one) (YubiKey?)
- [mcoates] Map of bug filers to category (employment status, whether they focus on security)
- Only Google Drive users who have enabled TFA will be allowed to access this spreadsheet
- [gkw] Do we access this via the shared folder?
- [mcoates] no - it will be a new folder
- [Jesse] Do we need (or have we done) security reviews for productivity software popular among Mozilla employees, especially when they have cloud sync features? (Things, Wunderlist, Evernote, Google Keep, Astrid (which just got bought by Yahoo))
- Things stores data in Google App Engine (reversed it a while ago :)
- [mcoates] These tools aren't on the list of approved cloud stores for Mozilla data
- [mcoates] So it's best if you don't use Things sync with confidential info
- [joes] Most of these tools don't have individual-user-level encryption
- [gkw] Networking (in SCL3?) broke when I updated my Linux machine.
- https://bugzilla.mozilla.org/show_bug.cgi?id=873710
- [Jesse] Are we the only ones who are even trying to update machines that IT gave us?
- [decoder] I updated mine and things were fine...
- [st3fan] Quick Minion Update
- dogfooding beginning with two internal websites (support, input.mozilla.org - staging sites)
- [pt] XSS & innerHTML (answered below, doesn't need vocalising)
- who knew that innerHTML wasn't idempotent (sp?)
- http://www.slideshare.net/x00mario/the-innerhtml-apocalypse
- anyone aware of current bypasses of this?
- [Jesse] https://bugzilla.mozilla.org/show_bug.cgi?id=475216 was mentioned in Mario's presentation
- [Jesse] I'm not aware of others, but I haven't been thinking about this for long.
- [Jesse] Is there some subset of HTML, and some rule, that we could fuzz?
- [pt] not sure about that but I can give examples
- Does this affect our sites, Firefox OS apps, or Firefox UI use of innerHTML?
- http://mxr.mozilla.org/gaia/source/apps/sms/js/fixed_header.js#57
- v1.0.1 has 142 instances of "innerHTML" (though most assign from literals)
- Most apps use basic sanitisation routines, e.g. a regexp-based escapeHTML: http://mxr.mozilla.org/gaia/search?find=%2Fapps%2F&string=escapeHTML
- [gkw] Anyone else going to Black Hat in Las Vegas?
- incl. Codenomicon, Defcon....
- Early bird registration for BH ends on 31 May 2013
- Tell Abillings this week if you're going!
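The innerHTML item above raises two separate questions: whether a regexp "sanitiser" is adequate before assigning to innerHTML, and whether innerHTML round-trips are stable (idempotent). The following is an added example, not code from the Gaia apps or from Mario's slides. The escapeHTML shape is an assumption about what the Gaia helpers look like (entity-escaping of `& < > " '`), the stripScriptTags blacklist is written deliberately naively to show why single-pass stripping fails, and the sample inputs are constructed. The round-trip check needs a real browser DOM and returns null under Node.js.

```javascript
// Added example (not Gaia or Mozilla code): contrasting an entity-escaping
// escapeHTML with a naive blacklist strip, plus a round-trip idempotence
// check for innerHTML that runs only where a DOM is available.

// 1. Entity-escape every character that can change HTML or attribute context.
//    Assumed to be the shape of the regexp-based escapeHTML helpers in Gaia.
function escapeHTML(str) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// 2. A blacklist "remove <script> tags" filter, written the naive way.
//    Deliberately weak: it only matches literal <script ...> / </script>.
function stripScriptTags(str) {
  return String(str).replace(/<\/?script[^>]*>/gi, '');
}

// A single pass of stripScriptTags is not idempotent: removing the inner
// tag from "<scr<script>ipt>" reassembles "<script>". Returns true when a
// second pass would remove markup that the first pass produced.
function stripIsBypassed(input) {
  const once = stripScriptTags(input);
  const twice = stripScriptTags(once);
  return once !== twice;
}

// 3. Round-trip check for innerHTML idempotence in a real browser:
//    assign, read back the serialisation, assign the serialisation again,
//    and compare. Returns null when no DOM is available (e.g. Node.js).
function innerHTMLRoundTripIsStable(html, doc) {
  if (!doc || typeof doc.createElement !== 'function') return null;
  const el = doc.createElement('div');
  el.innerHTML = html;
  const first = el.innerHTML;
  el.innerHTML = first;
  return el.innerHTML === first;
}

// Constructed sample inputs (not taken from any real bug report).
const SAMPLE_USER_INPUT = '<img src=x onerror=alert(1)>';
const SAMPLE_STRIP_BYPASS = '<scr<script>ipt>alert(1)</scr</script>ipt>';

// escapeHTML neutralises both samples for a text-node context;
// stripScriptTags leaves the first untouched and reassembles the second.
const escapedInput = escapeHTML(SAMPLE_USER_INPUT);
const strippedOnce = stripScriptTags(SAMPLE_STRIP_BYPASS);

if (typeof document !== 'undefined') {
  // In a browser: probe a candidate string for serialisation drift.
  console.log(innerHTMLRoundTripIsStable(SAMPLE_USER_INPUT, document));
}
```

Usage: in a browser console, call innerHTMLRoundTripIsStable(candidate, document) on any string you intend to assign to innerHTML; a false result means the serialised form differs from the original and the string should be fuzzed further rather than trusted. Under Node.js the escaping and strip-bypass functions still run and show why escapeHTML, applied once at the output point, is the only one of the two that is safe for a text context; it does not make arbitrary markup safe inside attributes that take URLs or scripts.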
Upcoming Speaking Engagements
(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks )
- OWASP EU Tour - The Trouble with Passwords - Bucharest, Romania June 5th (remote) (mgoodwin)
- OWASP EU Tour - Your Browser as a Security tool - Dublin, Ireland June 26th (mgoodwin)
- How To Avoid Online Security Headaches.
- FTC to Host Public Forum on Threats to Mobile Devices
- Michael Coates
- http://ftc.gov/opa/2013/02/mobilethreats.shtm
Planned Blog Posts
Security Review Status (curtisk)
- Completed in Q1 2013: 66
https://security-review-statistics.vcap.mozillalabs.com/weekly
Operations Security Update (Joe Stevensen)
Project Updates
Please add your name to the update so we know who to follow up with
Firefox Desktop
Firefox Mobile
Firefox OS
- [cr] opened bug to request Remote Debugging timeout https://bugzilla.mozilla.org/show_bug.cgi?id=874484
- [pt] Review! email coming...
Firefox Core
- Eyes on Jetpack / protocol handling bugs: bug 779197 and 820213, please
MarketPlace
- [cr] trying to solve the multi marketplace threat with reputation, will suggest a Meta Marketplace ("marketplace for marketplaces") concept.