Security/Meetings/SecurityAssurance/2014-03-18

  • Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
  • Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
  • Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
  • Phone (Toronto): 416 848 3114 x92 Conf: 95316#
  • Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

  • "Frankencert" paper: http://www.cs.utexas.edu/~shmat/shmat_oak14.pdf
    • They fuzzed certs to create certs that would be accepted by one SSL engine and rejected by another
    • They found an API footgun in NSS, which affected Google Chrome
  • mozpkix (formerly insanity::pkix) will be turned on by default soon
    • Camilo will write about it for the security blog?
    • Should we have a special bug bounty for mozpkix?
      • We should probably have a bounty multiplier of some sort for areas we want researchers to focus on. Saves the problem of managing a separate or special program.
        • Sure, a bounty multiplier and/or "even though it's not in Nightly yet" exception [bounty branch for experimental features that we will pay for?]
  • Send an email to your manager with ideas you have for what you would hope to accomplish at a Security work week
  • Everybody should read the International Journal of PoC || GTFO :-) [freddy]
  • Security Reports

Upcoming Speaking Engagements

(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks )

Planned Blog Posts

Security Review Status (curtisk)

  • Completed in Q1:

https://security-review-statistics.vcap.mozillalabs.com/weekly

Metrics

Operations Security Update (Joe Stevensen)

Project Updates

Please add your name to the update so we know who to follow up with

Firefox Desktop

Firefox Mobile

Firefox OS

Firefox Core

MarketPlace

Web Apps

Services

Operations Security