Security/Meetings/SecurityAssurance/2014-03-18
From MozillaWiki
- Time: (Weekly) Tuesday at 13:30 PDT / 16:30 EDT / 21:30 UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- "Frankencert" paper: http://www.cs.utexas.edu/~shmat/shmat_oak14.pdf
- They fuzzed certificates to find ones that one SSL/TLS implementation accepts and another rejects (differential testing of certificate validation)
- They found an API footgun in NSS's certificate verification, which affected Google Chrome
- mozpkix (formerly insanity::pkix) will be turned on by default soon
- Camilo will write about it for the security blog?
- Should we have a special bug bounty for mozpkix?
- We should probably have a bounty multiplier of some sort for areas we want researchers to focus on. Saves the problem of managing a separate or special program.
- Sure, a bounty multiplier and/or "even though it's not in Nightly yet" exception [bounty branch for experimental features that we will pay for?]
- Send an email to your manager with ideas you have for what you would hope to accomplish at a Security work week
- Everybody should read the International Journal of PoC || GTFO :-) [freddy]
- Security Reports
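The differential-testing idea behind the Frankencert item above, as an added Go example; this is not code from the paper, the meeting, or any Mozilla or NSS project. It generates a small set of locally built certificate chains (one sound baseline plus mutants that each break one field a correct validator must check) and feeds each chain to two validators: Go's crypto/x509 path validation, and a deliberately weak signature-only checker that stands in for the class of buggy implementation the paper was hunting. All keys, names (example.test, "Good CA", "Not a CA", "Weak CA") and chain labels are assumptions constructed for the example; any chain on which the validators disagree is the signal that at least one of them is wrong.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is one root -> intermediate -> leaf path; a validator is any func(Chain) bool.
type Chain struct {
	Name                     string
	Root, Intermediate, Leaf *x509.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a minimal X.509v3 body; SAN and EKU go on every cert for brevity.
func template(cn string, ca bool, ku x509.KeyUsage, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter, BasicConstraintsValid: true, IsCA: ca,
		KeyUsage: ku, DNSNames: []string{"example.test"}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))
	return must(x509.ParseCertificate(der))
}

// BuildChains returns a sound baseline plus locally built mutants (constructed test data).
func BuildChains() []Chain {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	year, past := time.Now().Add(365*24*time.Hour), time.Now().Add(-time.Minute)
	caKU, leafKU := x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature, x509.KeyUsageDigitalSignature
	rootT := template("Test Root", true, caKU, year)
	root := sign(rootT, rootT, &rootKey.PublicKey, rootKey)
	leaf := func(iss *x509.Certificate, exp time.Time) *x509.Certificate {
		return sign(template("example.test", false, leafKU, exp), iss, &leafKey.PublicKey, interKey)
	}
	good := sign(template("Good CA", true, caKU, year), root, &interKey.PublicKey, rootKey)
	noCA := sign(template("Not a CA", false, leafKU, year), root, &interKey.PublicKey, rootKey)     // CA:FALSE issuer
	noCertSign := sign(template("Weak CA", true, leafKU, year), root, &interKey.PublicKey, rootKey) // CA:TRUE, no keyCertSign
	return []Chain{
		{"baseline", root, good, leaf(good, year)},
		{"intermediate-ca-false", root, noCA, leaf(noCA, year)},
		{"intermediate-no-certsign", root, noCertSign, leaf(noCertSign, year)},
		{"expired-leaf", root, good, leaf(good, past)},
	}
}

// StdlibValidator is crypto/x509's full RFC 5280 path validation.
func StdlibValidator(c Chain) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{DNSName: "example.test", Roots: roots, Intermediates: inters})
	return err == nil
}

// SignatureOnlyValidator is a deliberately weak stand-in (not any real TLS stack): CheckSignature,
// unlike CheckSignatureFrom, verifies only the signature, so issuer basicConstraints and keyUsage are ignored.
func SignatureOnlyValidator(c Chain) bool {
	now := time.Now()
	ok := func(child, parent *x509.Certificate) bool {
		return !now.Before(child.NotBefore) && !now.After(child.NotAfter) &&
			parent.CheckSignature(child.SignatureAlgorithm, child.RawTBSCertificate, child.Signature) == nil
	}
	return ok(c.Leaf, c.Intermediate) && ok(c.Intermediate, c.Root)
}

// Disagreements returns the chains on which the validators split, the signal the paper used.
func Disagreements(chains []Chain, vals []func(Chain) bool) []string {
	var names []string
	for _, c := range chains {
		for _, v := range vals[1:] {
			if v(c) != vals[0](c) {
				names = append(names, c.Name)
				break
			}
		}
	}
	return names
}

func main() {
	fmt.Println("validators disagree on:", Disagreements(BuildChains(), []func(Chain) bool{StdlibValidator, SignatureOnlyValidator}))
}
```

Running it prints the two chains whose issuer is not entitled to sign (CA:FALSE, and CA:TRUE without keyCertSign): crypto/x509 rejects both, the signature-only checker accepts both, and the two agree on the baseline and on the expired leaf. The same harness shape scales to real targets by replacing the stand-in with a wrapper around a second library and by generating mutants from parsed real-world certificates instead of hand-built templates.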
Upcoming Speaking Engagements
(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks )
Planned Blog Posts
- [new] https://mana.mozilla.org/wiki/display/SECURITY/Security+Blog+Posts
- [old] https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AlDw2hHXmVgCdHN3LWZTZ0hjMElPc1g2clRKb2lNN3c
Security Review Status (curtisk)
- Completed in Q1:
https://security-review-statistics.vcap.mozillalabs.com/weekly
Metrics
Operations Security Update (Joe Stevensen)
Project Updates
Please add your name to the update so we know who to follow up with