Agenda

• Goals
• CA/B Forum recap
• Mixed Content
• third party cookies discussion

Goals Recap

• https://intranet.mozilla.org/2013Q1Goals#Security_Engineering
• Looking okay!

CA/B Forum recap

• gTLD discussion -- what about internal hosts and publicly trusted PKI
• we discussed things that are only important to CA/SSL -types.

Mixed Content

Needed to Turn the Pref on in Hopefully FF 21 by Feb 18th

• https://bugzilla.mozilla.org/show_bug.cgi?id=834836 - Turn pref on by default - Need to fix tests.
• https://bugzilla.mozilla.org/show_bug.cgi?id=781018 - Telemetry and try uplifting to 19, 20 and 21.

Before Beta

• https://bugzilla.mozilla.org/show_bug.cgi?id=837351 - Webconsole + Error Console alerts when Mixed Content is Blocked - needs updated patch
• https://bugzilla.mozilla.org/show_bug.cgi?id=839238 - Lots of Documentation
• https://bugzilla.mozilla.org/show_bug.cgi?id=822373 - Learn More pages for Mixed Content Blocker - michael verdi
• https://bugzilla.mozilla.org/show_bug.cgi?id=839235 - shouldLoad called twice
• https://bugzilla.mozilla.org/show_bug.cgi?id=837959 - Cached Media doesn't go through content policies - waiting review
• https://bugzilla.mozilla.org/show_bug.cgi?id=838402 - Update Site Identity messages
• https://bugzilla.mozilla.org/show_bug.cgi?id=836431 - distinguish between mixed active vs mixed display loads in Webconsole - https://developer.mozilla.org/en-US/docs/Security/MixedContent
• https://bugzilla.mozilla.org/show_bug.cgi?id=418354, and https://bugzilla.mozilla.org/show_bug.cgi?id=456957 - Block https->http redirects.

The Rest

• https://bugzilla.mozilla.org/show_bug.cgi?id=838403 - Missing call for setting flag for mixed display blocked - needs a test.
• https://bugzilla.mozilla.org/show_bug.cgi?id=836811 - needs a test, but has already landed in central
• https://bugzilla.mozilla.org/show_bug.cgi?id=815345 - Session Restore with document.write - see https://people.mozilla.com/~tvyas/sessionrestore.html
• https://bugzilla.mozilla.org/show_bug.cgi?id=836352 - Active vs Passive plugin sub requests - Long term bug, start engaging the right folks
• https://bugzilla.mozilla.org/show_bug.cgi?id=800098 - HSTS will be blocked before it's enforced.
  • Inconsistency between first time visitor and second time visitors to an hsts embedded page.
  • https://blog.mozilla.org/ embeds that redirects to the https version.
  • What should the correct behavior be?
• https://bugzilla.mozilla.org/show_bug.cgi?id=826599 - users have a choice to disable mixed content on iframes. What should the correct behavior be?
• v2 Technical Information section that shows what is blocked.
• UI tweaks
  • Make mixed content blocker more discoverable - https://bugzilla.mozilla.org/show_bug.cgi?id=834828
  • Strike through https - https://bugzilla.mozilla.org/show_bug.cgi?id=834830
  • UI Redesign Tweaks - https://bugzilla.mozilla.org/show_bug.cgi?id=827595

Research!

• password stats - https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AnujPp0bAzAvdDhVTnZuSTROamcwSGh0aGRZSDJNdmc#gid=6

Internship/Mentorship project brainstorming

e.g., dev tools, mini projects, add-ons, etc

• see https://wiki.mozilla.org/Security/Mentorship
• HSTS crawler for preload list
• Wordpress CSP plugin (update it for CSP 1.0)
• Developer tools for securing a site:
  • mixed content help is a good start
  • https://etherpad.mozilla.org/securityreport - https://bugzilla.mozilla.org/show_bug.cgi?id=781147
• Fast profile switching prototype (add-on or something) to study how people interact with it
• HTTPS by default for address bar
• Auto-fix SSL errors (e.g. detect system time set wrongly, foo.com -> https://www.foo.com redirects automatically
• Certificate error reporting (send cert chain) to Mozilla (we want this for CA pinning) (telemetry: See bug 707275) but also a "report this to Mozilla" link
• Cookie Tagging (mgoodwin is working on this... mebbe help)
• CSP 1.1 experimental features
  • Paths
  • CSP Sandbox
• Firefox OS cert manager
• Web App CSP generator
• Android Firefox client certs
• Android Firefox cert viewer (or larry for android)
• Firefox OS Cross-app auth manager
• remove the auth mechanism that tries to login you in if you type @ in url (userPass in nsIURI)
• RFC 1918 address space isolation (bug 354493)