SecurityEngineering/MeetingNotes/04-04-13


Standing Agenda

  • Q1 Goals Recap (https://intranet.mozilla.org/2013Q1Goals#Security_Engineering)
  • Review roadmap priorities to ensure they accurately reflect active projects and Mozilla's priorities
  • Suggest additions or changes to roadmaps
  • Detailed discussion of features or outstanding issues as time permits
  • Additional Items
  • Upcoming events, OOO/travel, etc.

Last week: https://wiki.mozilla.org/SecurityEngineering/MeetingNotes/03-28-13

Agenda

Q2 Goals Setting

Relevant: https://wiki.mozilla.org/Platform/2013-Q2-Goals#Networking

top list

Code

  • Land the application reputation scanning feature (dri=mmc)
  • Turn Mixed Content Blocking on in Aurora (dri=tanvi)
    • [done] land on inbound
  • Land the classic certificate validation replacement, off by default (dri=bsmith, assist=cviecco)
  • Land OCSP stapling support and tests (dri=keeler)

Evangelism

  • Make most excellent the MDN documentation of CSP and Mixed Content Blocker. (dri=imelven, assist=rforbes, tanvi)
  • Develop & socialize plan (document containing steps, timeline, implementation & test plan) for getting sandboxing onto Windows (dri=imelven)

Research

  • Deploy pilot cookie study and publish results. (dri=ddahl)

secret list DO NOT READ THIS

  • Security Errors Panel in Web Console (dri=grobinson)
  • Web Security Training (dri=tanvi, assist=rforbes)
  • Improve searchability for "David Keeler" (SEO) (dri=keeler)
    • start new lifestyle
    • It should be noted that anonymity is nice, {embrace} it

rest of the list

  • Security errors panel in the web console
  • Sandboxing - a more concrete picture next week, possibly a planning document of some kind
  • Turn Mixed Content Blocking on by default
  • Something around fast profile switching
    • mock-up creation
      • Possibly GSOC (for Q3)
    • design some sort of user research study <-- execution would be the following quarter
      • how many people use different browsers, different devices, for what reasons?
    • pilot blushproof study (to identify potentially embarrassing topics, and how people navigate between them, and to lead to design of a more robust study via test pilot or something)
    • Deep private browsing mode study to see what the real use cases are.
  • Fix N {CSP, Mixed Content, iframe sandbox, ...} bugs
  • SSL key limits - technical enforcement of key size limits (fix the bug, advocacy, testing/telemetry) -- Caution: may have some dependencies that are hard to land
    • asked about in AMA
  • Ship key pinning (ambitious)
  • Identify clear path to certificate validation revamp (libpkix or otherwise)
  • Land OCSP Stapling and TLS 1.2 support
  • Establish a series or run a one-time training session for developers on some topic like XSS, CSRF, SSL, etc. Would include best practices and features like HSTS that can help.
  • Establish a series of "describe feature X" blog posts or MDN pages that help explain the things we've done and are working on. (What the feature does, and how it improves security or privacy.) Contextualize in terms of trends in web security, compare to approaches used by other browsers.
  • Overhaul MDN documentation of CSP
  • Improve searchability for "David Keeler" (SEO)
    • start new lifestyle
    • Change name to unique ID (David 92D16EEE-6A99-4584-8699-5D7B9D479453)
  • Write MDN documentation for mixed content blocker
  • Create, document and share our story for emergency revocation on FxOS (think diginotar, ComodoHacker, etc).
  • Brian's NSS/PSM-related suggestions
    • 1. Deal with RC4 issue
      • a) Countermeasures in HTTP
      • b) Countermeasures in Websockets
      • c) Countermeasures in SPDY
      • d) Interaction with False Start
      • e) TLS 1.2
    • 2. PSM/NSS tests for SSL and certificate functionality in mozilla-central
    • 3. Turn off OCSP fetching in favor of OCSP stapling and short-lived certificates.
      • a) OCSP stapling - needs to wait until 5 is done.
      • b) Caching for stapled responses - blocked on (a)
      • c) Must-staple bit (via HTTP header) - blocked on (a)
      • d) Plan (not necessarily implement) CRLSet mechanism
      • e) Write up the rationale for turning off OCSP/CRL fetching
    • 4. TLS False Start -> goal of networking team
    • 5. Fix certificate path discovery problem (i.e. migrate to libpkix or insanity::pkix)