SecurityEngineering/MeetingNotes/04-05-12
Standing Agenda
- Review currently active (P1) features against their established milestones, identify any blockers - https://wiki.mozilla.org/Security/Roadmap + https://wiki.mozilla.org/Privacy/Roadmap
- Review roadmap priorities to ensure they accurately reflect active projects and Mozilla's priorities
- Suggest additions or changes to roadmaps
- Detailed discussion of features or outstanding issues as time permits
- Upcoming events, OOO/travel, etc.
Last week: https://wiki.mozilla.org/SecurityEngineering/MeetingNotes/03-29-12
Agenda for today
- Privacy roadmap structure
- sensitive data in the clear - https://wiki.mozilla.org/Security/Features/Identify_which_bits_are_unencrypted
- new CSP directive no-user-js
- click to play - UX - https://wiki.mozilla.org/Opt-in_activation_for_plugins#2._Users_&_use_cases
- process sandboxing: Ian is looking at using the chromium sandbox and the techniques used by Adobe to make it work for Firefox!
Privacy Roadmap
Privacy roadmap: https://wiki.mozilla.org/Privacy/Roadmap and https://wiki.mozilla.org/Privacy/Roadmap_2011
Major Changes / Goals / Vision
- SSL by default
- check https for a site before trying the http version
- show sensitive data that's not encrypted
- ssl search by default
- Tracking - https://wiki.mozilla.org/Privacy/Roadmap/Tracking
- Contextual Identity
- Super Paranoid Mode / Freedom browser
- fingerprinting, private browsing, suppressed referrer, data aging, no cache/history/etc?
- Way to easily change modes would help a lot - not just default profile and private browsing mode. Switch between profiles more easily.
- Guest mode (your friend needs to borrow your computer for a minute while they're at your home)
- Allow user to have multiple personalities -> Contextual Identities
- Multiple cookie jars
- Super Paranoid Mode / Freedom browser
Looking at the Security Roadmap, some items fall into the above categories and others don't. Mitigations / giving developers and users a way to protect themselves: XSS filters, CSRF block, click to play, etc. would fit in here, but what do we call this? We need to consider themes and outcomes.
Sensitive data in the clear
https://wiki.mozilla.org/Security/Features/Identify_which_bits_are_unencrypted
Break into two feature pages, where type=password is a P1 and the rest is unprioritized.
New CSP directive - no-user-js
When set by a website, causes different behavior in the web console and scratchpad. Discuss in dev.security. CSP is something the site wants the browser to enforce, but we don't really enforce it, which seems odd, so let's see what dev.security says.
Click to play at UX Meeting
Discussed Sliding Window: you click to play 4 times and are opted in. Then discussed why a sliding window. Jared demoed click to play. It is currently wired into about:permissions. (Should be in the permissions tab too.) Need to ask Jared what the details are on his strawman.
Process Sandboxing
Ian is looking at using the chromium sandbox and the techniques used by Adobe to make it work for Firefox!