SecurityEngineering/MeetingNotes/04-12-12

From MozillaWiki

Standing Agenda

  • Review currently active (P1) features against their established milestones, identify any blockers - https://wiki.mozilla.org/Security/Roadmap + https://wiki.mozilla.org/Privacy/Roadmap
  • Review roadmap priorities to ensure they accurately reflect active projects and Mozilla's priorities
  • Suggest additions or changes to roadmaps
  • Detailed discussion of features or outstanding issues as time permits
  • Upcoming events, OOO/travel, etc.

Last week: https://wiki.mozilla.org/SecurityEngineering/MeetingNotes/03-29-12

Security Roadmap

  • Click to Play
    • Question of determining popular vs. uncommon plugins.
    • How do we know whether plugins that we don't know about are up to date?
    • We need per domain permission persistence. (Right click; Site preferences/permission)
  • Iframe Sandbox - hope to get worker-related changes done, along with tests and attribute change, by next week's meeting and be in the review/feedback cycle by then.
  • Process Sandbox - idea of what we want to come out of it. Want to rework the high-level threat model and update the feature page. List of sandbox options and what would need to change for each to work. Aiming to have something rough by end of April.
  • CA Pinning
    • Filed two bugs. Exploration suggests this is not too difficult to implement (would be very similar to HSTS).
    • The enhancement of the permissions manager for this seems to have a green light. The actual use of these permissions on connection is still in design.
  • B2G App security model
    • Going through APIs.
    • Guillaume and Paul documenting process/OS security.
  • Highlight Cleartext Passwords - exploration stage.
  • DOMCryptAPI & IdentityAPI

https://wiki.mozilla.org/Privacy/Features/DOMCryptAPI

Additional Items