SecurityEngineering/MeetingNotes/05-10-12

From MozillaWiki

Standing Agenda

  • Review currently active (P1) features against their established milestones, identify any blockers - Security/Roadmap + Privacy/Roadmap
  • Review roadmap priorities to ensure they accurately reflect active projects and Mozilla's priorities
  • Suggest additions or changes to roadmaps
  • Detailed discussion of features or outstanding issues as time permits
  • Upcoming events, OOO/travel, etc.

Last week: https://wiki.mozilla.org/SecurityEngineering/MeetingNotes/05-03-12

Security Roadmap

  • Sign in to browser - ddahl
    • landed some crypto stuff. key generation per domain per user
  • Iframe Sandbox - imelven
    • patch reviewed by smaug, got r-. Needed some cleanup, which is done. Needed to add a couple of new test cases: one is done and needs to be debugged, the other still needs to be written.
    • while writing these new test cases, hit crash involving compartments. need to dig into this.
    • no full team security review; dveditz and ian will do the review together - met once to discuss feature/spec, going to meet again to review test cases in the patch
  • Low Rights Firefox - imelven
    • research done; got some awesome feedback on first drafts of the writeup, incorporated this feedback into a new revision, and am now getting another round of feedback before deciding where to send and/or publish the writeup
    • working on implementing PoC currently
  • Opt-in Activation for Plugins- keeler
    • Phase 2
    • Open question - invisible plugins. Originally decided invisible plugins of type x are played when a visible plugin of type x is clicked to play on the site. Rethinking that.
    • Example - third-party ad networks: suppose the user has a vulnerable version of Flash and visits news.foo.com. news.foo.com has a Flash video on the recent elections. It also has an iframe to malvertising.com. The iframe to malvertising.com has a visible Flash ad and an invisible Flash element that tries to exploit the Flash vulnerability. The invisible Flash from malvertising.com should not be enabled when the user clicks on the news.foo.com election video.
    • Decision - don't enable hidden instances of plugins unless the user explicitly enables them via the doorhanger.
  • CA Pinning - cviecco
    • development is under way!
  • Highlight Cleartext Passwords - tanvi
    • Example screen shots:
    • One idea: user has to hit the enter key twice to submit their password. If they click login button then it just submits (no double click needed). This might be good if the icon only shows up on focus.
    • Group consensus - put the icon in all the time (not just on focus) and move the website's placeholder over a few pixels (even if it means that their placeholder gets cut off at the end)
    • https page post to http results in: https_post_http.png
    • Group consensus - forget the positive indication
    • Idea - when the user clicks on the icon, a doorhanger shows up with "This will submit your password unencrypted, click here to go to the https version of the page." People who accidentally click the icon may get confused if we redirect them on icon click.
    • What if users run away scared? We should test on nightly and do user research first. And if we do end up doing it, need to have sufficient documentation/communication.
    • Thumbs down
    • How do we overlay the icon? Chrome overlay like click to play. Need to talk to some people to figure out how to do this.
  • HTTPS Google Search
    • In aurora! Blogged about it.
  • Mixed Content Blocker - P2
    • How to unblock:
      • about:config
      • Site Identity
      • Permission manager - allow, ask every time, per session, expiration
      • Infobar
    • Will require a refresh to unblock.
    • What icon would the user see in the site identity? - Triangle
    • How many sites have script mixed content?
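The click-to-play decision recorded above (hidden plugin instances stay blocked unless the user enables them through the doorhanger), as an added worked example. This is not Firefox code; it is a small model written for these notes. The instance fields (`displayNone`, `width`, `height`, `type`, `origin`), the hidden-instance heuristic, and the page layout using news.foo.com and malvertising.com from the meeting example are constructed for illustration. The rejected earlier rule is included for contrast.

```javascript
// Added example, not Mozilla/Firefox code. Models the plugin activation
// decision from the meeting notes on a constructed set of plugin instances.

// Hidden-instance heuristic (an assumption for this example): an instance is
// hidden if it is display:none or has no rendered area.
function isHidden(inst) {
  return inst.displayNone === true || inst.width === 0 || inst.height === 0;
}

// Decision from the notes: clicking the placeholder of one blocked plugin
// activates only that instance, and only if it is actually visible.
// Hidden instances are never activated by a click.
function activateOnClick(instances, clickedId) {
  const clicked = instances.find((i) => i.id === clickedId);
  if (!clicked || isHidden(clicked)) return [];
  return [clicked.id];
}

// The earlier rule that was reconsidered: clicking a visible instance of type x
// also played every other instance of type x on the page, hidden ones included.
function activateOnClickOldRule(instances, clickedId) {
  const clicked = instances.find((i) => i.id === clickedId);
  if (!clicked || isHidden(clicked)) return [];
  return instances.filter((i) => i.type === clicked.type).map((i) => i.id);
}

// Explicit enable via the doorhanger: the only path that activates hidden
// instances of the chosen plugin type on this page.
function activateViaDoorhanger(instances, pluginType) {
  return instances.filter((i) => i.type === pluginType).map((i) => i.id);
}

// Constructed page from the meeting example: a visible election video on
// news.foo.com plus a visible ad and an invisible element inside the
// malvertising.com iframe.
const examplePage = [
  { id: "election-video", type: "flash", origin: "news.foo.com", width: 640, height: 360 },
  { id: "visible-ad", type: "flash", origin: "malvertising.com", width: 300, height: 250 },
  { id: "hidden-element", type: "flash", origin: "malvertising.com", width: 0, height: 0 },
  { id: "hidden-display-none", type: "flash", origin: "malvertising.com", width: 100, height: 100, displayNone: true },
];

// Stand-alone demonstration of the three rules on the constructed page.
function demo() {
  return {
    newRule: activateOnClick(examplePage, "election-video"),
    oldRule: activateOnClickOldRule(examplePage, "election-video"),
    doorhanger: activateViaDoorhanger(examplePage, "flash"),
    clickOnHidden: activateOnClick(examplePage, "hidden-element"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running the block shows the difference the decision makes: under the old rule a single click on the news.foo.com video would also have activated the invisible malvertising.com element; under the new rule only the clicked instance starts, and the hidden instances are reachable only through the explicit doorhanger path.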

http://cl.ly/401E0Z3A0e1F3T2u1J3C - new icons that are coming. the site identity improvements are for Fx14 & Fx15, but hopefully all for Fx14
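The "highlight cleartext passwords" item above needs one underlying check: does a form containing a password field submit over plain http, including the case of an https page whose form posts to http? The following is an added example, not Firefox code, that makes that check explicit. The form representation (`action`, `fields`) and the sample page/form URLs are constructed for the example; the `httpsVersionOf` helper only rewrites the scheme and assumes an https version of the page exists, as the proposed doorhanger text does.

```javascript
// Added example, not Mozilla/Firefox code. Classifies a login form by whether
// the password would travel unencrypted, using the page URL and form action.
// Uses the WHATWG URL API available in browsers and Node.

// An empty or missing action submits back to the page's own URL; relative
// actions resolve against the page URL.
function resolvedAction(pageUrl, formAction) {
  return new URL(formAction || "", pageUrl);
}

// Returns { cleartext, reason } and, for cleartext cases, an httpsVersion
// the doorhanger could offer (assumption: only the scheme is rewritten).
function classifyPasswordForm(pageUrl, form) {
  const hasPassword = (form.fields || []).some((f) => f.type === "password");
  if (!hasPassword) {
    return { cleartext: false, reason: "no password field" };
  }
  const target = resolvedAction(pageUrl, form.action);
  if (target.protocol === "https:") {
    return { cleartext: false, reason: "submits over https" };
  }
  const page = new URL(pageUrl);
  // The https_post_http case from the notes: page is https but the form
  // action points at http, so the lock icon alone would mislead the user.
  const reason = page.protocol === "https:"
    ? "https page posts password to http"
    : "http page posts password to http";
  return { cleartext: true, reason, httpsVersion: httpsVersionOf(pageUrl) };
}

// Rewrites the page URL to https:. Whether the site actually serves that
// URL is not checked here; that is an assumption of this example.
function httpsVersionOf(pageUrl) {
  const u = new URL(pageUrl);
  u.protocol = "https:";
  return u.href;
}

// Constructed sample forms covering the cases discussed in the notes.
const sampleForms = [
  { page: "http://example.test/login", form: { action: "/do-login", fields: [{ type: "text" }, { type: "password" }] } },
  { page: "https://example.test/login", form: { action: "http://example.test/do-login", fields: [{ type: "password" }] } },
  { page: "https://example.test/login", form: { action: "", fields: [{ type: "password" }] } },
  { page: "http://example.test/search", form: { action: "/search", fields: [{ type: "text" }] } },
];

function classifyAll() {
  return sampleForms.map((s) => classifyPasswordForm(s.page, s.form));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(classifyAll(), null, 2));
}
```

The third sample shows why the action must be resolved rather than string-matched: an empty action on an https page is safe, while the second sample (https page, absolute http action) is exactly the case the notes flag with the https_post_http screenshot.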

Additional Items