Agenda

• Q2 Goals - recap
• Updates to the webconsole and potential duplicate messages
  • https://developer.mozilla.org/en/Security/MixedContent
• Web Developer Security Training Update - https://etherpad.mozilla.org/SA46DHDEsr
  • Volunteers, please, to run the follow-up talks (2.0 in the etherpad)
• Password Knight update
  • https://addons.mozilla.org/en-US/firefox/addon/password-knight/
  • Still a few bugs. Will write a blog post.
• Mixed content blocker
  • The Mixed Content and HSTS topic has surfaced this week (https://bugzilla.mozilla.org/show_bug.cgi?id=838395)
  • QA rough results
    • 77 sites / Alexa 1,000 have Mixed Content on Firefox
    • 60 sites ALL 3 browsers are blocking
    • 12 sites Not blocked on just Chrome (IE and Firefox block)
    • 3 sites not blocked on IE (Chrome and Firefox block)
    • 2 sites not blocked on IE or Chrome (only Firefox blocks)
  • https://bugzilla.mozilla.org/show_bug.cgi?id=776278 (Auto-upgrade HTTP iframes to HTTPS). Do we need to do it?
  • Awesome bar autoupgrades urls to https - https://bugzilla.mozilla.org/show_bug.cgi?id=769994
  • nytimes.com evangelism? Evangelism plan:
    • Reports are coming in to the tracking bug
    • Finish the QA
    • File bugs with whiteboard flags (have contact, no contact, technical details included / not included)
    • Write a blog post to the community asking for help
• Goal Setting / Work Planning for Q3
  • Need to figure out a way to do this in a good way, and not at the last minute. Need a place to document potential work items and a way to reach agreement on what is important to work on.
• Password Security - bsmith
  • What is our strategy for password security?
    • Should this be high priority for us to address (as a major topic, not just a feature)?
  • https://wiki.mozilla.org/Security/Features/HighlightCleartextPasswords
  • Easy-to-fix (?), high-impact password security bugs
    • sec-high https://bugzilla.mozilla.org/show_bug.cgi?id=759860 (don't auto-complete passwords for non-HTTPS sites; see the last comments in the bug because it is more nuanced than the summary makes it out to be).
    • sec-high https://bugzilla.mozilla.org/show_bug.cgi?id=534541 (passwords of non-HTTPS sites can be stolen without user interaction; probably a dupe of bug 759860).
    • sec-high https://bugzilla.mozilla.org/show_bug.cgi?id=873810 (Background tabs can force an HTTP auth prompt over the active tab to steal the user's credentials for the currently-active website)
    • sec-high https://bugzilla.mozilla.org/show_bug.cgi?id=647010 (Only allow same-origin subrequests to request HTTP auth)
    • https://bugzilla.mozilla.org/show_bug.cgi?id=724182 (Gecko sends HTTP auth credentials in subrequests to unrelated resources)
    • https://bugzilla.mozilla.org/show_bug.cgi?id=613785 (Use a tab-modal dialog box for HTTP auth)
• PSM/NSS Documentation
  • https://bugzilla.mozilla.org/show_bug.cgi?id=838775
• OCSP stapling testing - bug 700693
• Meet-up: week of june 17, MTV