SecurityEngineering/MeetingNotes/06-21-12

From MozillaWiki

Security Roadmap

  • CA pinning
    • talked with NSS folks, they like the approach
    • they're going to review Camilo's patch
    • going to have static (built in) and dynamic pins (set via header)
    • hope to have at least static pins landing in FF 17
  • Opt in activation
    • waiting on UX still - shorlander has said he will look at it, will gently ping
  • Iframe sandbox
    • waiting on review from smaug
  • Mixed content blocker
    • still discussing UX with folks
    • bsterne's patch is now r?! This will let us differentiate in the UI between mixed display and mixed script
  • HSTS Preload List
  • Low Rights Firefox
    • Sandboxing will possibly break parts of Java. We will continue working on a PoC
    • We knew add-ons would be a problem, but didn't realize Java would be a problem too.
    • How do others solve this problem?
    • Facebook video chat uses Java
    • Any in-process plugin is going to be a problem. It will not break all plugins/Java, but some plugins/Java. Depends on what they are trying to do?
    • Need to dig more on if Java is OOP or not - dveditz thinks it is

Additional Items

gkw joins us to provide some interesting commentary on his visit to Mozilla China:

  • Plugins are used significantly in China (banking, media support)
  • China plugins (List of the most common, ):
  • Safe browsing green icon on the address bar. If it's red then you get the red page. But if it is a known good page, it will show a green icon in the address bar (like the star for bookmarks). If unknown, it's gray.
  • New version of IE in Metro mode won't have any plugins. Any ActiveX banking won't work in China.
    • marketshare of IE in metro mode won't likely increase till years later since the majority of folks in China are using Windows XP
  • domcrypt - secondary use case, an interface that allows you to sign content. Starting to build a low enough level API that you could do some of the crypto that you would have typically needed plugins to do in the past. A lower level API you can use higher level tools with.
  • Language barriers. Keyboard issues. Inputting Chinese is very difficult (so the search box is useless). So they have a lot of portal sites where you go through multiple clicks.
  • Dual mode browser. Companies are known to ship IE6 with their ActiveX.
  • Moving off ActiveX would take them 3 years.
  • Facebook and Twitter are blocked, and they have their own pages.
  • English unlikely to be understood. So partially translated pages are useless (ex: addons.mozilla.org has addon names in English)
  • Pepper API vs NPAPI.
    • Why not switch to something that is more sandbox friendly? Strong opposition to implementing Pepper from plugins folks.
  • Plugins will play a key role in mobile online banking with B2G in China
  • 360 Browser is the top browser in China, IE, and Firefox.
  • Windows XP is still the most used OS in China
  • Keyboard keys sometimes have additional symbols. http://en.wikipedia.org/wiki/File:Keyboard_layout_Cangjie.png http://en.wikipedia.org/wiki/Simplified_Cangjie http://en.wikipedia.org/wiki/Pinyin_method http://en.wikipedia.org/wiki/Bopomofo
  • Bandwidth and mobile data are comparatively expensive