SecurityEngineering/MeetingNotes/06-27-13

From MozillaWiki

Standing Agenda

  • Q2 Goals Recap ( https://intranet.mozilla.org/2013Q2Goals#Security_Engineering )
  • Review roadmap priorities to ensure they accurately reflect active projects and Mozilla's priorities
  • Suggest additions or changes to roadmaps
  • Detailed discussion of features or outstanding issues as time permits
  • Additional Items
  • Upcoming events, OOO/travel, etc.

Last week: https://wiki.mozilla.org/SecurityEngineering/MeetingNotes/06-06-13

Q2 Goals

Agenda

  • Q2 Goals recap
  • Q3 goals
  • CSP and B2G apps/mochitests (grobinson)

Q3 Goals

  • Finish first phase of Sandboxing
    • Outcome: seccomp in e10s/Larch or on nightly + clear roadmap
    • DRI: Sid
    • E10S contributions to make it reasonably usable in nightly (no extensions/plugins)
      • Fix window.crypto to work in E10S
    • Land seccomp for Linux (min bar for sandboxing)
    • Prioritize seccomp tightening steps, begin executing it

  • Cookie Clearinghouse
    • Outcome: Identify feasibility and nail down spec
    • DRI: Monica
    • Spec out and implement general purpose list updating mechanism
    • Drive Stanford effort to stable spec

  • Implement alternative revocation checking mechanisms
    • Outcome: must-staple + pinning + insanity on by default in nightly
    • DRI: Camilo
    • Enable insanity::pkix validation by default on nightly
    • Land key pinning
    • Land must-staple support

  • SafeBrowsing 2.0
    • Outcome: App reputation whitelist on by default in nightly
    • DRI: Monica
    • Land app reputation system with whitelist support
    • Switch SafeBrowsing to use HTTPS

Internal team goals (not interesting to the rest of the project):

  • Feature maintenance
    • Outcome: Priority list and fix all P1 follow-ups for CSP and MCB.
    • DRI: Tanvi
    • Fix N CSP bugs
    • Fix M MCB bugs

We will continue internal goal setting for another week.