SecurityEngineering/MeetingNotes/07-12-12
From MozillaWiki
Agenda:
MozCamp EU
- https://wiki.mozilla.org/MozCampEU2012
- Warsaw, Poland
- September 8th-9th
- Shooting for a security track before or after MozCamp (not in parallel)
  - Still unclear what exactly this will look like
  - Something like a security/privacy add-on hackathon, a mobile hackathon, or a similar format
- If you are thinking about doing a talk, be ready to submit when the call for proposals shows up
Q2 Goals Recap
- Deliver B2G security model design
  - Pretty solidly defined.
- Scope & feasibility of low-rights Firefox (sandboxing)
  - Seems doable -- feasible!
- Finalize plugin click-to-play and blocklisting design
  - Implemented! Woo!
- Update DNT implementation to conform to the proposed W3C spec
  - To the degree the spec is stable, there is an implementation for the things the whole WG agrees upon.
Q3 Goals
Some ideas:
- Implement permissions model for b2g
- Achieve consensus on a game plan, design, or ship criteria for the sandboxing project (i.e., what to do about add-ons)
- Something around click-to-play
- Something around mixed content? (need input from Tanvi)
- Ship CSP compliant with the 1.0 spec (also helps B2G)
- Lead security/privacy community event or workshop
Spot-check progress on projects
- Process sandboxing - making progress; need to meet with add-ons/engineering folks to help finalize our plan
- r+ on window.crypto.getRandomValues!!!!
- iframe sandbox - still going
- B2G security model - switching to packaged apps (a zip file with a manifest)
  - using the app:// scheme
  - tracking bug: https://bugzilla.mozilla.org/show_bug.cgi?id=764189
  - need help on cookie/data jars if possible - coordinate with sicking
- Click-to-play - landed in inbound
  - UX still ongoing; this is the last piece of being able to block plugins with click-to-play
Gary: PFS improvements
- https://etherpad.mozilla.org/LaSxfyisoK
- Improve PFS to take the user's location into account
- PFS seems to need an owner
- See Gary's brownbag for more info on the situation in China with regard to plugins
Insecure Password Field Research
- There's a Chrome add-on for it (Tanvi learned about it at SOUPS)
- She's working with them to learn more and picked up some new ideas
Meeting scheduling
- Move meeting to Tuesday? Think on it.