SecurityEngineering/MeetingNotes/07-12-12


Agenda:

MozCamp EU

  • https://wiki.mozilla.org/MozCampEU2012
  • Warsaw Poland
  • September 8th-9th
  • Shooting for a security track before or after the MozCamp (not in parallel)
    • Still unclear what exactly this will look like
    • Possibly a security/privacy add-on hackathon, a mobile-focused event, or a similar kind of format
  • If you are thinking about doing a talk, be ready to submit when the request shows up

Q2 Goals Recap

  • Deliver B2G security model design
    • Pretty solidly defined.
  • Scope & feasibility of low-right Firefox (sandboxing)
    • Seems doable -- feasible!
  • Finalize plugin click-to-play and blocklisting design
    • Implemented! Woo!
  • Update DNT implementation to conform to proposed W3C spec
    • To the degree the spec is stable, there is an implementation for things the whole WG agrees upon.

Q3 Goals

Some ideas:

  • Implement permissions model for b2g
  • Achieve consensus on a game plan, design, or ship criteria for the sandboxing project (i.e. what to do about add-ons)
  • Something around click-to-play
  • Something around mixed content? (need input from Tanvi)
  • Ship CSP compliant with 1.0 (also helps B2G)
  • Lead security/privacy community event or workshop

Spot-check progress on projects

  • process sandboxing - making progress, need to meet with add-ons/engineering folks to help finalize our plan
  • r+ on window.crypto.getRandomValues !!!!
  • iframe sandbox - still going
  • b2g security model - switching to packaged apps, zip file with manifest
  • click-to-play - landed in inbound
    • UX work still ongoing; this is the last piece needed to be able to block plugins with click-to-play

Gary: PFS improvements mention

Insecure Password Field Research

  • There's a Chrome add-on for it (Tanvi learned about it at SOUPS)
  • She's working with its authors to learn more and has picked up some new ideas

Meeting scheduling

  • Move meeting to Tuesday? Think on it.