SecurityEngineering/MeetingNotes/07-26-12

From MozillaWiki

Q3 Goals Recap

  • Implement security model for basecamp
  • Achieve go / no-go for Firefox sandboxing
  • Land "final" Click to Play experience (address correctness and UX)
  • Ship CSP compliant with W3C 1.0 spec (also helps B2G)
  • Lead security/privacy dev community event or workshop

Standing Agenda

  • Review currently active (P1) features against their established milestones, identify any blockers - Security/Roadmap + Privacy/Roadmap
  • Review roadmap priorities to ensure they accurately reflect active projects and Mozilla's priorities
  • Suggest additions or changes to roadmaps
  • Detailed discussion of features or outstanding issues as time permits
  • Additional Items
  • Upcoming events, OOO/travel, etc.

Last week: https://wiki.mozilla.org/SecurityEngineering/MeetingNotes/07-19-12

Updates / roadmappy stuff

Process Sandboxing

  • Digging into Java out-of-process bugs - this was turned off in 2010 due to problems with the hang detector
  • Hacking on PoC with Marshall for sandboxed Firefox.exe
  • Discussing plans and ideas around add-ons and how we might approach the issues with sandboxing them - trying to build consensus and come up with a solid plan via iterating over this

Application Reputation

  • Still waiting on API docs from Google

B2G App Security/Privacy Model

  • Push APIs. May need a privacy review (just had a sec review)

Iframe Sandbox

  • Seems to be working on try and such
  • Ian is looking for second reviewer and working through a couple of tricky test cases dveditz brought up in the secreview discussion

CA Pinning

  • Design change on how to disable pinning. 3 Levels of Enforcement. Always do pinning.
    • Level 0 - Monitor mode. If a pin fails, just put something in internal structs (future UX?).
    • Level 1 - Allow failed pins if the chain goes through a non-built-in root, i.e. enterprises that have their own custom CAs. Built-in override. You will allow MITM if you choose your own CAs.
    • Level 2 - Always enforce. Cannot connect to the site if there is a pin mismatch.
  • Ship with default Level 1. It's a pref in about:config.
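
The three enforcement levels above, written out as a decision function. This is an added example, not Firefox code: every name in it is hypothetical, and failing closed to Level 2 on an out-of-range pref value is an assumption the notes do not state.

```cpp
#include <cstdio>

// Hypothetical names; the notes define only the three levels.
enum class PinLevel { Monitor = 0, AllowUserRoots = 1, Strict = 2 };
enum class Outcome { Allow, AllowRecorded, AllowUserRoot, Block };

struct ChainInfo {
    bool pinMatched;     // a key in the validated chain is in the site's pin set
    bool rootIsBuiltIn;  // chain ends at a root shipped with the browser
};

// Assumption: a pref value outside 0..2 fails closed to the strictest level.
PinLevel levelFromPref(int pref) {
    switch (pref) {
    case 0: return PinLevel::Monitor;
    case 1: return PinLevel::AllowUserRoots;
    default: return PinLevel::Strict;
    }
}

Outcome evaluatePin(PinLevel level, const ChainInfo& chain) {
    // Pinning always runs; a matching pin passes at every level.
    if (chain.pinMatched) return Outcome::Allow;
    switch (level) {
    case PinLevel::Monitor:          // Level 0: record the failure, connect anyway
        return Outcome::AllowRecorded;
    case PinLevel::AllowUserRoots:   // Level 1: only a non-built-in root may miss the pin
        return chain.rootIsBuiltIn ? Outcome::Block : Outcome::AllowUserRoot;
    case PinLevel::Strict:           // Level 2: any mismatch is fatal
        return Outcome::Block;
    }
    return Outcome::Block;
}

const char* outcomeName(Outcome o) {
    switch (o) {
    case Outcome::Allow:         return "allow";
    case Outcome::AllowRecorded: return "allow, failure recorded";
    case Outcome::AllowUserRoot: return "allow, user-installed root";
    case Outcome::Block:         return "block";
    }
    return "block";
}

int main() {
    // Walk every pin-mismatch case, including an invalid pref value (3).
    for (int pref = 0; pref <= 3; ++pref)
        for (int builtIn = 1; builtIn >= 0; --builtIn)
            std::printf("pref=%d builtInRoot=%d -> %s\n", pref, builtIn,
                outcomeName(evaluatePin(levelFromPref(pref), {false, builtIn == 1})));
    return 0;
}
```
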

Mixed Content Blocker

  • Proposed a UI
  • Working with Larissa for UX team; she might do a case study on Mixed Content. Will know more about this next week.
  • Plan to use this as a case study in the mozcamp session.
  • Bug filed about automatically trying the HTTPS version of the URL to see if it works instead of allowing the mixed content: https://bugzilla.mozilla.org/show_bug.cgi?id=776278. What about the performance issues? Even if we just did it for mixed script content.

HSTS Preload List

  • Waiting on review from bsmith

Highlight Cleartext Passwords

  • New Mexico Tech prof and student might do another research study (waiting for funding). Will know more about this once they have funding.
  • New Mexico Tech student sent a version with some tweaks. I have to figure out how to package it.

Opt-in Activation of Plugins / Click to Play

  • Identified some critical problems. Working on fixing those.

SSL Google Search

  • This shipped, so we can take this off the roadmap :)

DOMCrypt Internal API

Other

  • GSoC - may be some CSP bugs (example: report-uri is missing in refinePolicy.)
  • mozcamp proposals
  • sec assurance work week; devtools hackathon
  • Feature pages and completed: OMG LOOK: Security/Roadmap#Completed_Features