SecurityEngineering/MeetingNotes/08-08-13

From MozillaWiki

Standing Agenda

  • Q3 Goals Recap ( https://wiki.mozilla.org/SecurityEngineering/2013/Q3Goals#Q3_Goals )
  • Review roadmap priorities to ensure they accurately reflect active projects and Mozilla's priorities
  • Suggest additions or changes to roadmaps
  • Detailed discussion of features or outstanding issues as time permits
  • Additional Items
  • Upcoming events, OOO/travel, etc.

Last week: https://wiki.mozilla.org/SecurityEngineering/MeetingNotes/08-01-13

Agenda 08-08-13

  • Q3 Goals Recap
  • Upcoming PTO/Travel (if you're traveling or OOO, let us know!)
  • 3rd party cookie exception for persona - https://github.com/mozilla/browserid/issues/3520
    • Status? This didn't work for me (Sid) for mozilla.com address yesterday
    • Works if you put login.mozilla.org in your exceptions list.
  • Stop paying Mohammed Lunch
  • Possible Network/Seceng workweek in September 23.
    • No concrete plan yet, but keep your schedule open for a couple of days if you'd like to attend.
    • yeah, the last week of the quarter, maybe suboptimal.
  • Roadmap Revamp effort - watch for mail from Sid soon - we're revamping and updating to share with others outside our team and core interactions.
  • Tor buzz - check it out (@brendaneich, see dev-privacy thread)
  • Cookie Clearinghouse update - moving slow, still there.
  • Mixed Content Bugs - Volunteers?
  • Black Hat/DEFCON
    • malware targeting Firefox 17 happened during this, woo.
    • Two talks about server-side TLS vulns
    • Cryptopocalypse?
      • Researcher is good at working on the discrete log problem, making it solvable in 3-5 years. They suggested moving away from DH and towards EC. TLS 1.2 is really important.
    • CSP talk at DEFCON -- dude at Etsy is working on implementing it, developed some tools for helping with development. People apparently like CSP.
    • Talk about building a botnet with browsers.
    • Garrett will write up the notes and put them on the wiki.
    • Was a worthwhile trip.
  • e10s work week summary
    • e10s is critical for game performance (perhaps one main motivation for the project)
    • good chance e10s will ship this time, especially if we get org-wide buy-in.
    • Seceng should focus on making sure the sandboxing is ready to go with e10s enablement
    • Seceng should be proactive about some of the major changes: plugin/extension compatibility has to be done in a sandboxing friendly way, for example.
    • a11y folks are excited about e10s, but are worried it'll get stopped again (it was a lot of "wasted" effort last time).
    • we'd like an option to disable the sandbox available for things like a11y work and for add-ons.
    • https://wiki.mozilla.org/Electrolysis/HowTo

Q3 Goals

  • [ON TRACK] Finish first phase of Sandboxing
    • Outcome: seccomp in e10s/Larch or on nightly + clear roadmap
    • DRI: Sid
    • Tasks:
      • Consult : E10S contributions to make it reasonably usable in nightly. (without extensions/plugins)
      • Implement : [NEW] Fix window.crypto to work in E10S
      • Implement : [NEW] Fix CSP tests to work in E10S
      • Implement : [NEW] land seccomp for Linux (min bar for sandboxing)
      • Research : [NEW] Prioritize seccomp tightening steps, begin executing it
      • Research : [NEW] Create story/plan for addon compatibility
  • [ON TRACK] Cookie Clearinghouse
    • Outcome: Identify feasibility and nail down spec
    • DRI: Monica
    • Tasks:
      • Implement : [NEW] spec out and make go/nogo decision on implementation
      • Consult : [NEW] drive Stanford effort to stable spec
  • [AT RISK] Implement alternative revocation checking mechanisms
    • Outcome: must-staple + pinning + insanity on by default in nightly
    • DRI: Camilo
    • Tasks:
      • Implement : [AT RISK] Enable insanity::pkix validation by default on nightly
      • Implement : [NEW] Land key pinning
      • Implement : [NEW] Land must-staple support
  • [ON TRACK] SafeBrowsing 2.0
    • Outcome: App reputation whitelist on by default in nightly
    • DRI: Monica
    • Tasks:
      • Implement : [NEW] Land app reputation system with whitelist support