SecurityEngineering/MeetingNotes/09-12-13

Agenda 12-Sep-2013

• Q3 Goal Recap
• Why not land TLS 1.2 support disabled to central (yes there are compat issues) bug

 (http://mxr.mozilla.org/mozilla-central/ident?i=PSM_DEFAULT_MAX_TLS_VERSION&filter= ) currently is 1 (tls 1.0), up to 3 (tls 1.2) + create GCM ciphersuite prefs.

• Summit sessions -

https://docs.google.com/a/mozilla.com/forms/d/1lj_XRlLdhesi-zJOY0AWcppAqSVJvvBvGQplvaDf-MU/viewform

• PM discussion

Tanvi's point about politically contentous stuff being a timesink

   **Are there other ways we can maximize productivity and minimize PR-ish and project management type things?
   **work with release management  to make sure changes we make are acceptable in the trains
   **work with QA to make sure they come up with a good test plan for features
   **help with incoming bug triage on features we own (Core Security queue, CSP, PSM, Mixed Content, etc)
   **privacy issues that come up from time to time (media, meetings that need our input)
   **sandboxing?
   **platform eng weekly meetings
   ***Figure out a way for us to do more technical work and less people oriented tasks. 
   ***Do we need a project manager? 

• Org changes
• Initial Q4 goal brainstorm
  • Sandboxing
    • Import chromium-sandbox
    • GPU remoting plan/work starting
    • Multiprocess observer service
    • Goal around summit-obtained unity around the project
  • NetSec
    • Certificate pinning (list- and header-based)
    • Cert error reporting
    • Something around CT?
    • Conduct summit session on "securing yer server with SSL"?
    • Ship tls 1.2
  • Privacy
    • Referrer controls (meta referrer etc)
    • Something around tor cooperation
  • Finish Chris's dissertation

For next week:

• What's our plan for setting goals? How do we make it work better? Debrief on last quarter's goal setting and effect and how we can do better.
• Genetics
• Review queue - Sid updated "sec waiting for reviews" last week so that it shoudl include all of us (saved query on Bugzilla, not this one linked below).

https://bugzilla.mozilla.org/buglist.cgi?f1=flagtypes.name&o1=equals&resolution=---&query_format=advanced&v1=review%3F&emailtype1=regexp&emailassigned_to1=1&email1=briansmith%7Cmeshekah%7Calagenchev%7Cddahl%7Cdkeeler%7Csstamm%7Cgrobinson%7Ckwilson%7Cmmc%7Ctvyas%7Ccviecco%7Ckerschbaumer&list_id=7639373

Q3 Goals

• [ON TRACK] Finish first phase of Sandboxing
  • Outcome: seccomp in e10s/Larch or on nightly + clear roadmap
  • DRI: Sid
    • Consult : E10S contributions to make it reasonably usable in nightly. (without extensions/plugins) assign: ALL as appropriate
    • Implement : [NEW] Fix window.crypto to work in E10S}
    • Implement : [DROPPED] Fix CSP tests to work in E10S garrett + sid - prepped, but for Q4
    • Implement : [AT RISK] land seccomp for Linux (min bar for sandboxing) keeler - part of an old patch for bug 790923
    • Research : [AT RISK] Prioritize secomp tightening steps, begin executing it sid
    • Research : [ON TRACK] Create story/plan for addon compatibility monica
• [ON TRACK] Cookie Clearinghouse
  • Outcome: Identify feasibility and nail down spec: https://github.com/CookieClearinghouse/protocol/wiki/Proposed-List-Formats
  • DRI: Monica
  • Tasks:
    • Implement : [NEW] spec out and make go/nogo decision on implementation
    • Consult : [NEW] drive Stanford effort to stable spec
• [AT RISK] Implement alternative revocation checking mechanisms
  • Outcome: must-staple + pinning + insanity on by default in nightly
  • DRI: Camilo
  • Tasks:
    • Implement : [AT RISK] Enable insanity::pkix validation by default on nightly - landing some next week (9/16)
    • Implement : [DROPPED] Land key pinning
    • Implement : [AT RISK] Land must-staple support
• [ON TRACK] SafeBrowsing 2.0
  • Outcome: App reputation whitelist on by default in nightly
  • DRI: Monica
  • Tasks:
    • Implement : [NEW] Land app reputation system with whitelist support