SecurityEngineering/MeetingNotes/2013-10-10


Agenda 10-Oct-2013

  • Summit recaps
  • Q4 Goals: Finalize below in https://wiki.mozilla.org/SecurityEngineering/2013/Q4Goals
    • Sandbox
      • Chromium-sandbox: make it possible to compile and activate c-s on mozilla-central (win) - [brian + keeler]
      • gpu-remoting plan [christoph + bsmith + sid] (push to 2014Q1)
      • Get security feature tests (CSP, HSTS, window.crypto) passing in e10s (with platform team - on b2g) [garrett + sid + mwobensmith] (nail down next week - grobinson will investigate)
    • Roadmap & user data storage plan
      • security, privacy, anonymity (tor) roadmaps update and brown-bag scheduled [monica + sid]
      • multi-stakeholder plan for unified storage/prefs so that our tracking story is not full of holes? [monica + garrett + cviecco]
    • NetSec
      • TLS 1.2 enabled on nightly - server intolerance + telemetry [cviecco+brian]
    • Mixed Content [tanvi + christoph]
      • redirect bug - bug 418354
      • don't show mixed content on http pages - bug 909920 (may require content policy api changes) - christoph
      • missing notification - bug 915951 {one try failure remaining} - tanvi
      • target = _parent - bug 906219
      • persistency for child tabs - bug 906190 - christoph
    • CSP
  • Summit: Santa Clara
    • Tanvi: Very good to get people motivated; it was very contributor focused, with few technical talks.
  • Summit Toronto:
    • Monica: Session with Alex and Ivan, lots of ideas from the session (first one), second session not as good (lower energy). Good brainstorming as a group, some themes came up: complaints about usability of security UX, validation of the things we are working on (TLS ciphersuite, work on pinning, general protection against MITM/NSA), concerns about data in the cloud (more and different data), interest in sandboxing too. Also multiple identities.

yvan's transcription: https://docs.google.com/spreadsheet/ccc?key=0AhAB3MQRM9JcdDRuWmhkMDU5V0toeUt0MDhNQWMtY2c&usp=sharing

    • cviecco: 10 users, mostly informative.

grobinson: here's bwarner's proposal, with info on the different "data classes" in PiCL: https://blog.mozilla.org/warner/2013/07/23/picl-crypto-review/

  • Brussels:
    • Grobinson: about 100 people for the sec/privacy features. Concerns about PiCL, SSL, questions about Mozilla getting requests from law enforcement.