SecurityEngineering/MeetingNotes/2013-10-24

Agenda 24-Oct-2013

• Security Assurance
• Q4 Goals recap
• Monica's Cookie Recipe: http://monica-at-mozilla.blogspot.com/2013/10/cookie-counting.html
• Ideas from "We're all remoties" talk:
  • Take turns running meeting
  • Start within 5 minutes of starting time ("out of respect for those who are on time") (we're actually pretty good at this already, I think)
  • Everyone on individual cameras (not room cameras)
  • On 1-on-1s: http://www.dria.org/wordpress/archives/2010/02/25/1443/
  • Workweeks: locals stay in the same hotel as remoties (apparently this is against the policy, but talk to John O'Duinn)
• OCSP stapling backout
  • If they've stapled an old response, we might want to switch to OCSP hard-fail
  • http://tools.ietf.org/html/rfc5019#section-2.2.4

Q4 Goals:

• Sandboxing
  • Outcome: Next set of steps towards a exploit-containing platform.
  • DRI: sid (+keeler +christoph)
  • Tasks:
    • [NEW] Implement: Chromium-sandbox: make it possible to compile and activate on mozilla-central - (keeler + bbondy)
    • [NEW] Implement: b2g/e10s security feature tests: Get CSP tests passing in e10s with help from overholt on platform team (garrett + sid + mwobensmith)
• Roadmaps
  • Outcome: More visibility and aim for our team's projects.
  • DRI: monica (+sid +garrett +cviecco +briansmith)
  • Tasks:
    • [NEW] Consult: security roadmap update (sid + briansmith + product teams)
    • [NEW] Consult: privacy roadmap update (monica + sid + product teams)
    • [NEW] Consult: anonymity (tor) roadmap update (sid + mikeperry)
• NetSec
  • Outcome: Massive improvement in channel security for SSL sites that want protection from decryption.
  • DRI: briansmith (+cviecco)
  • Tasks:
    • [NEW] Land Insanity::PKIX - bug 878932 (briansmith + cviecco)
    • [NEW] Implement: TLS 1.2 enabled on nightly requires server intolerance + telemetry (cviecco + briansmith)
• Mixed Content wrap up
  • Outcome: Mixed script is blocked widely on the web in a stable way (and has no more urgent follow-ups.)
  • DRI: christoph (+tanvi)
  • Tasks:
    • [ON TRACK] Implement: redirect bug - bug 418354 (started to work on that)
    • [ON TRACK] Implement: don't show mixed content on http pages - bug 909920 (may require content policy api changes) (landed)
    • [ON TRACK] Implement: missing notification - bug 915951 (in progress)
    • [ON TRACK] Implement: persistency for child tabs - bug 906190 (rewrote tests - under review tonight)
• CSP
  • Outcome: Wider adoption of CSP when Firefox supports these features (and beginning of CSP v1.1)
  • DRI: garrett (+sid)
  • Tasks:
    • [ON TRACK] Implement: script nonce landed behind a pref. bug 855326 (garrett + sid)
    • [ON TRACK] Implement: script hash landed behind a pref. bug 883975 (garrett + sid)
    • [DONE] Evaluate: profile CSP on desktop and B2G to develop a plan to optimize CSP by rewriting in C++ or otherwise (https://bugzilla.mozilla.org/show_bug.cgi?id=924337#c26) [garrett + christoph] (FAST PATH PROOF: bug 927493)