Agenda and Notes 2014-06-30

CHAIR: Sid

* Q2 Goals recap + status updates
* tuesday engineering meeting (grobinson)
** topic: new CSP backend active on nightly
** {{bug|1029...
= Goal Brainstorming =

== Core/DOM ==

revamp gecko security hooks continued - next steps? What are they?
T** Finish code and debugging for New Channel API, start getting reviews and fixing the issues brought up
C *** Get New Channel API landed (we should be able to do that, perhaps without moving content policy check)
T*** Figure out the addon compatibility story
<s>** Bonus - start architecting and implementing new observer service</s>

csp
SC** get rid of old implementation entirely
GC** CSP 1.1 compliance (finish things needed to line up with draft)
<s>* Subresource Integrity (SRI)? implement or plan out implementation? evaluate?</s>
<s>** once upon a time, this was implemented - Link fingerprints: bug 377245 (and dependencies)</s>

Referrer control
S ** <meta> referrer control
<s>** CSP referrer directive</s>
<s>** <a rel=noreferrer></s>
<s>** Make progress on referrer= attribute for other DOM elements</s>
== Communications Security ==

C* hpkp - implement pinning http header
GD* finish ssl error reporting project
R* WebCrypto - next steps? What are they?
<s>K* 2048 bit (rsa) keys required for built-in root anchored certs (policy work)</s>
RC* Enforcing more Baseline Requirements in code
<s>* mozilla::pkix Next Steps -- Documentation, pkix::next bugs. Figure out NSS plan</s>
K* [stretch goal] Get CA Program data into one database, maybe using salesforce.com
RD* Certificate revocation plan -- Need to handle intermediate cert revocations (CRLset-like mechanism -- can use the same mechanism for blocking intermediate certs as needed?)
<s>* Provide tool for checking CA compliance to Mozilla policy and EV-readiness</s>
<s>* Ability to more easily constrain root certificates (name constrain roots)</s>
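The "implement pinning http header" goal above is the Public-Key-Pins (HPKP) header. The block below is an added example of the client-side logic that goal implies, written for these notes; it is not code from the meeting, from Gecko or from Firefox. It parses a Public-Key-Pins field value, checks that each pin-sha256 is a 32-byte SHA-256 digest, evaluates a served chain against the pin set (a match on any SPKI in the chain is enough), and applies the rule that a header is only noted when it also carries a backup pin not present in the chain. The certificate chain is modelled only as a list of DER SubjectPublicKeyInfo byte strings, and those byte strings are constructed placeholders, not real keys; the function names are this example's own.

```python
"""Added example for the HPKP goal: parse and validate a Public-Key-Pins header.

Assumption: a chain is represented purely by each certificate's DER-encoded
SubjectPublicKeyInfo. The SPKI values used below are constructed placeholders.
"""
import base64
import hashlib
import re


def spki_pin(spki_der):
    """pin-sha256 value for a DER SubjectPublicKeyInfo: base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# directive-name [ "=" ( quoted-string | token ) ], one per ';'-separated part
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9-]+)(?:\s*=\s*(?:"([^"]*)"|([^;\s]*)))?\s*')


def parse_pkp_header(value):
    """Parse a Public-Key-Pins field value.

    Returns a dict with 'pins' (set of base64 strings), 'max_age' (int),
    'include_subdomains' (bool) and 'report_uri' (str or None).
    Raises ValueError for malformed directives, a pin that is not a 32-byte
    digest, or a missing/non-numeric max-age (max-age is required by RFC 7469).
    Unknown directives are ignored, as the RFC requires.
    """
    pins, max_age, include_sub, report_uri = set(), None, False, None
    for part in value.split(";"):
        if not part.strip():
            continue
        m = _DIRECTIVE.fullmatch(part)
        if not m:
            raise ValueError("malformed directive: %r" % part)
        name = m.group(1).lower()
        val = m.group(2) if m.group(2) is not None else m.group(3)
        if name == "pin-sha256":
            if val is None:
                raise ValueError("pin-sha256 needs a value")
            try:
                digest = base64.b64decode(val, validate=True)
            except Exception as exc:
                raise ValueError("bad base64 in pin: %r" % val) from exc
            if len(digest) != 32:
                raise ValueError("pin-sha256 must encode a 32-byte SHA-256 digest")
            pins.add(val)
        elif name == "max-age":
            if val is None or not val.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "report-uri":
            report_uri = val
    if max_age is None:
        raise ValueError("max-age directive is required")
    return {"pins": pins, "max_age": max_age,
            "include_subdomains": include_sub, "report_uri": report_uri}


def chain_matches_pins(chain_spkis, pins):
    """Pin validation on connect: any SPKI in the chain hashing to a pin passes."""
    return any(spki_pin(s) in pins for s in chain_spkis)


def is_valid_pinning_header(header, chain_spkis):
    """RFC 7469 section 2.5: note the host only if some pin matches the chain
    AND at least one pin (the backup pin) does not match any chain SPKI."""
    chain_pins = {spki_pin(s) for s in chain_spkis}
    return bool(header["pins"] & chain_pins) and bool(header["pins"] - chain_pins)


# Constructed sample data (not real keys): a two-certificate chain plus an
# offline backup key whose SPKI never appears in what the server serves.
LEAF_SPKI = b"constructed-leaf-spki"
INTERMEDIATE_SPKI = b"constructed-intermediate-spki"
BACKUP_SPKI = b"constructed-backup-spki"
CHAIN = [LEAF_SPKI, INTERMEDIATE_SPKI]

GOOD_HEADER = ('pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains'
               % (spki_pin(INTERMEDIATE_SPKI), spki_pin(BACKUP_SPKI)))
# Pins only the leaf and offers no backup: must NOT be accepted as a pinning header.
NO_BACKUP_HEADER = 'pin-sha256="%s"; max-age=5184000' % spki_pin(LEAF_SPKI)

if __name__ == "__main__":
    for label, raw in (("good", GOOD_HEADER), ("no-backup", NO_BACKUP_HEADER)):
        hdr = parse_pkp_header(raw)
        print(label, "chain matches:", chain_matches_pins(CHAIN, hdr["pins"]),
              "noted as pinned host:", is_valid_pinning_header(hdr, CHAIN))
```

Pinning the intermediate rather than the leaf, as the sample header does, survives routine leaf reissuance; the backup-pin rule exists so that a site which loses its live key is not locked out of its own hostname for max-age seconds.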
== Tracking Control ==

GM* Lightbeam/tracking protection in FF (https://bugzilla.mozilla.org/show_bug.cgi?id=1029886) Land a feature in FF33 and FF34 that's off by default to prevent users from connecting to domains that are in a list that we serve
<s>** PR push for 33 around tracking protection</s>

== Evangelism ==

CS * security outreach - Security Open Mic presentation + blog post about new CSP, maybe again as brown bag.
<s>* talk at (web dev) conference? Be more visible?</s>
<s>B* Knock down TOR browser bundle bugs</s>
<s>** Tor dev conf at Mozilla Paris</s>