SecurityEngineering/MeetingNotes/02-07-13

From MozillaWiki

Revision as of 01:50, 8 February 2013

Agenda

  • Goals
  • CA/B Forum recap
  • Mixed Content
  • third party cookies discussion

Goals Recap

CA/B Forum recap

  • gTLD discussion -- what about internal hosts and publicly trusted PKI
  • we discussed things that are only important to CA/SSL types.

Mixed Content

Needed to Turn the Pref on in Hopefully FF 21 by Feb 18th

Before Beta

  • https://bugzilla.mozilla.org/show_bug.cgi?id=836431 - distinguish between mixed active vs mixed display loads in Webconsole - https://developer.mozilla.org/en-US/docs/Security/MixedContent
  • https://bugzilla.mozilla.org/show_bug.cgi?id=418354 and https://bugzilla.mozilla.org/show_bug.cgi?id=456957 - block https->http redirects.

The Rest

  • https://bugzilla.mozilla.org/show_bug.cgi?id=838403 - missing call for setting flag for mixed display blocked - needs a test.
  • https://bugzilla.mozilla.org/show_bug.cgi?id=836811 - needs a test, but has already landed in central.
  • https://bugzilla.mozilla.org/show_bug.cgi?id=800098 - HSTS will be blocked before it's enforced.
    • Inconsistency between first-time and second-time visitors to a page with an embedded HSTS resource.
    • https://blog.mozilla.org/ embeds http://blog.mozilla.org/files/2013/01/most-trusted-privacy-2012-252x218.jpg, which redirects to the https version.
    • What should the correct behavior be?
  • https://bugzilla.mozilla.org/show_bug.cgi?id=826599 - users have a choice to disable mixed content on iframes. What should the correct behavior be?

    • Strike through https - https://bugzilla.mozilla.org/show_bug.cgi?id=834830
    • UI redesign tweaks - https://bugzilla.mozilla.org/show_bug.cgi?id=827595

Research!

  • password stats - https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AnujPp0bAzAvdDhVTnZuSTROamcwSGh0aGRZSDJNdmc#gid=6
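The three mixed content questions in the notes above (telling mixed active from mixed display loads, blocking https->http redirects, and the HSTS-versus-mixed-content ordering behind bug 800098) can be made concrete with a small model. This is an added example, not Firefox or Mozilla code: the active/display split follows the MDN Mixed Content page linked above, while the function names, the two-step ordering switch and the sample URLs are assumptions made for illustration. It shows what each ordering of "HSTS upgrade" and "mixed content check" yields for a first-time visitor (empty HSTS store) and a returning one.

```python
"""Toy model of browser mixed content classification, showing why the
order of the HSTS upgrade and the mixed content check matters.

Added example, not Firefox code. The active/display categories follow
MDN's Mixed Content page; everything else is a simplification.
"""
from urllib.parse import urlparse

# Subresource kinds that can run code or touch the DOM are "active";
# images and media are "display" (MDN's mixed content categories).
ACTIVE_KINDS = {"script", "iframe", "stylesheet", "xhr", "object"}
DISPLAY_KINDS = {"img", "audio", "video"}


def hsts_upgrade(url, hsts_hosts):
    """Rewrite http:// to https:// when the host is in the HSTS store."""
    p = urlparse(url)
    if p.scheme == "http" and p.hostname in hsts_hosts:
        return p._replace(scheme="https").geturl()
    return url


def classify(page_url, sub_url, kind):
    """Return 'ok', 'mixed-active' or 'mixed-display' for one subresource load."""
    if urlparse(page_url).scheme != "https":
        return "ok"               # mixed content only exists on https pages
    if urlparse(sub_url).scheme == "https":
        return "ok"
    if kind in ACTIVE_KINDS:
        return "mixed-active"
    if kind in DISPLAY_KINDS:
        return "mixed-display"
    return "mixed-active"         # unknown kinds are treated conservatively


def load(page_url, sub_url, kind, hsts_hosts, check_before_upgrade):
    """Simulate one load under either ordering of the two steps.

    check_before_upgrade=True: the mixed content check sees the original
    http URL, so a known-HSTS host is still flagged before HSTS can act.
    check_before_upgrade=False: HSTS rewrites the URL first, so the check
    sees https and passes the load.
    """
    if check_before_upgrade:
        verdict = classify(page_url, sub_url, kind)
        final = hsts_upgrade(sub_url, hsts_hosts)
    else:
        final = hsts_upgrade(sub_url, hsts_hosts)
        verdict = classify(page_url, final, kind)
    return verdict, final


def follows_downgrade_redirect(chain):
    """True if any hop in a redirect chain goes from https to http
    (the https->http redirect the notes want blocked)."""
    schemes = [urlparse(u).scheme for u in chain]
    return any(a == "https" and b == "http" for a, b in zip(schemes, schemes[1:]))


def first_and_second_visit(page_url, sub_url, kind, check_before_upgrade):
    """Model the first-time vs second-time visitor question: the first
    visit has an empty HSTS store, the second has learned the host."""
    host = urlparse(sub_url).hostname
    first = load(page_url, sub_url, kind, set(), check_before_upgrade)[0]
    second = load(page_url, sub_url, kind, {host}, check_before_upgrade)[0]
    return first, second


if __name__ == "__main__":
    # Constructed sample based on the blog.mozilla.org case in the notes.
    PAGE = "https://blog.mozilla.org/"
    IMG = "http://blog.mozilla.org/files/2013/01/most-trusted-privacy-2012-252x218.jpg"
    print("check first: ", first_and_second_visit(PAGE, IMG, "img", True))
    print("upgrade first:", first_and_second_visit(PAGE, IMG, "img", False))
    print("mixed active: ", classify(PAGE, "http://cdn.example/app.js", "script"))
    print("downgrade:    ", follows_downgrade_redirect([IMG.replace("http:", "https:"), IMG]))
```

With the check run first, the http image is flagged on both visits even though the host is known to be HSTS (the "blocked before it's enforced" observation); with the upgrade run first, the first visit is flagged and the second is clean, which is the first-time/second-time inconsistency the notes ask about. The notes do not say which order Firefox used at the time; the model only shows the consequence of each.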

Internship/Mentorship project brainstorming

e.g., dev tools, mini projects, add-ons, etc.

  • see https://wiki.mozilla.org/Security/Mentorship
  • HSTS crawler for preload list
  • Wordpress CSP plugin (update it for CSP 1.0)
  • Developer tools for securing a site:
  • Fast profile switching prototype (add-on or something) to study how people interact with it
  • HTTPS by default for address bar
  • Auto-fix SSL errors (e.g. detect system time set wrongly, foo.com -> https://www.foo.com redirects automatically)
  • Certificate error reporting (send cert chain) to Mozilla (we want this for CA pinning) (telemetry: See bug 707275) but also a "report this to Mozilla" link
  • Cookie Tagging (mgoodwin is working on this... mebbe help)
  • CSP 1.1 experimental features
    • Paths
    • CSP Sandbox
  • Firefox OS cert manager
  • Web App CSP generator
  • Android Firefox client certs
  • Android Firefox cert viewer (or larry for android)
  • Firefox OS Cross-app auth manager
  • remove the auth mechanism that tries to log you in if you type @ in the URL (userPass in nsIURI)
  • RFC 1918 address space isolation (bug 354493)