SecurityEngineering/MeetingNotes/2013-06-30

Revision as of 19:29, 30 June 2014 by Sidstamm (Created page with "Agenda and Notes 2014-06-30 CHAIR: Sid * Q2 Goals recap + status updates * tuesday engineering meeting (grobinson) ** topic: new CSP backend active on nightly ** {{bug|1029...")

Agenda and Notes 2014-06-30

CHAIR: Sid


Goal Brainstorming

Core/DOM

  • revamp gecko security hooks continued - next steps? What are they?
    • [T] Finish code and debugging for New Channel API, start getting reviews and fixing the issues brought up
      • [C] Get New Channel API landed (we should be able to do that, perhaps without moving content policy check)
      • [T] Figure out the addon compatibility story
      • Bonus - start architecting and implementing new observer service

  • csp
    • [SC] get rid of old implementation entirely
    • [GC] CSP 1.1 compliance (finish things needed to line up with draft)

  • Subresource Integrity (SRI)? implement or plan out implementation? evaluate?
    • once upon a time, this was implemented - Link fingerprints: bug 377245 (and dependencies)

  • Referrer control
    • [S] <meta> referrer control
    • CSP referrer directive
    • <a rel=noreferrer>
    • Make progress on referrer= attribute for other DOM elements

Communications Security

  • [C] hpkp - implement pinning http header
  • [GD] finish ssl error reporting project
  • [R] WebCrypto - next steps? What are they?
  • [K] 2048 bit (rsa) keys required for built-in root anchored certs (policy work)
  • [RC] Enforcing more Baseline Requirements in code

  • mozilla::pkix Next Steps -- Documentation, pkix::next bugs. Figure out NSS plan

  • [K] [stretch goal] Get CA Program data into one database, maybe using salesforce.com
  • [RD] Certificate revocation plan -- Need to handle intermediate cert revocations (CRLset-like mechanism -- can use the same mechanism for blocking intermediate certs as needed?)

  • Provide tool for checking CA compliance to Mozilla policy and EV-readiness
  • Ability to more easily constrain root certificates (name constrain roots)
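The hpkp item above is just "implement pinning http header". As an added illustration (not Firefox code and not from these notes), the block below shows what a client has to do with a received Public-Key-Pins header under RFC 7469: compute pin-sha256 values from SubjectPublicKeyInfo DER, parse the header directives, and apply the acceptance rules (max-age present, at least one pin matching the validated chain, at least one backup pin that does not). The SPKI byte strings are constructed placeholders standing in for real DER; the helper names are this example's own.

```python
# Added example, not Mozilla/Firefox code: RFC 7469 (HPKP) pin computation,
# header parsing and pin-set acceptance rules. SPKI inputs are constructed
# placeholder bytes; a real client would pass the DER SubjectPublicKeyInfo of
# each certificate in the validated chain.
import base64
import hashlib
import re

def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value for one SubjectPublicKeyInfo: base64(SHA-256(DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

# One directive: name, optionally =quoted-string or =token.
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*(?:"([^"]*)"|([^;,\s]*)))?\s*')

def parse_pkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins header value.

    Returns {"pins": [...], "max_age": int|None, "include_subdomains": bool}.
    Unknown directives are ignored (RFC 7469 section 2.1); a pin that is not
    base64 of a 32-byte digest is rejected.
    """
    out = {"pins": [], "max_age": None, "include_subdomains": False}
    for part in value.split(";"):
        if not part.strip():
            continue
        m = _DIRECTIVE.fullmatch(part)
        if not m:
            raise ValueError(f"malformed directive: {part!r}")
        name = m.group(1).lower()
        val = m.group(2) if m.group(2) is not None else m.group(3)
        if name == "pin-sha256":
            # binascii.Error is a ValueError subclass, so bad base64 surfaces as ValueError
            if val is None or len(base64.b64decode(val, validate=True)) != 32:
                raise ValueError("pin-sha256 must be base64 of a 32-byte SHA-256 digest")
            out["pins"].append(val)
        elif name == "max-age":
            out["max_age"] = int(val)
        elif name == "includesubdomains":
            out["include_subdomains"] = True
    return out

def pins_valid(pkp: dict, chain_spkis: list) -> bool:
    """Whether a received pin set may be noted for the host (RFC 7469 section 2.5):
    max-age must be present, at least one pin must match an SPKI in the
    validated chain, and at least one pin must NOT match any chain SPKI (backup pin)."""
    if pkp["max_age"] is None or not pkp["pins"]:
        return False
    chain_pins = {spki_pin(s) for s in chain_spkis}
    matched = any(p in chain_pins for p in pkp["pins"])
    backup = any(p not in chain_pins for p in pkp["pins"])
    return matched and backup

def chain_matches_pins(stored_pins, chain_spkis) -> bool:
    """Pin validation on a later connection (RFC 7469 section 2.6):
    accept the chain iff some stored pin matches an SPKI in it."""
    chain_pins = {spki_pin(s) for s in chain_spkis}
    return any(p in chain_pins for p in stored_pins)

# Constructed sample chain: placeholder bytes in place of DER SPKI blobs.
LEAF_SPKI = b"constructed-leaf-spki"
INTERMEDIATE_SPKI = b"constructed-intermediate-spki"
BACKUP_SPKI = b"constructed-backup-key-spki"   # key kept offline, not in the served chain

def demo_header(include_backup: bool) -> str:
    """Build a sample Public-Key-Pins header pinning the intermediate (and optionally a backup key)."""
    pins = [spki_pin(INTERMEDIATE_SPKI)]
    if include_backup:
        pins.append(spki_pin(BACKUP_SPKI))
    directives = [f'pin-sha256="{p}"' for p in pins]
    directives += ["max-age=5184000", "includeSubDomains"]
    return "; ".join(directives)

if __name__ == "__main__":
    chain = [LEAF_SPKI, INTERMEDIATE_SPKI]
    good = parse_pkp_header(demo_header(True))
    bad = parse_pkp_header(demo_header(False))
    print("header with backup pin accepted:", pins_valid(good, chain))      # True
    print("header without backup pin accepted:", pins_valid(bad, chain))    # False
    print("rotated chain using only the backup key passes:",
          chain_matches_pins(good["pins"], [BACKUP_SPKI]))                  # True
```

Pinning the intermediate rather than the leaf is the usual choice because leaf keys rotate often; the backup-pin rule exists so that a site which loses the pinned key can still rotate without bricking itself for max-age seconds.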

Tracking Control

  • [GM] Lightbeam/tracking protection in FF (https://bugzilla.mozilla.org/show_bug.cgi?id=1029886): land a feature in FF33 and FF34, off by default, that prevents users from connecting to domains on a list that we serve

    • PR push for 33 around tracking protection

Evangelism

  • [CS] security outreach - Security Open Mic presentation + blog post about new CSP, maybe again as brown bag.

  • talk at (web dev) conference? Be more visible?

  • [B] Knock down Tor Browser Bundle bugs

    • Tor dev conf at Mozilla Paris