Security/Meetings/2011-09-07
Twitter account
- We now have a shared Twitter account: @mozsec
Blog post roundup
- CA compromise
  - http://blog.gerv.net/2011/08/diginotar_compromise_webmaster_notificat/
  - http://www.daemonology.net/blog/2011-09-01-Iran-forged-the-wrong-SSL-certificate.html
  - http://blog.mozilla.com/security/2011/09/02/diginotar-removal-follow-up/
  - http://blog.gerv.net/2011/09/diginotar-compromise/
  - http://blog.gerv.net/2011/09/diginotar-compromise-postscript/
  - http://www.globalsign.com/company/press/090611-security-response.html
CA mess
DigiNotar compromise
- Hacked in June
- Bad certs were first noticed on July 19
- More bad certs were noticed on July 20 and 27
- Many bad certs were also issued on the 10th and were never detected
- We rolled out a fix that explicitly blocks DigiNotar's cert rather than merely removing it from the root store
Preventing future CA issues
- Require existing CAs to go through audits; remove their ability to issue new certs
- Add a capability for "lightweight CA-revocation-and-blocking updates" so we don't need a new Firefox release for each CA compromise
  - Can this be based on CRL or OCSP?
  - CRL updating is currently broken (bug 682244)
  - Needs to support blocking, not just revocation (for cross-signed certs)
  - What if a network attacker blocks the updater connection?
- A way to detect rogue certs. Can we do more than Chrome-style pinning (which even the Chrome team doesn't recommend) and still preserve privacy?
  - More like informative pinning, invisible to the user, so we can notice when certificates for popular sites change. This has obvious privacy problems, but there may be a way to solve them. Chrome-style pinning with notification to the user might be too error prone.
  - Or just user-facing detection with feedback-style user submissions: https://wiki.mozilla.org/Security/Features/Strange_SSL_Cert_Change_Alert
  - Further discussion on this topic at the All Hands
  - http://convergence.io/details.html
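As an added illustration of the "informative pinning" idea discussed above (example code, not from the meeting or from Mozilla): a small monitor that remembers which issuer each chosen popular host has presented before and flags a never-seen issuer, reporting in the default mode and only blocking in an enforced, Chrome-style mode. Host names, fingerprints and issuer names are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Observation:
    host: str
    fingerprint: str  # digest of the leaf certificate (constructed values below)
    issuer: str       # name of the CA that issued the leaf

@dataclass
class CertChangeMonitor:
    """Informative pinning: remember what each tracked host has presented before
    and report a change; only the enforced (Chrome-style) mode blocks."""
    popular_hosts: set
    enforce: bool = False
    history: dict = field(default_factory=dict)  # host -> list of Observation

    def observe(self, obs: Observation) -> tuple:
        # Only a pre-chosen set of popular hosts is tracked, so the local history
        # is not a full browsing log (the privacy concern raised in the notes).
        if obs.host not in self.popular_hosts:
            return ("untracked", True)
        seen = self.history.setdefault(obs.host, [])
        if not seen:
            verdict = "first-seen"
        elif any(o.fingerprint == obs.fingerprint for o in seen):
            verdict = "unchanged"
        elif obs.issuer in {o.issuer for o in seen}:
            verdict = "renewed"         # new leaf from a CA already seen: routine
        else:
            verdict = "issuer-changed"  # a CA this host never used before: report it
        # Enforced pins block the new issuer, which also breaks legitimate CA
        # migrations; informative mode allows the connection and records the event.
        allow = not (self.enforce and verdict == "issuer-changed")
        if allow:
            seen.append(obs)
        return (verdict, allow)

# Constructed sample observations, in the order a browser would see them.
SAMPLE = [
    Observation("mail.example.com", "aa11", "Example Root CA"),
    Observation("mail.example.com", "aa11", "Example Root CA"),
    Observation("mail.example.com", "bb22", "Example Root CA"),     # renewal
    Observation("mail.example.com", "cc33", "Rogue Issuer CA"),     # never seen here
    Observation("obscure.example.net", "dd44", "Rogue Issuer CA"),  # not tracked
]

def run(enforce: bool = False) -> list:
    """Feed SAMPLE through a fresh monitor; returns (verdict, allow) per observation."""
    mon = CertChangeMonitor(popular_hosts={"mail.example.com"}, enforce=enforce)
    return [mon.observe(o) for o in SAMPLE]
```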
List of CA intermediate certificates
- It would help us to know about cross-signing relationships (between certs that are both in our root program), so that if we have to remove trust, we can actually do it.
- Sub-CAs / intermediates / resellers
Mobile Notes (imelven)
- Downloadable locales are landing soon; supposed to work the same as add-on download/install. imelven is keeping an eye on this; it will likely need at least a brief implementation review.
- mfinkle reached out to folks to get them to publicize more that Firefox on Android has the DigiNotar cert fixes, while stock Android users have to wait for an OTA from the carrier to update their root cert store (iPhone has the same problem). Retweeted @johnath's tweet on this from @MozSec.
- imelven will look into the update situation on Android and how Firefox updates are verified, etc.
Mixed content
- bsterne is working on a patch that will block mixed scripting and allow mixed display
  - Based on nsIContentPolicy
  - Unclear: fonts, video/audio, XHR, file download / helper apps
  - Mixed display will probably continue to result in broken-https UI
  - Mixed scripting will probably have an infobar to allow it
  - Trying to coordinate with Chrome, making it more likely for the change to stick
Mixed display warnings
- Jesse thinks we should nix the "mixed display removes SSL status" feature
  - It's visual noise, muddying our message that you can look in the location bar to know where you are.
  - It's less security-relevant than STS (due to how cookie-setting works) (bug 685405)
  - It's not especially actionable, and not quite what you want to know: whether you will encounter mixed display, or whether there is any mixed display on the site.
  - Years of all browsers warning about mixed display hasn't convinced Gmail, Google Reader, or Twitter to proxy all third-party images.
    - A network attacker could redirect your other tabs to the insecure version of Gmail
Prioritization of non-features (curtis)
- Not just security
- There will be a discussion session at next week's All Hands
  - But we don't know when/where until the full All Hands schedule is posted
- Curtis, Lucas, bsterne, and Jesse are inviting important people to the session (engineering managers, Firefox product managers, quality-aspect leads) and discussing with them in small groups.
- Please update wiki with status
- What pain points do others see? Do they see any at all?
DNSSEC-TLS Presentation (keelerd)
- 4 intern brown bags scheduled for 1pm today - I'm last on the list, so maybe I won't conflict with the SecReview?