SecurityEngineering/Jan2013WorkWeek/11-Roadmap Blender

Yeah, that's right. We took the roadmaps, threw them in the blender, and turned it up to 11.

Thursday 1/17 at ~2 pm

The point of the session was to share our individual priorities, mix it up, and see what the team's priorities are for the year.

Inputs:

• https://wiki.mozilla.org/Security/Roadmap
• https://wiki.mozilla.org/Privacy/Roadmap/2012
• https://bugzilla.mozilla.org/buglist.cgi?quicksearch=kw%3Asec-want
• https://wiki.mozilla.org/SecurityEngineering/Jan2013WorkWeek/09-Big_Things_Brainstorm
• https://wiki.mozilla.org/SecurityEngineering/Jan2013WorkWeek/07-SSL_NSS_PSM_Planning

Including:

• Rework content policy? (request from Jonas et al) see https://groups.google.com/forum/#!topic/mozilla.dev.platform/veLFoy09ydg/discussion

What else (not from the inputs) are we currently working on?

Categories:

Working Group/Standards Activities

• (ongoing) Web Crypto API WG [ddahl]
• (ongoing) CABForum and CA Policy [bsmith]
• (ongoing) W3C WebAppSec Working Group - conference calls/mailing list [ian, tanvi]
• (ongoing) IETF TLS/PKIX/etc. working groups [bsmith]

Mozilla cross-team meetings

• (ongoing) UX embedding meetings [Tanvi]
• (ongoing) Working with Paul on what to do about passwords in general. [Tanvi, mmc]

Engineering Maintenance

• Dealing with redirects in content policies [???]
• delete some PSM code to make mixed content work [tanvi, bsmith]
• (ongoing) CSP followup work (see dependent bugs, see notes from Monday, evangelism) [ian]
• PSM/NSS radar spreadsheet items (PKIX, centralization) [cviecco]
• finish iframe sandbox (bug 785310) [ian]
• Finalizing B2G FOTA update and App Signing [bsmith]
• Bug fixing in PSM and NSS (e.g. #1 toporange, TLS protocol vulnerability fix, certificate validation of items in the HTTP cache) [bsmith]
• CTP touch-ups, tweaks, etc. [keeler]
• (ongoing) Keep up with HSTS preload list changes [keeler]
• Triage open follow-up bugs (and sec-want, etc)

Community Engagement

• (ongoing) various mentored bugs [ian]
• (ongoing) various conference talks & publicity stunts
• UserCSP (paper, freddy continue mentorship of student) [Tanvi]
• Insecure Passwords mentorship: http://www.cs.helsinki.fi/group/ohtu/k-2013/aihe_secuadvisor.html and maybe writing a paper [Tanvi]
• finish iframe sandbox (mentor contributor bug 766282) [ian]
• Recruiting [sid]

Step 1: Pick 5 things you want to wprk on this year

Sid

1. Recruiting (clone bsmith) XXXXX (5)
2. CSP follow-up bugs XXXXX (5)
3. W3C Do-Not-Track proliferation X (1)
4. Outreach/conference talks & publicity XX (2)

Ian

1. finish iframe sandbox (r=smaug) XX (2)
2. sandboxing (r=various) XXXXXXXXXX X (11)
3. mentored bugs (r=various)
4. CSP evangelism/documentationX (1)
5. CSP follow-up bugs (r=sid)

bsmith

1. B2G remaining work (FOTA and app signing) (r=rtilder, r=bbondy)X (1)
2. High-priority bug fixes for PSM/NSS (r=NSS team)XX (2)
3. TLS performance fixes (False start, etc.) (r=NSS team)X (1)
4. Intermediate certificate whitelist (r=NSS team) XXXXX (5)
5. Certificate transparency or similar (r=NSS team) XXX (3)

ddahl

1. Web Crypto WG - editing high-level spec XXX (3)
2. crypto.getRandomValues FxOS [r=wtc, bsmith] XXX (3)
3. Extensions Crypto API [r=bsmith, wtc] X (1)
4. Web Crypto API for content [r=wtc, bsmith]XXX (3)
5. Web Crypto evangelism X (1)

cviecco

1. PK pinning [r=bsmith] XXXX (4)
2. Cert verification speed improvements [r=bsmith, mayhemer]
3. Privacy/Security non-pref UI revamp (desktop) [r=lco, tanvi, bsmith] X (1)
4. security ui mobile [r=lco, tanvi, bsmith] XX (2)
5. non-windows sandboxing?

Tanvi

1. Insecure passwords and working with Paul on what to do about passwords in general.- XX (2)
2. UserCSP
3. Mixed Content Blocker XXX (3)
4. w3c webappsec
5. UX embedding - should we stop this now or migrate it to another team?

mmc

1. profile switching (r=jdm) XXXX (4)
2. finish application reputation (r=bsmith for necko only, gsharp for download manager)XX (2)
3. cookieSniffer, task data (r=glind, isegall, ddahl) XXX (3)
4. cid user studies: outcome is actionable, implementable features that users want for privacy XXXXX (5)
5. contribute to collusion (r=dethe)XX (2)

keeler

1. Finish CTP [r=jaws, dao, etc.] X (1)
2. Make HSTS preload list generation automagic [r=bsmith, build/automation peeps]
3. explore the "Whenever I visit my bank, open in the bank profile" idea (related to profile switching)X (1)
4. become PSM peer
5. code cleanup XXX (3)

Step 2: Vote for what we do

You have ten X's. Put them next to the things you think we (as a team) should do. Duplicates are removed from potential targets for votes.

Results of 2 Ranked by votes:

1. [dri=ian] sandboxing (11)
2. [dri=sid] Recruiting (clone bsmith) (5)
3. [dri=sid] CSP follow-up bugs (5)
4. [dri=bsmith] Intermediate certificate whitelist (5)
5. [dri=mmc] cid user studies: outcome is actionable, implementable features (5)
6. [dri=cviecco] PK pinning (4)
7. [dri=mmc] profile switching (4)
8. [dri=bsmith] Certificate transparency or similar (3)
9. [dri=ddahl] Web Crypto WG - editing high-level spec (3)
10. [dri=ddahl] crypto.getRandomValues FxOS (3)
11. [dri=ddahl] Web Crypto API for content (3)
12. [dri=tanvi] Mixed Content Blocker (3)
13. [dri=mmc] cookieSniffer, task data (3)
14. [dri=keeler] code cleanup (3)
15. [dri=tanvi] Insecure passwords and working with Paul on what to do about passwords (2)
16. [dri=ian] finish iframe sandbox (2)
17. [dri=sid] Outreach/conference talks & publicity (2)
18. [dri=bsmith] High-priority bug fixes for PSM/NSS (2)
19. [dri=cviecco] security ui mobile (2)
20. [dri=mmc] finish application reputation (2)
21. [dri=mmc] contribute to collusion (2)
22. [dri=sid] W3C Do-Not-Track proliferation (1)
23. [dri=ian] CSP evangelism/documentation (1)
24. [dri=bsmith] B2G remaining work (FOTA and app signing) (1)
25. [dri=bsmith] TLS performance fixes (False start, etc.) (1)
26. [dri=ddahl] Extensions Crypto API (1)
27. [dri=ddahl] Web Crypto evangelism (1)
28. [dri=cviecco] Privacy/Security UI revamp (desktop) (1)
29. [dri=keeler] Finish CTP (1)
30. [dri=keeler] explore the "Whenever I visit my bank, open in the bank profile" idea (1)

Step 3: Pick 5 things other people should do

ian

1. CA pinning XXXXXXXX (8)
2. sandboxing (other people as well as me and my beer) XXXXXXXXXXXXXXX (15)
3. insecure passwords UI XXX (3)
4. fast profile switching XXXXXXX (7)
5. mixed content blocker XXXXXX (6)

tanvi

1. contextual identity / profile switching
2. password manager revamped - https://wiki.mozilla.org/Security/Features/PasswordManagerImprovements
3. security & privacy preferences UI - XXXXXXXX (8)
4. application reputation
5. ca pinning

mmc

1. delete 100K lines of code X (1)
2. ship b2g XXX (3)
3. recruit more SF people (r=sid, patch=tanvi?, desk=lucas?)
4. speed up firefox by an order of magnitude

bsmith

1. Captive Portal Detection XX (2) - https://bugzilla.mozilla.org/show_bug.cgi?id=562917
2. CTP all plugins except flash XXX (3)
3. Address Bar Security UI revamp (Larry) (especially B2G/Fennec) XXXX (4)
4. Reduce response time for forcing certificate revocations XXX (3)
5. OCSP must-staple X (1)

jesse (non-voting observer ✗✗✗✗✗ ✗✗✗✗✗)

1. Expose and promote Flash CTP - https://bugzilla.mozilla.org/show_bug.cgi?id=738698
2. Application reputation - https://bugzilla.mozilla.org/show_bug.cgi?id=662819
3. Indicate good use of SSL [Larry revamp] - https://bugzilla.mozilla.org/show_bug.cgi?id=711816
4. Fix pldhash recursion footgun - https://bugzilla.mozilla.org/show_bug.cgi?id=810718
5. Stop trying to recover from OOM everywhere - https://bugzilla.mozilla.org/show_bug.cgi?id=427099

ddahl

1. CA pinning
2. sandboxage
3. code delete
4. Contextual ID pieces?
5. CookieSniffer and other extensions XXXXX (5)

cviecco

1. sandboxing
2. insecure passwords
3. download reputation
4. faster resolution of ca problems.
5. ctp all plugins by default

sid

1. sandboxing
2. CA pin violation reporting
3. clean up old code
4. Tracking map XXX (3)
5. Contextual Identity-related user studies XXXXX (5)

keeler

1. sandboxing
2. cert pinning
3. profile switching
4. entire preferences UI revamp X (1)
5. re-do the blocklist system XX (2)

Step 4: X's thing, do it again

Duplicates are removed from potential targets for votes.

Results, Ranked by votes:

1. [dri=ian] sandboxing (15)
2. [dri=camilo] CA pinning (8)
3. [dri=keeler] fast profile switching (7)
4. [dri=sid] security & privacy preferences UI (6) - about:permissions, security & privacy panels
5. [dri= cviecco] Address Bar Security UI revamp (especially mobile) (6)
6. [dri=tanvi] mixed content blocker (6)
7. [dri=mmc] [ddahl interested] CookieSniffer and other extensions (5)
8. [dri=mmc] Contextual Identity-related user studies (5)
9. [dri=tanvi] insecure passwords UI (3)
10. [dri=lucas] keep an eye on b2g (3)
11. [dri=keeler] CTP all plugins except flash (3)
12. [dri=sid] Tracking map (3)
13. [dri=bsmith] [keeler is interested] Reduce response time for forcing cert revocations (3)
14. [dri=keeler] [bsmith is interested] re-do the blocklist system (2)
15. [dri=bsmith] Captive Portal Detection (2)
16. [dri=keeler] delete 100K lines of code (1)
17. [dri=bsmith] OCSP must-staple (1)
18. [dri=keeler] keep an eye on [whose?] revamp of the entire preferences UI (1)
19. [dri=ddahl] Web Crypto API (0.5)

DRI

There are DRI's for each of the items. We want to keep track of these things, individuals called out as DRIs are the go-to knowledge and status resource for the project. If you have a question about one of these, ask the DRI.