SecurityEngineering/MeetingNotes/05-23-13
Agenda
- Q2 Goals - recap
- Updates to the web console and potential duplicate messages
- Web Developer Security Training Update - https://etherpad.mozilla.org/SA46DHDEsr
  - Volunteers, please, to run the follow-up talks (2.0 in the etherpad)
- Password Knight update
  - https://addons.mozilla.org/en-US/firefox/addon/password-knight/
  - Still a few bugs. Will write a blog post.
- Mixed content blocker
  - The Mixed Content and HSTS topic has surfaced this week (https://bugzilla.mozilla.org/show_bug.cgi?id=838395)
  - QA rough results
    - 77 sites out of the Alexa top 1,000 have mixed content on Firefox
    - 60 sites: all 3 browsers block
    - 12 sites: not blocked only on Chrome (IE and Firefox block)
    - 3 sites: not blocked on IE (Chrome and Firefox block)
    - 2 sites: not blocked on IE or Chrome (only Firefox blocks)
  - https://bugzilla.mozilla.org/show_bug.cgi?id=776278 (Auto-upgrade HTTP iframes to HTTPS). Do we need to do it?
  - Awesome bar auto-upgrades URLs to HTTPS - https://bugzilla.mozilla.org/show_bug.cgi?id=769994
  - nytimes.com evangelism? Evangelism plan:
    - Reports are coming in to the tracking bug
    - Finish the QA
    - File bugs with whiteboard flags (have contact / no contact, technical details included / not included)
    - Write a blog post to the community asking for help
- Goal Setting / Work Planning for Q3
  - Need to figure out a way to do this well, and not at the last minute. Need a place to document potential work items and a way to reach agreement on what is important to work on.
- Password Security - bsmith
  - What is our strategy for password security?
  - Should this be high priority for us to address (as a major topic, not just a feature)?
  - https://wiki.mozilla.org/Security/Features/HighlightCleartextPasswords
  - Easy-to-fix (?), high-impact password security bugs
    - sec-high https://bugzilla.mozilla.org/show_bug.cgi?id=759860 (don't auto-complete passwords for non-HTTPS sites; see the last comments in the bug, because it is more nuanced than the summary makes it out to be)
    - sec-high https://bugzilla.mozilla.org/show_bug.cgi?id=534541 (passwords of non-HTTPS sites can be stolen without user interaction; probably a dupe of bug 759860)
    - sec-high https://bugzilla.mozilla.org/show_bug.cgi?id=873810 (background tabs can force an HTTP auth prompt over the active tab to steal the user's credentials for the currently active website)
    - sec-high https://bugzilla.mozilla.org/show_bug.cgi?id=647010 (only allow same-origin subrequests to request HTTP auth)
    - https://bugzilla.mozilla.org/show_bug.cgi?id=724182 (Gecko sends HTTP auth credentials in subrequests to unrelated resources)
    - https://bugzilla.mozilla.org/show_bug.cgi?id=613785 (use a tab-modal dialog box for HTTP auth)
  - What is our strategy for password security?
- PSM/NSS Documentation
- OCSP stapling testing - bug 700693
- Meet-up: week of June 17, MTV