SecurityEngineering/MeetingNotes/2014-01-09
2014 Q1 Goals
Cert Revocation
- Outcome: measure feasibility of pinning Mozilla properties
- Who: briansmith, cviecco, keeler
- [NEW] (briansmith) root name constraints
- [NEW] (briansmith) Land insanity
- [NEW] (cviecco) Land key pinning + pin telemetry
- BONUS: [NEW] (keeler) land cert error reporting ("report this to Mozilla") + collection infrastructure
Sandboxing
- Outcome: tighter sandbox, removes more access from child process
- Who: kang, bbondy, ckerschb, keeler, sid
- [NEW] (kang) nail down path to remoting file access, file bugs and begin work (so we can remove OPEN syscall from sandbox)
- [NEW] (bbondy) and equivalent file access/pipe control for Windows.
Tracking Protection
- Outcome: Users can import a list of content to block.
- Who: mmc, grobinson, sid
- [NEW] (mmc) Extend nsChannelClassifier to block network loads from tracking domains based on a remote list.
Security Feature Compatibility and Performance
- Outcome: improve app loading time on B2G and page load times on desktop
- Who: ckerschb, grobinson, sid
- [NEW] (ckerschb) CSP rewrite in C++ (perf for B2G and all platforms)
- [NEW] (grobinson) create deprecation plan for old parser
Agenda 2014-01-09
CHAIR: Sid (regular chair cycling starts back up next week)
- Final review of Q4 goals
- Q1 Goals discussion
  - Set for Q1.
- Platform/DOM Workweek
  - Not a good schedule yet, will circulate one when it's prepared. Things we have asked to discuss at the workweek: revocation, sandboxing, tracking.
- OCSP stapling telemetry (tl;dr: successful staples ~6-7%, very few errors (percentage-wise))
- We're blocking 13% of downloaded executables: http://telemetry.mozilla.org/#nightly/29/APPLICATION_REPUTATION_COUNT
Action Items:
- (grobinson/all) Debug script-hash/multiprocess after meeting
- (grobinson/sid) Debug broken CSP sandbox-breaking test after meeting
- (sid) share workweek schedule when it's made