SecurityEngineering/MeetingNotes/2014-01-09

From MozillaWiki
Jump to: navigation, search

2014 Q1 Goals

Cert Revocation

  • Outcome: measure feasibility of pinning mozilla properties
  • Who: briansmith, cviecco, keeler
    • {new|(briansmith) root name constraints}
    • {new|(briansmith) Land insanity}
    • {new|(cviecco) Land key pinning + pin telemetry}
    • BONUS: {new|(keeler) land cert error reporting ("report this to Mozilla") + collection infrastructure}

Sandboxing

  • Outcome: tighter sandbox, removes more access from child process
  • Who: kang, bbondy, ckerschb, keeler, sid
    • {new|(kang) nail down path to remoting file access, file bugs and begin work (so we can remove OPEN syscall from sandbox)}
    • {new|(bbondy) and equivalent file access/pipe control for windows.}

Tracking Protection

  • Outcome: Users can import a list of content to block.
  • Who: mmc, grobinson, sid
    • {new|(mmc) Extend nsChannelClassifier to block network loads from tracking domains based on a remote list.}

Security Feature Compatibility and Performance

  • Outcome: improve app loading time on B2G and page load times on desktop
  • Who: ckerschb, grobinson, sid
    • {new|(ckerschb) CSP rewrite in C++ (perf for B2G and all platforms) }
    • {new|(grobinson) create deprecation plan for old parser}

Agenda 2014-01-09 CHAIR: Sid (regular chair cycling starts back up next week)

Action Items:

  • (grobinson/all) Debug script-hash/multiprocess after meeting
  • (grobinson/sid) Debug broken CSP sandbox-breaking test after meeting
  • (sid) share workweek schedule when it's made