mozilla :: #security

12 Sep 2017
00:25 <wxl> hey folks. chrome just put out their plan for distrusting symantec certs. is there a similar plan posted somewhere for firefox?
08:09 <freddyb> wxl: yes, I suggest looking at the security policy mailing list
17:50 <evilpie> do we have interest in implementing SameSite cookies? (Bug 795346)
17:50 <firebot> https://bugzil.la/795346 NEW, nobody@mozilla.org Add SameSite support for cookies
18:34 <freddyb> evilpie: interest in having it or interest in implementing it? :-)
21:08 <MattN> keeler: Hey David, I'm looking into https://bugzilla.mozilla.org/show_bug.cgi?id=306730 and the main issue so far is where to put the new string. The obvious way is to have a XUL override for pippki.properties[1] but I'd rather not fork that whole file. [1] https://dxr.mozilla.org/mozilla-central/rev/f9a5e9ed62103c84e4cde915f4d08f1ce71be83e/security/manager/locales/en-US/chrome/pippki/pippki.properties#5
21:08 <firebot> Bug 306730 NEW, nobody@mozilla.org Improve the "Please enter the master password for the Software Security Device" string
21:08 <MattN> I only see one reference to an external string file from within /security/manager but I'm thinking it may be a bug: https://dxr.mozilla.org/mozilla-central/rev/f9a5e9ed62103c84e4cde915f4d08f1ce71be83e/security/manager/pki/resources/content/exceptionDialog.xul#26
21:10 <keeler> heh, yeah, I think that's an unused, duplicate entry
21:10 <MattN> Are you fine with a Fx-specific code path around https://dxr.mozilla.org/mozilla-central/rev/f9a5e9ed62103c84e4cde915f4d08f1ce71be83e/security/manager/ssl/nsNSSCallbacks.cpp#796
21:11 <MattN> or do we have to keep /security/manager clean of Fx stuff
21:11 <keeler> do we know what the string is going to be?
21:12 <MattN> I didn't ask UX yet but I imagine it's going to contain either "Master Password" or "{brandShortName} Master Password"
21:12 <MattN> since our prefs call it a Master Password
21:12 <MattN> easiest would be if I could have PSM default to calling the internal token password a "Master Password"
21:13 <MattN> assuming we don't need the product name
21:13 <keeler> having the product name would actually solve the "I have firefox and thunderbird open and I don't know which this came from" issue
21:13 <MattN> then I could just add the new MP string to pippki.properties
21:14 <keeler> in any case, I think we could make the string different depending on if it's the internal token or not
21:14 <MattN> yeah, putting it in the window title would also help (on some OSs)
21:14 <keeler> (because we also use this for pkcs#11 tokens)
21:14 <MattN> yeah, that part I know
21:14 <keeler> ok
21:14 <MattN> but where we get the string from is the problem
21:14 <keeler> we can't put it in pippki.properties?
21:15 <keeler> and actually, I misunderstood your earlier comment about the external string file - I don't know if that's a bug or not
21:16 <MattN> well I guess we can if we don't need the brand
21:16 <MattN> since pippki.properties already talks about "Master Password"
21:16 * MattN didn't realize that
21:16 <keeler> having two different "CertPassPrompt" keys (one in pipnss.properties and one in pippki.properties) is a bug
21:16 <MattN> oh, yeah, that I figured but didn't know if it was for backwards compat
21:17 <keeler> I don't think we need the pippki one
21:17 <wxl> freddyb: i'm not necessarily seeing a place on mozilla.dev.security.policy announcing a clear set of actions to be taken within the firefox browser. do you have a direct link?
21:17 <MattN> keeler: ok, so can /security/manager use brand.properties if we want the brand?
21:18 <MattN> perhaps falling back to a different string if brand.properties doesn't exist
21:18 <MattN> I think I should just ignore the brand issue for this bug to make an incremental improvement though
21:18 <MattN> I'm just curious for the future
21:19 <keeler> I'm pretty sure we can use brand.bundle
21:19 <keeler> works on thunderbird, at least :D
21:19 <MattN> yeah
21:19 <MattN> cool
21:20 <MattN> while you're here is PK11_IsInternalKeySlot the right method to know if the slot is for the MP and not some other device?
21:20 <MattN> (other guess was PK11_IsInternal but I'm just guessing)
21:21 * MattN doesn't understand the difference yet
21:21 <keeler> I think they're very similar
21:21 <keeler> and I think that'll do the right thing
21:21 <MattN> yeah, they both check slot->isInternal
21:22 <MattN> but PK11_IsInternalKeySlot does an additional check that I don't know enough about
21:23 <keeler> it's checking if the given slot is the same pointer as what's returned by the "get me the internal key slot" function
21:23 <keeler> which should be true if you have the internal key slot
21:23 <keeler> so it seems redundant to me
21:23 <MattN> oh, ok
21:24 <MattN> thanks
21:24 <keeler> sure thing!
13 Sep 2017
No messages
   