mozilla :: #security

12 Sep 2017
00:25 <wxl> hey folks. chrome just put out their plan for distrusting symantec certs. is there a similar plan posted somewhere for firefox?
08:09 <freddyb> wxl: yes, I suggest looking at the security policy mailing list
17:50 <evilpie> do we have interest in implementing SameSite cookies? (Bug 795346)
17:50 <firebot> NEW, Add SameSite support for cookies
18:34 <freddyb> evilpie: interest in having it or interest in implementing it? :-)
21:08 <MattN> keeler: Hey David, I'm looking into and the main issue so far is where to put the new string. The obvious way is to have a XUL override for[1] but I'd rather not fork that whole file. [1]
21:08 <firebot> Bug 306730 NEW, Improve the "Please enter the master password for the Software Security Device" string
21:08 <MattN> I only see one reference to an external string file from within /security/manager but I'm thinking it may be a bug:
21:10 <keeler> heh, yeah, I think that's an unused, duplicate entry
21:10 <MattN> Are you fine with a Fx-specific code path around
21:11 <MattN> or do we have to keep /security/manager clean of Fx stuff
21:11 <keeler> do we know what the string is going to be?
21:12 <MattN> I didn't ask UX yet but I imagine it's going to contain either "Master Password" or "{brandShortName} Master Password"
21:12 <MattN> since our prefs call it a Master Password
21:12 <MattN> easiest would be if I could have PSM default to calling the internal token password a "Master Password"
21:13 <MattN> assuming we don't need the product name
21:13 <keeler> having the product name would actually solve the "I have firefox and thunderbird open and I don't know which this came from" issue
21:13 <MattN> then I could just add the new MP string to
21:14 <keeler> in any case, I think we could make the string different depending on if it's the internal token or not
21:14 <MattN> yeah, putting it in the window title would also help (on some OSs)
21:14 <keeler> (because we also use this for pkcs#11 tokens)
21:14 <MattN> yeah, that part I know
21:14 <MattN> but where we get the string from is the problem
21:14 <keeler> we can't put it in
21:15 <keeler> and actually, I misunderstood your earlier comment about the external string file - I don't know if that's a bug or not
21:16 <MattN> well I guess we can if we don't need the brand
21:16 <MattN> since already talks about "Master Password"
21:16 * MattN didn't realize that
21:16 <keeler> having two different "CertPassPrompt" keys (one in and one in is a bug
21:16 <MattN> oh, yeah, that I figured but didn't know if it was for backwards compat
21:17 <keeler> I don't think we need the pippki one
21:17 <wxl> freddyb: i'm not necessarily seeing a place on announcing a clear set of actions to be taken within the firefox browser. do you have a direct link?
21:17 <MattN> keeler: ok, so can /security/manager use if we want the brand?
21:18 <MattN> perhaps falling back to a different string if doesn't exist
21:18 <MattN> I think I should just ignore the brand issue for this bug to make an incremental improvement though
21:18 <MattN> I'm just curious for the future
21:19 <keeler> I'm pretty sure we can use brand.bundle
21:19 <keeler> works on thunderbird, at least :D
21:20 <MattN> while you're here is PK11_IsInternalKeySlot the right method to know if the slot is for the MP and not some other device?
21:20 <MattN> (other guess was PK11_IsInternal but I'm just guessing)
21:21 * MattN doesn't understand the difference yet
21:21 <keeler> I think they're very similar
21:21 <keeler> and I think that'll do the right thing
21:21 <MattN> yeah, they both check slot->isInternal
21:22 <MattN> but PK11_IsInternalKeySlot does an additional check that I don't know enough about
21:23 <keeler> it's checking if the given slot is the same pointer as what's returned by the "get me the internal key slot" function
21:23 <keeler> which should be true if you have the internal key slot
21:23 <keeler> so it seems redundant to me
21:23 <MattN> oh, ok
21:24 <keeler> sure thing!
13 Sep 2017