mozilla :: #security

9 Aug 2017
03:27 <aja> curious...is there telemetry to gather sites failing since 3DES disabled on nightlies?
03:28 * aja is unaware of any other than thinkbank and mibbit
03:31 <aja> i'm aware of the tlscanary runs...seems like quite a few there. perhaps could help target outreach.
08:49 <mkwst> freddyb: Did y'all end up discussing SRI stuff in your Monday meeting? (https://bugs.chromium.org/p/chromium/issues/detail?id=618924 and signature-based mechanisms)?
09:02 <freddyb> no, I couldn't make the meeting this week
09:03 <freddyb> I'll start a discussion via email
09:13 <mkwst> Thanks!
09:14 <freddyb> mkwst: I can't promise there will be a meaningful outcome until Friday, which is when I leave for a 3-week-long vacation, but I'll try nudging some more, if the thread derails
09:14 <mkwst> *shrug* Whatever. We're probably sending an intent to implement for the signature-based stuff today, but there's plenty of time for feedback there.
09:15 <mkwst> The `require-sri-for` bits are implemented and tested, it's just a question of dropping the flag. No real rush.
09:15 <mkwst> (Which is not to say that it wouldn't be great to have feedback sooner rather than later. ;) )
09:26 <freddyb> mkwst: there's no real spec for the signature work yet, is there?
09:28 <mkwst> freddyb: There's an explainer at https://github.com/w3c/webappsec-subresource-integrity/blob/master/signature-based-restrictions-explainer.markdown with a sketch. We'll put together a real spec as part of the implementation. Would love to collaborate with y'all if you're interested!
09:29 <freddyb> ok, I'll try to facilitate
09:36 <aja> mkwst: SRI spec'ed for service workers / PWAs now?
09:38 <freddyb> I don't understand your question, aja
09:39 <aja> i seem to remember having to yank csp require-sri when i was testing out implementing a PWA
09:39 <mkwst> aja: Not for service workers. I'd suggest asking the SRI editors about that. *cough*
09:40 <mkwst> Though, if you include them via `<link>`, I imagine the `integrity` attribute should be applied.
09:40 <freddyb> aja: but require-sri-for isn't even enabled by default in any kind of browser? :)
09:40 <mkwst> Not sure if we have tests for that.
09:40 <aja> ff just ignored since it was entirely unimplemented. but chrome was choking on it
09:41 <freddyb> aja: it's not unimplemented, it's behind the csp experimental flag
09:41 <freddyb> I implemented it :)
09:41 <aja> freddyb: ah....wasn't aware
09:42 <freddyb> either way the problem is with spec interoperability
09:43 <freddyb> there's almost no way to supply integrity metadata for things that are not loaded through markup
09:43 <freddyb> there could be though, it's just that nobody bothered implementing or speccing these things
09:44 <freddyb> but yeah. best to ask the SRI editors about that... *cough* :)
09:47 <aja> will have to test again....it's been a few months since i tried it
09:47 <aja> ...and i know there's been fetch updates since then
09:48 <freddyb> I've mused about implementing SRI in Service Workers, if that's your thing.. https://frederik-braun.com/sw-sri-challenge.html
09:52 <aja> "It's interesting to use fresh technologies like ServiceWorkers, Subresource Integrity and Content Security Policy (heh) in combination and see what happens." Indeed :)
13:27 <nifu-M> Hello
13:55 <gcp> freddyb: we meeting in 5mins?
13:55 <freddyb> gcp: oh yes!
13:56 <freddyb> I already found a meeting room
14:10 <Caspy7> "Password guru who told the world to make them complicated admits: I got it completely wrong" http://www.telegraph.co.uk/technology/2017/08/08/man-wrote-password-bible-admits-advice-completely-wrong/
14:16 <freddyb> I hope nobody ever calls me guru of anything
14:19 <mgoodwin_OoO> it's a mean thing to do to someone, freddyb. Feels like setting them up for failure?
14:19 <freddyb> mgoodwin_OoO: oh, hi! off work or just not in your shed? :)
14:20 <mgoodwin_OoO> both.
14:20 <freddyb> so, no update on the chicken problem? :-)
14:21 <mgoodwin_OoO> freddyb: I bought 150m of chicken wire
14:21 <freddyb> that'd be enough for an office door, I hope :-)
14:21 <mgoodwin_OoO> seemed more feasible than ulfr's scorpions
14:22 <freddyb> I have a hunch you're right
14:22 <mgoodwin_OoO> sorry, that was jc's idea, not ulfr
14:22 <mgoodwin_OoO> still
14:26 <Caspy7> In his "Security Now" video podcast Steve Gibson gives Firefox Send his full endorsement with a nice description and breakdown of how it works https://youtu.be/cWZqpCe-cvA?t=4706
14:26 <Caspy7> wasn't familiar with the show myself, but recognized Leo Laporte
14:27 <Caspy7> who seems to be an MC of sorts
14:30 <freddyb> cool
14:46 <tjr> Do we have a bug about ultrasound / ultrasonic tracking? I couldn't find one...
14:47 <freddyb> none that _I_ know of
17:04 <abillings> mccr8: coming?
17:04 <mccr8> arr sorry, I lost track of time
21:23 <Caspy7> tjr: like when a page is listening?
21:24 <tjr> Caspy7: Kinda. After talking with a friend it turns out the real threat vector is a web page emitting the ultrasonic sound and a phone, which has a tracking app that already has mic access, is listening
21:24 <Caspy7> ok, that makes more sense
21:24 <tjr> Imagine the Facebook app, which has mic access already to do voice whatever, listens for ultrasonic stuff being played from an ad network
21:25 <Caspy7> because when a page is listening, Firefox is overtly annoying about letting you know :)
21:25 <Caspy7> sure
21:27 <Caspy7> tjr: I had an idea and planted it with a casual developer. He said he'd make it but hasn't yet. Basically a Media Muter extension. A button in the toolbar that changes when a tab is playing audio, click it and see a list of tabs playing audio. Ability to mute or switch to. Also option to mute all (and perhaps "mute all but selected")
10 Aug 2017
No messages