Hello all,

It seems some of you are making plans for Firefox OS 3.0. An update on the plans and planners working on user security for that new version would be useful to the community.


The Mozilla Manifesto clearly states:

  04 Individuals’ security and privacy on the Internet are fundamental
     and must not be treated as optional.

           https://www.mozilla.org/en-US/about/manifesto/

This would suggest that the Firefox OS project is institutionally obligated to consider user security as a core concern in its plans for Firefox OS 3.0.


Unfortunately, over the past year, the response to the concerns raised by the community on the mailing list and in questions to be addressed in the town hall has been less than satisfactory:
 * the issue of OS security updates was not addressed directly but
   instead deflected with a vague plan to make more apps user
   upgradable (which is a partial, and minor, solution),
 * the follow-up to unanswered questions promised at the end of the
   town hall meeting did not happen, so those questions are still open,
 * there does not appear to be any point of contact for security issues
   or for security vulnerabilities in Firefox OS,
 * the Mozilla security center does not track Firefox OS
   vulnerabilities unlike its other products,
   (https://www.mozilla.org/en-US/security/known-vulnerabilities/),
 * there has been no recent discussion of how to protect Firefox OS
   users from outdated and vulnerable versions of Gecko which are still
   being sold on the market,
 * in one exchange, some group did reveal it was working on developing
   a formal threat model for their work but that model was not then
   revealed publicly.


This raises a number of questions:
 - where is the security work for Firefox OS 3.x being planned?
 - who is doing the planning?
 - how are issues being tracked?
 - what formal threat model is being developed and where does that work
   now stand?
 - who is determining the scope of work and what security issues will
   be ignored for the 3.x OS series?
 - with whom will the ultimate responsibility (i.e. blame) rest for the
   vulnerabilities which emerge in the 3.x lifecycle?
As you can see, there is a lot to think about.


Thanks for any updates and pointers,

 ~Adrian Custer

_______________________________________________
dev-b2g mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-b2g