> Slides for the talk can be found here -
> https://people.mozilla.com/~tvyas/SecEngBrownBag.pdf

A few thoughts.

I presume HSTS will have an about:config disable option, as otherwise it will really annoy users and may threaten HSTS's existence for the many with dead laptop and dead BIOS batteries, such as a mate of mine. Perhaps requiring the master password to be set to disable HSTS in order to prevent violating the RFC.

Ideally, running Firefox in a chroot with the suid sandbox turned off should be supported for those who want to raise the security bar (general requirements of all users vs internal fine-grained sandboxing debate), or in other words the sandbox should only be a security feature and running without it should not be worse than current Firefox.

Unnecessary RPC should be avoided wherever possible to aid secure chroots and/or complete sandboxing.

--
_______________________________________________________________________

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)
_______________________________________________________________________

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
