[Council Meeting] Minutes from 2020-06-08

Axel Grude axel.grude at gmail.com
Tue Jul 7 07:42:18 UTC 2020


Well, that's a big problem for mail. Add-ons too. Wouldn't that require full
code reviews again?

To show a specific and obvious example, I am using key listeners in all
edit boxes in the Zombie Keys extension in order to allow dead key
functionality (e.g. to transform u => ü on a US key layout).

Axel


On Tue 7 Jul 2020, 00:39 Ben Bucksch, <ben.bucksch at beonex.com> wrote:

>
> Berna inquired if there are more thoughts on doing a code audit (related
> to crypto).
>
>
> An important addition from the security standpoint: If you want to secure
> the crypto users, the scope of an audit must be not only code related to
> crypto, but 100% all of Thunderbird, when it comes to critical security
> holes. Per definition <https://www.mozilla.org/en-US/security/advisories/>,
> any critical hole anywhere in Thunderbird allows an attacker to also read
> the private keys, install a keylogger, and read all stored mail, and not
> only that, but most other documents owned by that user on that computer,
> even outside of mail. So, a security audit only of crypto related code is
> not the right perspective.
>
> The best start is to look for critical holes first, before looking for
> crypto audits.
>
> Of course, given that all the crypto code is new, it's a good idea to look
> at that as well.
> _______________________________________________
> tb-planning mailing list
> tb-planning at mozilla.org
> https://mail.mozilla.org/listinfo/tb-planning
>