[Council Meeting] Minutes from 2020-06-08
axel.grude at gmail.com
Tue Jul 7 07:42:18 UTC 2020
Well, that's a big problem for mail. Add-ons too. Wouldn't that require full
code reviews again?
To show a specific and obvious example, I am using key listeners in all
edit boxes in the Zombie keys extension in order to allow dead key
functionality (e.g. to transform u => ü on a US key layout).
On Tue 7 Jul 2020, 00:39 Ben Bucksch, <ben.bucksch at beonex.com> wrote:
> Berna inquired if there are more thoughts on doing a code audit (related
> to crypto).
> An important addition from the security standpoint: If you want to secure
> the crypto users, the scope of an audit must be not only code related to
> crypto, but 100% all of Thunderbird, when it comes to critical security
> holes. Per definition <https://www.mozilla.org/en-US/security/advisories/>,
> any critical hole anywhere in Thunderbird allows an attacker to also read
> the private keys, install a keylogger, and read all stored mail, and not
> only that, but most other documents owned by that user on that computer,
> even outside of mail. So, a security audit only of crypto related code is
> not the right perspective.
> The best start is to look for critical holes first, before looking for
> crypto audits.
> Of course, given that all the crypto code is new, it's a good idea to look
> at that as well.