SecurityEngineering/2014/Q3Goals

From MozillaWiki
Jump to navigation Jump to search


This is a heavy-Implement quarter (as opposed to the other strategic actions in our SecurityEngineering/Strategy).

(Also linked from Platform/2014-Q3-Goals#Security_.26_Privacy_Engineering).

Content Security

Outcome
Progress towards more robust security hooks for better correctness in content security features like CSP, adblock, etc.
Who
Tanvi, Christoph, Garrett, Sid
  • [NEW] Gecko Security Hooks: Finish code and debugging for New Channel API, start getting reviews (dri=tanvi)
  • [NEW] Gecko Security Hooks: Create plan for addon compatibility (dri=tanvi)
  • [NEW] CSP: Remove old JS implementation from mozilla-central (dri=sstamm)
  • [NEW] [stretch goal] CSP: Fix majority of CSP 1.1 compatibility bugs (dri=ckerschb)

Tracking Protection

Outcome
Better user control (and site control) over metadata on the wire and collected by third parties.
Who
Monica, Garrett, Sid, Georgios
  • [NEW] Referer: Finish implementation of <meta> referrer control with volunteer help (dri=sstamm)
  • [NEW] Evangelism: Security Open Mic presentation + blog post about new CSP implementation, maybe again as brown bag. (dri=sstamm)
  • [NEW] Land first implementation of protection in Fx 33/34 off by default. (dri=mmc)

Communications Security

Outcome
Fresher/more accurate revocation information and progress towards defeating certificate misissuance and Man-In-The-Middle attacks.
Who
Richard, Kathleen, Keeler, Camilo, Harsh, Garrett, Monica
  • [CARRY OVER] SSL Error Reporting finish first implementation of ssl error reporting feature. (dri=grobinson)
  • [NEW] HPKP - implement pinning http header (dri=cviecco)
  • [NEW] Update roadmap for Cert Revocation improvements (dri=rbarnes)
  • [NEW] Create a mechanism to provision phones with an alternate cert (dri=mgoodwin)
  • [NEW] Add measurement/enforcement of compliance with CABF Baseline Requirements (dri=keeler)
  • [NEW] Create a tool for testing CA certificate compliance and EV-readiness (dri=keeler)
  • [NEW] Add support for key wrap/unwrap and ECC in WebCrypto (dri=rbarnes)
  • [NEW] [stretch goal] Enable revocation of intermediate CAs through block list service (dri=harsh, keeler)
  • [NEW] [stretch goal] Require 2048-bit keys for built-in root certificates (dri=kathleen)
  • [NEW] [stretch goal] Get CA Program data into one database (dri=kathleen)
Retrieved from "https://dev.wikimo.nonprod.webservices.mozgcp.net/index.php?title=SecurityEngineering/2014/Q3Goals&oldid=995043"