SecurityEngineering/2014/Q2Goals

From MozillaWiki
Jump to: navigation, search


This is a heavy-Implement quarter (as opposed to the other strategic actions in our SecurityEngineering/Strategy).

(Also linked from Platform/2014-Q2-Goals#Security_.26_Privacy)

Web Platform Security

Outcome
Faster, more correct web platform security feature/tool roll-out (plus, easier maintenance!)
Who
tanvi, ckerschb, grobinson, sstamm, rbarnes
  • [DONE] Consult/Research: plan out replacement for nsIContentPolicy and start executing (the Sicking project) [dri=tanvi, a=ckerschb] Try Run
  • [DONE] Implement: Make new CSP parser on by default in nightly bug 925004 [dri=ckerschb, a=grobinson,sstamm]
  • [DONE] Implement: Land WebCrypto [dri=rbarnes] bug 865789

Secure Client Platform

Outcome
incremental progress towards containing unprivileged code to mimize risk due to vulnerabilities
Who
bobowen, sstamm, tabraldes
  • [MISSED] Get open.h264 plugin sandboxed on windows [dri=sstamm, a=tabraldes] (not done with reviews, close)
  • [DROPPED] Get some tests on TBPL running with sandbox [dri=bobowen, a=sstamm,tabraldes] (Dropped due to complications in getting even e10s in windows running on TBPL, in favor of warn-only mode goal below)
  • [MISSED] Create warn-only mode for sandbox in windows builds so developers can see what *will* break before it does [dri=bobowen, a=sstamm] (needs review and landing, close)

Secure Communications:

Outcome
More correct cert validation and way to detect MITM of at least one site (via pinning)
Who
keeler, cviecco, mmc, kathleen
  • [DONE] Land key pinning [dri=cviecco, a=keeler,mmc]
  • [DONE] mozilla::pkix on by default, (riding the train to) / (targeting a) release [dri=keeler, a=cviecco]
  • [DEFER] BONUS (not required): Deploy UI for cert error reporting [dri=grobinson] bug 846489

Tracking Protection / Privacy

Outcome
prepare Lightbeam for user study on tracking protection
Who
mmc, grobinson