SecurityEngineering/2014/Q4Goals

From MozillaWiki
Jump to: navigation, search


This is a heavy-Implement quarter (as opposed to the other strategic actions in our SecurityEngineering/Strategy).

Content Security

Outcome
More robust security hooks for better correctness in content security features like CSP, adblock, etc.
Who
Tanvi, Christoph, Sid, Francois, Steve
  • [AT RISK] Add LoadInfo to Gecko-owned JS callers (dri=ckerschb,tanvi)
  • [DONE] Use LoadInfo to implement MCB for HTTP redirects (dri=tanvi)
  • [DONE] Implement Next Block of CSP Level 2.0 features (dri=sstamm,ckerschb)
    • Work to fix spec to have child-src directive we want
    • Implement form-action directive
    • Implement referrer directive (depends on bug 704320)
    • Fix frame-ancestors mapping
    • Work to fix spec about blob urls
  • [ON TRACK] Initial Implementation of sub-resource integrity (bug 992096) (dri=francois)

Tracking Protection

Outcome
Better user control (and site control) over metadata on the wire and collected by third parties.
Who
Sid
  • [DONE] Finish <meta> referrer (dri=sid)

Addon Security

Outcome
TBD
Who
Dan Veditz

Goals:

  • [ON TRACK] Require signed add-ons (backend) See bug 1047239(dri=dveditz)


Communications Security

Outcome
Fresher/more accurate revocation information and progress towards defeating certificate misissuance and Man-In-The-Middle attacks.
Who
Richard, Kathleen, Keeler, Monica, JC, Mark
  • [ON TRACK] Add more BR checking (some combination of giving errors during path building, wall of shame, console warnings -- tbd) (dri=dkeeler)
  • [DONE] Identify what of Certificate Transparency we must/should deploy (dri=rbarnes)
  • [DONE] Complete phase 1 of migration to CA database (dri=kwilson)
  • [ON TRACK] [stretch] Import mozilla::pkix to a branch of NSS (dri=jcjones)
  • [ON TRACK] [stretch] Add ability to name constrain more root CAs (dri=dkeeler)
  • [DONE] [stretch] Add security warnings about SHA-1 to Web Console (dri=mgoodwin)
  • [ON TRACK] OneCRL client implementation (dri=mgoodwin)

QE (tracking)

We also track security related QE goals. (section owner=mwobensmith)

Official list 
(link TBD)