Security/CryptoEngineering: Difference between revisions
(→Web Authentication: Schedule update) |
(→Web Authentication: Add a bug list) |
||
Line 79: | Line 79: | ||
It does not work on Facebook; there are issues beyond browser detection that haven't been analyzed yet. | It does not work on Facebook; there are issues beyond browser detection that haven't been analyzed yet. | ||
=== Tracked Bugs === | |||
<bugzilla> | |||
{ | |||
"component":"DOM: Device Interfaces", | |||
"whiteboard":"webauthn", | |||
"include_fields": "id, summary, status, assigned_to, whiteboard, last_change_time" | |||
} | |||
</bugzilla> | |||
== DOM Security == | == DOM Security == |
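Review bot: The query in the new Tracked Bugs block has no status restriction and matches only bugs that carry both the "DOM: Device Interfaces" component and the "webauthn" whiteboard tag. Resolved bugs will therefore stay in the list, while a WebAuthn bug filed under another component, or one missing the tag, is left out without any indication. Consider adding a sentence above the `<bugzilla>` block that states the tagging convention, and restricting the query to open statuses if the section is meant to show outstanding work.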
Revision as of 20:38, 30 August 2017
Last Updated: 3 Jan 2017
Crypto Engineering Projects
Our team's major projects are broken down by module:
NSS
NSS is the cryptography and transport security library that powers Firefox.
- 2017 Q2: [MWOS] Add new NSS demonstration code to show how to use NSS in a modern way.
- 2017 Q2: [MWOS] Implement Argon2 to provide a basis to modernize the Master Password in Firefox.
- 2017 Q2: Implement hardware crypto accelerations on OSX and ARM
- 2017 Q3: Integrate BoGo's integration tests into NSS builds.
  - The automated tests for NSS are mostly unit tests. Integration testing was historically assumed to happen at Firefox, but that's limited. BoGo is a rich set of integration tests that can diagnose protocol issues during automated testing.
- 2017 Q4: Post-Quantum Research and Development.
  - Mozilla is intending to join the efforts in developing cryptography that will remain secure once quantum computers come online. This is expected to be a long-duration R&D effort.
PSM
PSM performs the business logic of deciding whether a given secure network connection is actually trustworthy. It applies logic from the user's choices, the Mozilla Root Program, and the platform in order to make a trust determination. E.g., whether to show a connection as secure.
- 2016 Q4 / 2017 Q1: Re-architect PSM/NSS interaction to eliminate shutdown crashes.
  - The interaction between PSM and NSS is extremely old, and doesn't follow the modern methods Gecko uses to initialize and shutdown modules. As such, NSS sometimes crashes when shutting down; this is a leading crash on Android. Fixing this is a substantial architectural change.
  - Details here: Platform Use of NSS
- 2017 Q2: Speed up TLS handshakes
- 2017 Q2: Continue work on our Certificate Transparency implementation and test infrastructure
- 2017 Q3: Move error-string formatting for our error pages into the front-end JavaScript
- 2017 Q3: Retool the "See more" sections of error pages using JavaScript to provide more help
Web Authentication
Password authentication is known to be a security liability on the Web. The W3C Web Authentication Working Group is developing a specification for using Scoped Credentials to supplement or replace passwords. Mozilla intends to implement the Web Authentication (WebAuthn) specification.
- 2016 Q2: FIDO U2F v1.1 JS API landed, hidden behind preferences.
  - You can test a "Soft Token" in any recent version of Firefox by following the instructions at https://u2f.bin.coffee/
- 2017 Jan: Draft WebAuthn JS API available, hidden behind a pref, using the Soft Token from U2F.
- 2017 Q2: Support USB HID U2F devices on Linux, Mac OS X, and Windows (Rust u2f-hid-rs library).
- 2017 Q2-3: Integrate USB HID U2F hardware support into Firefox.
  - Bug 1380270: Add libudev support to the tree
  - Bug 1388843: Add u2f-hid-rs rust library to the tree
  - Bug 1388851: Tie u2f-hid-rs rust library into WebAuthn's U2F HID Manager
  - Currently expected to land in Firefox 58.
- 2017 Q2-3: Update to Working Draft 5 of the WebAuthn JS API.
  - Done in Firefox 56
- 2017 Q3: Integrate hardware support with the FIDO U2F v1.1 JS API
  - Bug 1245527: Tie U2F JS API into WebAuthn's U2F HID Manager
  - This is probably going to make it into Firefox 57, but won't enable hardware support until Bug 1388851 also lands.
- 2017 September: Interoperability testing for WebAuthn.
- 2017 (late): Update to the Candidate Recommendation of the WebAuthn JS API.
- 2017 (late) / 2018: Support USB HID CTAP devices on desktop platforms. (Exact version TBD)
- 2018: Support U2F hardware for Firefox for Android.
All of the above dates are for landing in Firefox Nightly.
Goal: permit use of U2F tokens via a user-controllable preference (not on by default) in Firefox 56 or 57, and Web Authentication (on by default) in Firefox 57 or 58. (See RapidRelease/Calendar)
Unstable Build: 30 August 2017
This build contains all of the above patches for Bug 1380270, Bug 1388843, Bug 1388851, and Bug 1245527. It also includes some small fixups that will eventually land in one bug or another.
- OSX: https://queue.taskcluster.net/v1/task/IMBLy88oQf29Aa2xI5kucQ/runs/0/artifacts/public/build/target.dmg
- Windows 64: https://queue.taskcluster.net/v1/task/O8mFlCIISO-A8ej1uo8TQg/runs/0/artifacts/public/build/target.zip
- Linux: Unavailable at TaskCluster for now, due to libudev not being available to the rust compiler
Enabling debugging (example for OSX):
MOZ_LOG="webauthnmanager:5, webauth_u2f:5, webauth_u2f:5, u2fkeymanager:5, u2fhidtoken:5, u2fmanager:5" ~/Desktop/NightlyDebug.app/Contents/MacOS/firefox
This build supports WebAuthn WD-05 and U2F v1.1 using hardware tokens. It has been tested at:
- https://u2fdemo.appspot.com/
- https://github.com/
- https://u2f.bin.coffee/
- https://demo.yubico.com/u2f
- https://webauthn.bin.coffee/wd-05/
It does not work on Facebook; there are issues beyond browser detection that haven't been analyzed yet.
Tracked Bugs
ID | Summary | Status | Assigned to | Whiteboard | Last change time |
---|---|---|---|---|---|
1245527 | Integrate the FIDO U2F JS API with the u2f-hid-rs library | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn] | 2018-02-19T07:36:21Z |
1265472 | Add telemetry to WebAuthn / U2F | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn] | 2019-06-12T17:11:49Z |
1298838 | Implement (initial) USB HID support for U2F Security Keys | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn] | 2018-02-19T07:36:53Z |
1323339 | Implement IPC and Parent Process portions of WebAuthn API | RESOLVED | Kyle Machulis [:qdot] [:kmachulis] (INACTIVE) | [webauthn] | 2017-05-25T02:50:08Z |
1332681 | Update WebAuthn JS API to the WD-05 working draft | RESOLVED | Dana Keeler (she/her) [:keeler] (out until 16 June) | [webauthn] | 2019-03-16T08:35:32Z |
1335899 | U2F should tolerate token failures like WebAuthn does | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn] | 2017-02-02T23:59:50Z |
1341110 | U2F Soft Token crashes if you cancel the Master Password dialog | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn] | 2017-11-16T14:42:04Z |
1347374 | Re-enable dom/u2f/tests/test_multiple_keys.html | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn] | 2017-09-19T16:01:13Z |
1354330 | Implement IPC and remove sync Messages for DOM U2F API | RESOLVED | Kyle Machulis [:qdot] [:kmachulis] (INACTIVE) | [webauthn] | 2017-08-17T22:17:46Z |
1375450 | Remove unused U2FTokenManager::PrefPromise | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn] | 2017-06-23T09:34:31Z |
1375512 | Don't require a U2F*TokenManager to expose IsRegistered() | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn] | 2017-06-23T09:34:40Z |
1375744 | Add U2FTokenTransport::Cancel() to abort requests on HW devices | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn] | 2017-09-17T11:48:07Z |
1375828 | U2FTokenTransport::Register() and ::Sign() should return promises | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn] | 2017-07-06T23:12:30Z |
1375847 | Add skeleton U2FHIDTokenManager | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn] | 2017-07-06T23:12:33Z |
1378762 | Remove 'aSignature' argument from U2FTokenTransport::Register() | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn] | 2017-07-07T23:04:37Z |
1379580 | U2FTokenTransport promises should resolve to U2F data buffers | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn] | 2017-07-12T09:18:59Z |
1380270 | Add dlopen() version of libudev-sys | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn] | 2018-04-27T15:57:01Z |
1380421 | Regression: Tolerate origin RP IDs in WebAuthn | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn] [webauthn-interop] | 2017-07-15T14:40:12Z |
1380529 | WebAuthn: Use WD-05 U2F Attestation Format | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn] [webauthn-interop] | 2019-02-16T15:35:34Z |
1380954 | Forward WebAuthnTransactionInfo::TimeoutMS() to U2F*TokenManagers | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn] | 2017-07-15T00:16:55Z |
1381126 | WebAuthn: Strictly require domain strings as RP IDs | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn] [webauthn-interop] | 2017-09-12T09:40:43Z |
1381190 | Web Authentication - Change to COSE Algorithm Identifier types | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn][webauthn-wd07] | 2017-10-18T09:53:22Z |
1381575 | WebAuthn: Encode valid AAGUIDs where possible | RESOLVED | | [webauthn] | 2017-08-17T22:05:14Z |
1382888 | WebAuthn objects should use [SameObject] | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn] [webauthn-interop] | 2017-07-26T15:57:07Z |
1382893 | WebAuthn RP-IDs should enforce HTTPS and be permissive for alternative TCP ports | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn][webauthn-wd07] | 2018-01-08T23:20:32Z |
1383799 | WebAuthn operations in-flight must be cancelled on tab-switch | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn] [webauthn-interop] | 2017-09-01T17:41:39Z |
1384307 | WebAuthn PublicKeyCredential object's "id" and "type" fields must be set | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn] [webauthn-interop] | 2017-07-26T09:15:47Z |
1384623 | WebAuthn objects marked [SameObject] must cache those objects | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn] | 2017-09-06T09:36:16Z |
1385008 | WebAuthn: CollectedClientData.Origin must be the RP ID | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn] [webauthn-interop] | 2017-07-28T13:33:40Z |
1385274 | WebAuthnManager asserts when trying to resolve mPBackgroundCreationPromise twice | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn] | 2017-07-29T00:43:23Z |
1385313 | Use MozPromiseRequestHolders in U2FTokenManager | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn] | 2017-07-29T00:43:26Z |
1387820 | WebAuthn assertion signatureData should contain only the signature | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn] [webauthn-interop] | 2017-08-18T07:40:14Z |
1388843 | Add u2f-hid-rs library | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn] | 2018-04-27T15:57:26Z |
1388851 | Implement U2FHIDTokenManager | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn] | 2018-04-27T15:57:44Z |
1388853 | Fix timeouts in WebAuthnManager::MakeCredential() | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn] | 2018-02-19T07:36:59Z |
1388854 | Add tests for tab switch cancellation behavior in Web Authentication | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn] [webauthn-test] | 2017-11-17T22:22:06Z |
1392366 | WebAuthn: Use WD-05 Hash Algorithm Names | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn] [webauthn-interop] | 2017-08-23T14:40:19Z |
1395406 | Crash when using two USB tokens on U2F test site | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn] [u2f] | 2017-09-22T05:51:52Z |
1396907 | Abstract a BaseAuthManager for dom/u2f and dom/webauthn | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn] [webauthn-cleanup] | 2017-12-06T22:04:03Z |
1399334 | Intermittent dom/u2f/tests/test_register_sign.html \| /tests/dom/u2f/tests/frame_register_sign.html: Register attestation signature verified | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn] [webauthn-test][stockwell unknown] | 2018-01-08T17:07:44Z |
1399959 | Set preference to prefer hardware U2F tokens (but not shipping any U2F/WebAuthn APIs) | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn] [u2f] | 2017-09-19T10:46:34Z |
1400019 | WebAuthn: Assertion failure: aAlgorithm.IsString() | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn] [webauthn-test] | 2017-09-19T10:46:42Z |
1400066 | dom/webauthn/u2f-hid-rs/src/manager.rs:10:5: unresolved import `platform::PlatformManager` | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn] | 2017-09-15T18:24:50Z |
1400080 | Fix browser_webauthn_telemetry.js when u2f-hardware is in-tree | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn] [webauthn-test] | 2017-09-15T18:24:54Z |
1400522 | Testing U2F WebAPI - Fx Nightly build 20170915220136 on Arch | RESOLVED | | [webauthn] [webauthn-test] [u2f] | 2017-09-27T17:14:00Z |
1400662 | Prefer the USB token if the softtoken is enabled as well | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn] | 2018-01-08T17:04:57Z |
1400668 | Process key handle exclusion list when registering a token | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn] | 2017-09-25T15:02:40Z |
1400940 | Deadlock after tab switch during verification process | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn] [webauthn-test] | 2018-01-08T17:07:14Z |
1405431 | Intermittent dom/webauthn/tests/test_webauthn_loopback.html \| Signing signature invalid: Invalid signature length: 69 | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn][webauthn-test] | 2017-10-09T01:52:03Z |
1406456 | Update WebAuthn WebIDL to the WD-07 draft | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn][webauthn-wd07] | 2017-10-12T10:45:57Z |
1406458 | WebAuthn: Add extension types | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn][webauthn-wd07] | 2018-02-07T22:10:27Z |
1406459 | Web Authentication - Add token binding types | RESOLVED | | [webauthn][webauthn-wd07] | 2017-11-08T21:04:37Z |
1406462 | Web Authentication - Add authenticator selection criteria and attachment types | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn][webauthn-wd07] | 2017-11-29T22:49:59Z |
1406466 | Web Authentication - WD-07 Updates to Create Credential | RESOLVED | | [webauthn][webauthn-wd07] | 2017-11-20T10:37:32Z |
1406467 | Web Authentication - WD-07 Updates to Make Assertion | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn][webauthn-wd07] | 2018-01-25T16:04:24Z |
1406468 | Web Authentication - Implement isUserVerifyingPlatformAuthenticatorAvailable() method | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn][webauthn-wd07] | 2019-03-20T20:41:26Z |
1406469 | Web Authentication - Update Authenticator Data generation for User Verified bit | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn][webauthn-wd07] | 2017-10-12T10:46:00Z |
1406471 | Web Authentication - Implement FIDO AppID Extension | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn][webauthn-wd07] | 2018-04-27T16:07:24Z |
1407093 | Web Authentication - Correctly plumb User Handle | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn][webauthn-wd07] | 2017-12-13T22:04:19Z |
1407789 | Web Authentication - Prohibit cross-site iframes | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn][webauthn-wd07] | 2018-01-16T20:44:09Z |
1407829 | Web Authentication - Implement CredMan's Store method | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn][webauthn-wd07] | 2017-10-17T22:15:30Z |
1409202 | Web Authentication - Restrict to active documents | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn][webauthn-wd07] | 2018-04-04T13:29:32Z |
1409220 | Move mPubKeyCredParams processing to U2FTokenManager | RESOLVED | | [webauthn] [webauthn-cleanup] | 2019-01-24T23:01:24Z |
1413598 | Pull in latest changes from u2f-hid-rs git repository | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn] | 2017-11-02T22:24:45Z |
1415675 | Web Authentication - Support AbortSignal types | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn][webauthn-wd07] | 2017-11-22T06:28:24Z |
1416056 | Web Authentication - Default to "None Attestation" | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn] | 2018-02-12T16:05:55Z |
1417679 | Web Authentication - User experience during authentication flow | RESOLVED | | [webauthn][webauthn-ux][seceng-ux-needed] | 2018-03-02T10:22:08Z |
1418018 | Crash in u2fhid::platform::{{impl}}::cancel dom/webauthn/u2f-hid-rs/src/macos/transaction.rs:78 | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn][u2f] | 2017-11-28T02:08:11Z |
1418234 | Pull in latest changes from u2f-hid-rs git repository | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn] | 2017-11-17T22:13:34Z |
1418242 | [u2f-hid-rs] Let stubs fail, instead of running until cancellation | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn] | 2017-11-17T22:13:43Z |
1419070 | [u2f-hid-rs] Implement per-device threads on Linux, don't use KeyHandleMatcher | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn] | 2017-11-20T22:33:15Z |
1419685 | [u2f-hid-rs] Implement per-device threads on Windows, remove KeyHandleMatcher | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn] | 2017-11-22T21:38:54Z |
1419907 | [u2f-hid-rs] Combine platform managers in a single state machine | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn] | 2017-11-23T09:54:37Z |
1420760 | webauthn: out-of-order keys in CBOR map. | RESOLVED | Adam Langley | [webauthn][webauthn-wd07] | 2018-01-03T21:45:43Z |
1420763 | webauthn: credential public key not a COSE_Key | RESOLVED | Adam Langley | [webauthn][webauthn-wd07] | 2018-01-06T09:59:34Z |
1428916 | Web Authentication - Support Attestation Conveyance | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn][webauthn-wd07] | 2018-02-07T12:45:44Z |
1428918 | Web Authentication - Enable in Nightly | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn][webauthn-wd07] | 2018-05-09T15:15:11Z |
1430150 | Web Authentication - Prompt for permission before permitting "direct" Attestation Conveyance | VERIFIED | Tim Taubert [:ttaubert] (inactive) | [webauthn][webauthn-ux][seceng-ux-needed] | 2018-05-15T05:24:30Z |
1430947 | Navigator.credentials is not [SecureContext] | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn] [webauthn-interop][credman] | 2018-01-21T16:57:06Z |
1432542 | Web Authentication - Enable in Firefox 60 | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn] | 2018-05-08T21:43:26Z |
1433525 | Web Authentication - ClientCollectedData is out of date / missing "type" field | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn] [webauthn-interop] | 2018-01-28T10:42:10Z |
1434277 | Web Authentication, U2F - Document Dependencies for Common Linux Distributions | RESOLVED | | [webauthn] [u2f] | 2018-11-13T20:22:24Z |
1435264 | [WebAuthNFx60]Removing USB token between multiple credential creation will indicate failure | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn][webauthn-test] | 2018-03-20T17:40:34Z |
1435527 | Web Authentication - Run to Timeout from navigator.credentials.get when PublicKeyCredentialRequestOptions.allowCredentials is empty | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn][webauthn-interop] | 2018-02-12T11:33:48Z |
1435979 | [WebAuthNFx60]Successful credential creation when performing touch verification before request | RESOLVED | | [webauthn][webauthn-test] | 2018-03-20T17:46:58Z |
1436078 | Web Authentication - Support already-enrolled U2F devices with Google Accounts | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn] [webauthn-interop][u2f] | 2023-03-15T22:29:18Z |
1436473 | Web Authentication - rename MakePublicKeyCredentialOptions dict to PublicKeyCredentialCreationOptions | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn][webauthn-interop] | 2018-02-20T14:15:33Z |
1440044 | Confirmed bug in Firefox, sends incorrect message type when registering 2nd security key | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn] [webauthn-interop][u2f] | 2018-04-23T10:40:11Z |
1440805 | U2FZero USB authenticator token doesn't work with Firefox | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn][webauthn-hw] | 2018-03-08T22:11:58Z |
1444547 | Abort with InvalidStateError when allowCredentials is empty but the user touches a token anyway | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn] [webauthn-interop] | 2018-04-12T12:03:10Z |
1453959 | Web Authentication - Use term "Security Key" | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn][webauthn-interop] | 2018-05-02T21:11:54Z |
1458755 | Web Authentication - Copy flag bits 0 & 1 for Sign operations | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn][webauthn-interop] | 2018-05-10T14:34:05Z |
1460301 | Calling U2F_PING on Yubikeys in certain configurations may lead them to fail to hotplug | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn] [u2f] | 2024-04-19T10:59:21Z |
1463170 | Web Authentication - Set AuthenticatorAssertionResponse.userHandle to null | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn] [webauthn-interop] | 2018-05-29T22:34:31Z |
1468349 | Web Authentication - Support FreeBSD | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn][webauthn-hw] | 2018-09-04T21:56:55Z |
1483905 | AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:316:32 in isSome | RESOLVED | Dana Keeler (she/her) [:keeler] (out until 16 June) | [webauthn][adv-main63+][adv-esr60.3+] | 2020-02-28T11:02:42Z |
1492973 | Update u2f-hid-rs to 0.2.1 | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn] | 2018-09-26T18:22:32Z |
1508115 | Web Authentication - Support Windows Hello (mandatory in 2019) | RESOLVED | Akshay Kumar | [webauthn] [webauthn-interop] [webauthn-ctap2] | 2019-05-13T16:16:45Z |
1514247 | Update u2f-hid-rs to 0.2.3 | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn] | 2018-12-15T02:58:05Z |
1517611 | Leaks in /webauthn/ WPTs | RESOLVED | Andrew McCreight [:mccr8] | [MemShrink:P1] [webauthn] | 2019-01-20T20:38:43Z |
1520817 | Web Authentication - Fix Windows tests when Hello support is enabled | RESOLVED | | [webauthn][u2f] | 2019-01-22T22:01:27Z |
1522145 | Web Authentication - Support additional Windows Hello Algorithms | RESOLVED | Akshay Kumar | [webauthn] | 2019-01-24T23:01:24Z |
102 Total; 0 Open (0%); 101 Resolved (99.02%); 1 Verified (0.98%);
DOM Security
- 2017 Q2: Enable HSTS Priming in Firefox Beta
- 2017 Q2: Update our Mixed Content Blocking implementation to the W3C Candidate Recommendation
- 2017 Q3: Release paper on HSTS Priming approach