MozillaWiki

SecurityEngineering: Difference between revisions

Page Discussion

SecurityEngineering (view source)

Revision as of 21:54, 21 February 2018

270 bytes added ,  21 February 2018
→‎Experimental Things: containers are no longer experimental
(→‎How We Work: link to Q2 goals)
(→‎Experimental Things: containers are no longer experimental)
 
(43 intermediate revisions by 9 users not shown)
Line 7: Line 7:


==Who is involved==
==Who is involved==
Security Engineering is led by Richard Barnes and Steve Workman, and mainly driven by Mark Goodwin, JC Jones, Kamil Jozwiak, David Keeler, Christoph Kerschbaumer, [[User:Fmarier|Francois Marier]], Bob Owen, Sid Stamm, Daniel Veditz, Tanvi Vyas, Matt Wobensmith and Kathleen Wilson.
Security Engineering is led by Wennie Leung. Work is divided between these main teams:
* Privacy and Security Engineering: website & browser security features ([[Security/Contextual_Identity_Project/Containers|Containers]], [[CloudServices/Password_Manager|Password Manager]], etc.), DOM security ([[Security/CSP|CSP]], [[Security/Subresource_Integrity|SRI]], Cookies, [[Security/Features/Mixed_Content_Blocker|Mixed Content Blocking]], origin, etc), Content Blocking ([[Security/Safe Browsing|Safe Browsing]], [[Security/Application_Reputation|Download Protection]] and [[Security/Tracking_protection|Tracking Protection]]), [[Security/Features/Revamp_Security_Hooks|revamp of security hooks]], [[Security/Tor_Uplift/Tracking|Tor Uplift]] and [[Security/Sandbox/Hardening|Sandbox Hardening]].
* [[Security/CryptoEngineering|Communications security]] (Lead:[https://mozillians.org/en-US/u/jcjones/ JC Jones]): TLS stack, communications security, WebCrypto, [[PSM:Topics|PSM]], [[NSS]], [[SecurityEngineering/TLS_Error_Reports|Error Reporting]] and OneCRL
* Defensive Security Engineering (Lead: Tom Ritter): implementing changes to Firefox that improve our security posture.
* [[CA:Overview|Mozilla's CA Certificate Program]] (Program Manager: [https://mozillians.org/en-US/u/kwilson/ Kathleen Wilson])
 
To connect with us directly, you can our contact details on [https://mozillians.org/en-US/group/securityengineeringstaff/ Mozillians].


==How We Work==
==How We Work==
Line 18: Line 24:
* Evangelize what we do
* Evangelize what we do


For more details, check out our [[SecurityEngineering/Strategy|strategy]] and [[SecurityEngineering/2015/Q2Goals|2015 Q2 Goals]].
For more details, check out our [[SecurityEngineering/Strategy|strategy]].


==Major Efforts==
==What we work on==
The core security guarantee of the web is that it’s safe to browse.  You can run a web browser and connect to any web server on the planet, and whatever that server sends you, it won’t be able to harm you.


{|class="wikitable"
Delivering on this promise requires many layers of assurance:
| [[Security/Tracking_protection|Tracking Protection]]
* That the browser itself is safe to run -- that no malicious code has been introduced, and that we find and fix vulnerabilities before they can be exploited. 
| Lead: [[User:Fmarier|Francois Marier]]
* That the browser is protecting web content as it’s delivered over the network.
|-
* That that web content is forced to play by our rules, including assuring that privacy-sensitive actions that web pages take are gated on a user’s permission.
| [[Phishing_Protection|Safe Browsing]] and [[Security/Features/Application_Reputation|Application Reputation]]
* That we’re providing a user experience that helps people understand the risks and how they can stay safe.
| Lead: [[User:Fmarier|Francois Marier]]
 
|-
For details of our projects in these four areas, see the [[Security/Roadmap|security roadmap]].
| [[Security/Sandbox|Sandboxing]]
| Lead: Bob Owen
|-
| [[Security/Features/Mixed_Content_Blocker|Mixed Content Blocking]]
| Lead: Tanvi Vyas
|-
| [[Security/CSP|Content Security Policy]]
| Leads: Christoph Kerschbaumer and Sid Stamm
|-
| [[Security/Features/Revamp_Security_Hooks|Revamp of Security Hooks]]
| Lead: Christoph Kerschbaumer
|-
| Meta Referrer
| Lead: Sid Stamm
|-
| [[Security/Features/Subresource_Integrity|Sub-resource Integrity]]
| Lead: [[User:Fmarier|Francois Marier]]
|-
| [[CloudServices/Password_Manager|Password Manager]]
| Lead: Tanvi Vyas
|-
| Add-on signing
| Lead: Daniel Veditz
|}


==How to participate==
==How to participate==
'''Discuss:''' We hang out on #security on [http://irc.mozilla.org irc.mozilla.org], and our primary mailing list is mozilla.dev.security.  Milestone reviews and other meetings will be announced on mozilla.dev.security.
'''Discuss:''' We hang out on #security and #contentsecurity on [http://irc.mozilla.org irc.mozilla.org], and our primary mailing list is [https://www.mozilla.org/en-US/about/forums/#dev-security mozilla.dev.security].


'''Follow our work:''' To see our current progress against features please see the [https://blog.mozilla.org/security/ Mozilla Security Blog].
'''Follow our work:''' To see our current progress against features please see the [https://blog.mozilla.org/security/ Mozilla Security Blog].


'''Do some reviews:'''
'''Contribute:''' Wanna pitch in, maybe do a project?  Check out the [https://bugzil.la/sw:%5Bgood%20first%20bug%5D%20security good first bugs list] and if one interests you, contact us!
* [https://bugzilla.mozilla.org/buglist.cgi?cmdtype=dorem&remaction=run&namedcmd=seceng%20waiting%20for%20reviews&sharer_id=339203&list_id=7536157 Add "seceng waiting for reviews" to your Bugzilla preferences]
* See our [[SecurityEngineering/CodeReviewGuidelines]]
 
'''Contribute:''' Wanna pitch in, maybe do a project?  Check out [[SecurityEngineering/Projects]] or the [https://bugzil.la/sw:%5Bgood%20first%20bug%5D%20security good first bugs list] and if one interests you, contact us!


== Experimental Things ==
== Experimental Things ==
Line 69: Line 48:
We have a few feature proposals for things we might want to add to Firefox but that aren't currently scheduled:
We have a few feature proposals for things we might want to add to Firefox but that aren't currently scheduled:


* [[Security/Contextual_Identity_Project|Contextual Identity]]
* [[Security/Foreign_Certificate_Warning|Foreign Certificate Warning]]
* [[Security/Foreign_Certificate_Warning|Foreign Certificate Warning]]
* [[CloudServices/Password_Manager/Master_Password|Master Password]] in the Password Manager
* [[CloudServices/Password_Manager/Master_Password|Master Password]] in the Password Manager
* [[Security/Contextual_Identity_Project/Containers|Containers]], [[Security/Contextual_Identity_Project/Private_Session|private sessions]] and [[Security/Contextual_Identity_Project/User_Profiles|user profiles]]
* [[Security/Automatic_Private_Browsing_Upgrades|Automatic Private Browsing Upgrades]]
 
From time to time we make add-ons to try out experimental features.  Here are a few; let us know what you think!
 
* [https://addons.mozilla.org/en-us/firefox/addon/force-tls/ Force-TLS] ([https://code.google.com/p/force-tls/ get the code])
* [https://addons.mozilla.org/en-US/firefox/addon/newusercspdesign/ User CSP]


==Security Bugs==
==Security Bugs==
If you've found a security bug please see http://www.mozilla.org/security/#For_Developers
If you've found a security bug please see http://www.mozilla.org/security/#For_Developers
Fmarier
Confirmed users
908

edits

Retrieved from "https://wiki.allizom.org/Special:MobileDiff/1066401...1189301"