MozillaWiki

SecurityEngineering: Difference between revisions

Page Discussion

SecurityEngineering (view source)

Revision as of 21:54, 21 February 2018

8 bytes removed ,  21 February 2018
→‎Experimental Things: containers are no longer experimental
m (→‎Major Efforts: fix Safe Browsing link)
(→‎Experimental Things: containers are no longer experimental)
 
(27 intermediate revisions by 6 users not shown)
Line 7: Line 7:


==Who is involved==
==Who is involved==
Security Engineering is led by Richard Barnes and Steve Workman, and mainly driven by Mark Goodwin, Dave Huseby, JC Jones, Kamil Jozwiak, David Keeler, Christoph Kerschbaumer, Franziskus Kiefer, [[User:Fmarier|Francois Marier]], Kate McKinley, Tim Taubert, Daniel Veditz, Tanvi Vyas, Kathleen Wilson and Matt Wobensmith.
Security Engineering is led by Wennie Leung. Work is divided between these main teams:
* Privacy and Security Engineering: website & browser security features ([[Security/Contextual_Identity_Project/Containers|Containers]], [[CloudServices/Password_Manager|Password Manager]], etc.), DOM security ([[Security/CSP|CSP]], [[Security/Subresource_Integrity|SRI]], Cookies, [[Security/Features/Mixed_Content_Blocker|Mixed Content Blocking]], origin, etc), Content Blocking ([[Security/Safe Browsing|Safe Browsing]], [[Security/Application_Reputation|Download Protection]] and [[Security/Tracking_protection|Tracking Protection]]), [[Security/Features/Revamp_Security_Hooks|revamp of security hooks]], [[Security/Tor_Uplift/Tracking|Tor Uplift]] and [[Security/Sandbox/Hardening|Sandbox Hardening]].
* [[Security/CryptoEngineering|Communications security]] (Lead:[https://mozillians.org/en-US/u/jcjones/ JC Jones]): TLS stack, communications security, WebCrypto, [[PSM:Topics|PSM]], [[NSS]], [[SecurityEngineering/TLS_Error_Reports|Error Reporting]] and OneCRL
* Defensive Security Engineering (Lead: Tom Ritter): implementing changes to Firefox that improve our security posture.
* [[CA:Overview|Mozilla's CA Certificate Program]] (Program Manager: [https://mozillians.org/en-US/u/kwilson/ Kathleen Wilson])
 
To connect with us directly, you can our contact details on [https://mozillians.org/en-US/group/securityengineeringstaff/ Mozillians].


==How We Work==
==How We Work==
Line 18: Line 24:
* Evangelize what we do
* Evangelize what we do


For more details, check out our [[SecurityEngineering/Strategy|strategy]] and [[SecurityEngineering/2015/Q2Goals|2015 Q2 Goals]].
For more details, check out our [[SecurityEngineering/Strategy|strategy]].


==Major Efforts==
==What we work on==
The core security guarantee of the web is that it’s safe to browse.  You can run a web browser and connect to any web server on the planet, and whatever that server sends you, it won’t be able to harm you.


{|class="wikitable"
Delivering on this promise requires many layers of assurance:
|-
* That the browser itself is safe to run -- that no malicious code has been introduced, and that we find and fix vulnerabilities before they can be exploited. 
| Add-on signing
* That the browser is protecting web content as it’s delivered over the network.
| Daniel Veditz
* That that web content is forced to play by our rules, including assuring that privacy-sensitive actions that web pages take are gated on a user’s permission.
|-
* That we’re providing a user experience that helps people understand the risks and how they can stay safe.
| [[Security/Application_Reputation|Application Reputation]]
 
| [[User:Fmarier|Francois Marier]]
For details of our projects in these four areas, see the [[Security/Roadmap|security roadmap]].
|-
| [[CA:Overview|CA Program]]
| Kathleen Wilson
|-
| [[Security/CSP|Content Security Policy]]
| Christoph Kerschbaumer
|-
| [[Security/TLS_Error_Reporting|Error Reporting]]
| Mark Goodwin
|-
| Meta Referrer
|
|-
| [[Security/Features/Mixed_Content_Blocker|Mixed Content Blocking]]
| Tanvi Vyas
|-
| [[Security/OneCRL|OneCRL]]
| Mark Goodwin
|-
| [[CloudServices/Password_Manager|Password Manager]]
| Tanvi Vyas
|-
| [[Security/Features/Revamp_Security_Hooks|Revamp of Security Hooks]]
| Christoph Kerschbaumer
|-
| [[Security/Safe Browsing|Safe Browsing]]
| [[User:Fmarier|Francois Marier]]
|-
| [[Security/Subresource_Integrity|Sub-resource Integrity]]
| [[User:Fmarier|Francois Marier]]
|-
| [https://docs.google.com/spreadsheets/d/1rF4Gah_OEequYDfPedoQu3oETM5Gj4NagxDuKQG-IOk/edit?pli=1#gid=0 Tor bugs]
| Dave Huseby
|-
| [[Security/Tracking_protection|Tracking Protection]]
| [[User:Fmarier|Francois Marier]]
|}


==How to participate==
==How to participate==
Line 71: Line 41:


'''Follow our work:''' To see our current progress against features please see the [https://blog.mozilla.org/security/ Mozilla Security Blog].
'''Follow our work:''' To see our current progress against features please see the [https://blog.mozilla.org/security/ Mozilla Security Blog].
'''Do some reviews:'''
* [https://bugzilla.mozilla.org/buglist.cgi?cmdtype=dorem&remaction=run&namedcmd=seceng%20waiting%20for%20reviews&sharer_id=339203&list_id=7536157 Add "seceng waiting for reviews" to your Bugzilla preferences]
* See our [[SecurityEngineering/CodeReviewGuidelines]]


'''Contribute:''' Wanna pitch in, maybe do a project?  Check out the [https://bugzil.la/sw:%5Bgood%20first%20bug%5D%20security good first bugs list] and if one interests you, contact us!
'''Contribute:''' Wanna pitch in, maybe do a project?  Check out the [https://bugzil.la/sw:%5Bgood%20first%20bug%5D%20security good first bugs list] and if one interests you, contact us!
Line 82: Line 48:
We have a few feature proposals for things we might want to add to Firefox but that aren't currently scheduled:
We have a few feature proposals for things we might want to add to Firefox but that aren't currently scheduled:


* [[Security/Contextual_Identity_Project|Contextual Identity]]
* [[Security/Foreign_Certificate_Warning|Foreign Certificate Warning]]
* [[Security/Foreign_Certificate_Warning|Foreign Certificate Warning]]
* [[CloudServices/Password_Manager/Master_Password|Master Password]] in the Password Manager
* [[CloudServices/Password_Manager/Master_Password|Master Password]] in the Password Manager
* [[Security/Contextual_Identity_Project/Containers|Containers]], [[Security/Contextual_Identity_Project/Private_Session|private sessions]] and [[Security/Contextual_Identity_Project/User_Profiles|user profiles]]
* [[Security/Automatic_Private_Browsing_Upgrades|Automatic Private Browsing Upgrades]]
* [[Security/Automatic_Private_Browsing_Upgrades|Automatic Private Browsing Upgrades]]
From time to time we make add-ons to try out experimental features.  Here are a few; let us know what you think!
* [https://addons.mozilla.org/en-us/firefox/addon/force-tls/ Force-TLS] ([https://code.google.com/p/force-tls/ get the code])
* [https://addons.mozilla.org/en-US/firefox/addon/newusercspdesign/ User CSP]


==Security Bugs==
==Security Bugs==
If you've found a security bug please see http://www.mozilla.org/security/#For_Developers
If you've found a security bug please see http://www.mozilla.org/security/#For_Developers
Fmarier
Confirmed users
908

edits

Retrieved from "https://wiki.allizom.org/Special:MobileDiff/1112942...1189301"