SecurityEngineering: Difference between revisions

(Added "what we work on" section.)
(→‎Experimental Things: containers are no longer experimental)
 
(22 intermediate revisions by 6 users not shown)


==Who is involved==
Security Engineering is led by [https://mozillians.org/en-US/u/rbarnes/ Richard Barnes] and [https://mozillians.org/en-US/u/sworkman/ Steve Workman]. Work is divided between two main teams:
Security Engineering is led by Wennie Leung. Work is divided between these main teams:
* Content Security Team: website & browser security features, DOM security (CSP, SRI, Cookies, origin etc), Content Blocking (safe browsing, download protection)
* Privacy and Security Engineering: website & browser security features ([[Security/Contextual_Identity_Project/Containers|Containers]], [[CloudServices/Password_Manager|Password Manager]], etc.), DOM security ([[Security/CSP|CSP]], [[Security/Subresource_Integrity|SRI]], Cookies, [[Security/Features/Mixed_Content_Blocker|Mixed Content Blocking]], origin, etc), Content Blocking ([[Security/Safe Browsing|Safe Browsing]], [[Security/Application_Reputation|Download Protection]] and [[Security/Tracking_protection|Tracking Protection]]), [[Security/Features/Revamp_Security_Hooks|revamp of security hooks]], [[Security/Tor_Uplift/Tracking|Tor Uplift]] and [[Security/Sandbox/Hardening|Sandbox Hardening]].
* Communications security: TLS stack, communications security, Crypto APIs, [[PSM:Topics|PSM]]
* [[Security/CryptoEngineering|Communications security]] (Lead: [https://mozillians.org/en-US/u/jcjones/ JC Jones]): TLS stack, communications security, WebCrypto, [[PSM:Topics|PSM]], [[NSS]], [[SecurityEngineering/TLS_Error_Reports|Error Reporting]] and OneCRL
* Defensive Security Engineering (Lead: Tom Ritter): implementing changes to Firefox that improve our security posture.
* [[CA:Overview|Mozilla's CA Certificate Program]] (Program Manager: [https://mozillians.org/en-US/u/kwilson/ Kathleen Wilson])
 
To connect with us directly, you can find our contact details on [https://mozillians.org/en-US/group/securityengineeringstaff/ Mozillians].


==How We Work==


Delivering on this promise requires many layers of assurance:
That the browser itself is safe to run -- that no malicious code has been introduced, and that we find and fix vulnerabilities before they can be exploited.   
* That the browser itself is safe to run -- that no malicious code has been introduced, and that we find and fix vulnerabilities before they can be exploited.   
That the browser is protecting web content as it’s delivered over the network.
* That the browser is protecting web content as it’s delivered over the network.
That that web content is forced to play by our rules, including assuring that privacy-sensitive actions that web pages take are gated on a user’s permission.
* That that web content is forced to play by our rules, including assuring that privacy-sensitive actions that web pages take are gated on a user’s permission.
That we’re providing a user experience that helps people understand the risks and how they can stay safe.
* That we’re providing a user experience that helps people understand the risks and how they can stay safe.
 
For more details see our [[Security/Roadmap|security roadmap]].
 


==Major Efforts==
For details of our projects in these four areas, see the [[Security/Roadmap|security roadmap]].
 
{|class="wikitable"
|-
| Add-on signing
| Daniel Veditz
|-
| [[Security/Application_Reputation|Application Reputation]]
| [[User:Fmarier|Francois Marier]]
|-
| [[CA:Overview|CA Program]]
| Kathleen Wilson
|-
| [[Security/Contextual_Identity_Project/Containers|Containers]]
| Tanvi Vyas
|-
| [[Security/CSP|Content Security Policy]]
| Christoph Kerschbaumer
|-
| [[Security/TLS_Error_Reporting|Error Reporting]]
| Mark Goodwin
|-
| Meta Referrer
|
|-
| [[Security/Features/Mixed_Content_Blocker|Mixed Content Blocking]]
| Tanvi Vyas
|-
| [[Security/OneCRL|OneCRL]]
| Mark Goodwin
|-
| [[CloudServices/Password_Manager|Password Manager]]
| Tanvi Vyas
|-
| [[Security/Features/Revamp_Security_Hooks|Revamp of Security Hooks]]
| Christoph Kerschbaumer
|-
| [[Security/Safe Browsing|Safe Browsing]]
| [[User:Fmarier|Francois Marier]]
|-
| [[Security/Subresource_Integrity|Sub-resource Integrity]]
| [[User:Fmarier|Francois Marier]]
|-
| [[Security/Tor_Uplift/Tracking|Tor bugs]]
| Dave Huseby
|-
| [[Security/Tracking_protection|Tracking Protection]]
| [[User:Fmarier|Francois Marier]]
|}


==How to participate==


'''Follow our work:''' To see our current progress against features please see the [https://blog.mozilla.org/security/ Mozilla Security Blog].
'''Do some reviews:'''
* [https://bugzilla.mozilla.org/buglist.cgi?cmdtype=dorem&remaction=run&namedcmd=seceng%20waiting%20for%20reviews&sharer_id=339203&list_id=7536157 Add "seceng waiting for reviews" to your Bugzilla preferences]
* See our [[SecurityEngineering/CodeReviewGuidelines]]


'''Contribute:''' Wanna pitch in, maybe do a project?  Check out the [https://bugzil.la/sw:%5Bgood%20first%20bug%5D%20security good first bugs list] and if one interests you, contact us!
We have a few feature proposals for things we might want to add to Firefox but that aren't currently scheduled:


* [[Security/Contextual_Identity_Project|Contextual Identity]]
* [[Security/Foreign_Certificate_Warning|Foreign Certificate Warning]]
* [[CloudServices/Password_Manager/Master_Password|Master Password]] in the Password Manager
* [[Security/Contextual_Identity_Project/Private_Session|private sessions]] and [[Security/Contextual_Identity_Project/User_Profiles|user profiles]]
* [[Security/Automatic_Private_Browsing_Upgrades|Automatic Private Browsing Upgrades]]
From time to time we make add-ons to try out experimental features.  Here are a few; let us know what you think!
* [https://addons.mozilla.org/en-us/firefox/addon/force-tls/ Force-TLS] ([https://code.google.com/p/force-tls/ get the code])
* [https://addons.mozilla.org/en-US/firefox/addon/newusercspdesign/ User CSP]


==Security Bugs==
If you've found a security bug please see http://www.mozilla.org/security/#For_Developers