SecurityEngineering: Difference between revisions

(→ Who is involved: Update CryptoEng)
(→ Experimental Things: containers are no longer experimental)
 
(6 intermediate revisions by 3 users not shown)
Line 7: Line 7:


==Who is involved==
Security Engineering is led by [https://mozillians.org/en-US/u/rbarnes/ Richard Barnes] and [https://mozillians.org/en-US/u/sdeckelmann/ Selena Deckelmann]. Work is divided between these main teams:
Security Engineering is led by Wennie Leung. Work is divided between these main teams:
* Content Security Team (Lead: [https://mozillians.org/en-US/u/pauljt/ Paul Theriault]): website & browser security features, DOM security (CSP, SRI, Cookies, origin etc), Content Blocking (safe browsing, download protection) and sandboxing.
* Privacy and Security Engineering: website & browser security features ([[Security/Contextual_Identity_Project/Containers|Containers]], [[CloudServices/Password_Manager|Password Manager]], etc.), DOM security ([[Security/CSP|CSP]], [[Security/Subresource_Integrity|SRI]], Cookies, [[Security/Features/Mixed_Content_Blocker|Mixed Content Blocking]], origin, etc), Content Blocking ([[Security/Safe Browsing|Safe Browsing]], [[Security/Application_Reputation|Download Protection]] and [[Security/Tracking_protection|Tracking Protection]]), [[Security/Features/Revamp_Security_Hooks|revamp of security hooks]], [[Security/Tor_Uplift/Tracking|Tor Uplift]] and [[Security/Sandbox/Hardening|Sandbox Hardening]].
* [[Security/CryptoEngineering|Communications security]] (Lead:[https://mozillians.org/en-US/u/jcjones/ JC Jones]): TLS stack, communications security, WebCrypto, [[PSM:Topics|PSM]], [[NSS]]
* [[Security/CryptoEngineering|Communications security]] (Lead:[https://mozillians.org/en-US/u/jcjones/ JC Jones]): TLS stack, communications security, WebCrypto, [[PSM:Topics|PSM]], [[NSS]], [[SecurityEngineering/TLS_Error_Reports|Error Reporting]] and OneCRL
* Fuzzing (Lead:[https://mozillians.org/en-US/u/abillings/ Al Billings])
* Defensive Security Engineering (Lead: Tom Ritter): implementing changes to Firefox that improve our security posture.
* [[CA:Overview|Mozilla's CA Certificate Program]] (Program Manager: [https://mozillians.org/en-US/u/kwilson/ Kathleen Wilson])


To connect with us directly, you can our contact details on [https://mozillians.org/en-US/group/securityengineeringstaff/ Mozillians].
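Review bot: the contact sentence at the end of this hunk is missing its verb ("you can our contact details on Mozillians") in both revisions; suggest "you can find our contact details on Mozillians". On the same hunk, "Lead:[https://mozillians.org/en-US/u/jcjones/ JC Jones]" on the Communications security line should have a space after the colon, as the other team entries in the list do.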
Line 35: Line 36:


For details of our projects in these four areas, see the [[Security/Roadmap|security roadmap]].
==Current Efforts==
'''Content Security'''
{|class="wikitable"
! Topic
! Engineering Contact
! QA Contact
|-
| [[Security/Application_Reputation|Application Reputation]]
| [[User:Fmarier|Francois Marier]]
|
|-
|-
| [[Security/Contextual_Identity_Project/Containers|Containers]]
| Tanvi Vyas
| Kamil Jozwiak
|-
| [[Security/CSP|Content Security Policy]]
| Christoph Kerschbaumer
|
|-
| Meta Referrer
|
|
|-
| [[Security/Features/Mixed_Content_Blocker|Mixed Content Blocking]]
| Tanvi Vyas
|
|-
| [[CloudServices/Password_Manager|Password Manager]]
| Tanvi Vyas
| Kamil Jozwiak / SoftVision
|-
| [[Security/Features/Revamp_Security_Hooks|Revamp of Security Hooks]]
| Christoph Kerschbaumer
|
|-
| [[Security/Safe Browsing|Safe Browsing]]
| [[User:Fmarier|Francois Marier]]
|
|-
| [[Security/Subresource_Integrity|Sub-resource Integrity]]
| [[User:Fmarier|Francois Marier]]
|
|-
| [[Security/Tor_Uplift/Tracking|Tor Uplift]]
| Ethan Tseng / Tom Ritter
| Cynthia Tang / Kamil Jozwiak
|-
| [[Security/Tracking_protection|Tracking Protection]]
| [[User:Fmarier|Francois Marier]]
|
|-
| [[Security/Sandbox/Hardening|Sandbox Hardening]]
| [[User:Ptheriault|Paul Theriault]]
|
|}
'''Communications Security'''
{|class="wikitable"
! Topic
! Engineering Contact
! QA Contact
|-
| Add-on signing
| Daniel Veditz
|
|-
| [[CA:Overview|CA Program]]
| Kathleen Wilson
|
|-
| [[Security/TLS_Error_Reporting|Error Reporting]]
| Mark Goodwin
| Matt Wobensmith
|-
| [[Security/OneCRL|OneCRL]]
| Mark Goodwin
| Matt Wobensmith
|}


==How to participate==
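Review bot: dropping the whole Current Efforts section removes the only place this page listed engineering and QA contacts per project (for example Error Reporting and OneCRL: Mark Goodwin / Matt Wobensmith), while the surviving sentence still points readers to the roadmap "in these four areas". Either carry those contacts over to the linked project pages or the Who is involved list, or say where they now live, so the contact information is not lost with this edit.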
Line 123: Line 41:


'''Follow our work:''' To see our current progress against features please see the [https://blog.mozilla.org/security/ Mozilla Security Blog].
'''Do some reviews:'''
* [https://bugzilla.mozilla.org/buglist.cgi?cmdtype=dorem&remaction=run&namedcmd=seceng%20waiting%20for%20reviews&sharer_id=339203&list_id=7536157 Add "seceng waiting for reviews" to your Bugzilla preferences]
* See our [[SecurityEngineering/CodeReviewGuidelines]]


'''Contribute:''' Wanna pitch in, maybe do a project?  Check out the [https://bugzil.la/sw:%5Bgood%20first%20bug%5D%20security good first bugs list] and if one interests you, contact us!
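Review bot: the "seceng waiting for reviews" link runs a named search shared by a single account (cmdtype=dorem&remaction=run with sharer_id=339203), so it breaks if that user removes or unshares the saved search; suggest replacing it with a plain buglist.cgi query (or documenting the search criteria next to the link) so the review queue does not depend on one person's Bugzilla preferences.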
Line 134: Line 48:
We have a few feature proposals for things we might want to add to Firefox but that aren't currently scheduled:


* [[Security/Contextual_Identity_Project|Contextual Identity]]
* [[Security/Foreign_Certificate_Warning|Foreign Certificate Warning]]
* [[CloudServices/Password_Manager/Master_Password|Master Password]] in the Password Manager
* [[Security/Contextual_Identity_Project/Private_Session|private sessions]] and [[Security/Contextual_Identity_Project/User_Profiles|user profiles]]
* [[Security/Automatic_Private_Browsing_Upgrades|Automatic Private Browsing Upgrades]]
From time to time we make add-ons to try out experimental features.  Here are a few; let us know what you think!
* [https://addons.mozilla.org/en-us/firefox/addon/force-tls/ Force-TLS] ([https://code.google.com/p/force-tls/ get the code])
* [https://addons.mozilla.org/en-US/firefox/addon/newusercspdesign/ User CSP]


==Security Bugs==
If you've found a security bug please see http://www.mozilla.org/security/#For_Developers
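Review bot: the security-bug reporting link in the Security Bugs section uses plain http:// in both revisions; suggest https://www.mozilla.org/security/#For_Developers so that the instructions telling reporters where to send vulnerability details are themselves served over TLS. While touching this hunk, the "get the code" link for Force-TLS points at code.google.com; confirm it still resolves before keeping it in the experimental add-ons list.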