Security/CryptoEngineering: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
(→‎Web Authentication: update dates)
(correct outdated info, link to preloading)
Line 16: Line 16:
NSS is the cryptography and transport security library that powers Firefox.
NSS is the cryptography and transport security library that powers Firefox.


* 2018 Q1: Rework TLS session caching to permit better privacy controls
* 2018 Q1: Improve confidence in network-facing ASN.1 parsing


== PSM ==
== PSM ==
PSM performs the business logic of deciding whether a given secure network connection is actually trustworthy. It applies logic from the user's choices, the Mozilla Root Program, and the platform in order to make a trust determination. E.g., whether to show a connection as secure.
PSM performs the business logic of deciding whether a given secure network connection is actually trustworthy. It applies logic from the user's choices, the Mozilla Root Program, and the platform in order to make a trust determination. E.g., whether to show a connection as secure.


* 2018 Q1: Move error-string formatting for our error pages into the front-end JavaScript
* [[Security/CryptoEngineering/Intermediate Preloading|Intermediate Preloading]]
* 2018 Q2: Retool the "See more" sections of error pages using JavaScript to provide more help
* 2018 Q3: Continue work on our Certificate Transparency implementation and test infrastructure


== Web Authentication ==
== Web Authentication ==
Password authentication is known to be a security liability on the Web. The [https://www.w3.org/TR/webauthn/ W3C Web Authentication Working Group is developing a specification] for using Scoped Credentials to supplement or replace passwords. Mozilla intends to implement Web Authentication (WebAuthn) specification.
Password authentication is known to be a security liability on the Web. The [https://www.w3.org/TR/webauthn/ W3C Web Authentication Working Group is developing a specification] for using Scoped Credentials to supplement or replace passwords. Mozilla intends to continue supporting the Web Authentication (WebAuthn) specification.


* 2016 Q2: FIDO U2F v1.1 JS API landed, hidden behind preferences.
==== Useful testing sites ====
** You can test a "Soft Token" using any recent version of Firefox using the instructions at https://u2f.bin.coffee/
* 2017 Jan: Draft WebAuthn JS API available, hidden behind a pref, using the Soft Token from U2F.
** [https://groups.google.com/d/msg/mozilla.dev.platform/F0rCRF8z87E/CPh7dIJ9BQAJ Intent to Implement Announcement]
** [https://lists.w3.org/Archives/Public/public-webauthn/2017Jan/0083.html Ready For Experiment Announcement]
* 2017 Q2: Support USB HID U2F devices on Linux, Mac OS X, and Windows. [https://github.com/jcjones/u2f-hid-rs/ rust u2f-hid-rs library]
* 2017 Q2-3: Integrate '''USB HID U2F hardware support''' into Firefox.
** Done in '''Firefox 57'''.
* 2017 Q2-3: Update to Working Draft 5 of the WebAuthn JS API.
** Done in '''Firefox 56'''
* 2017 Q3: Integrate hardware support with the '''FIDO U2F v1.1 JS API'''
** Done in '''Firefox 57'''.
* 2017 September: Interoperability testing for WebAuthn.
** Done.
* 2017 (late): Update to the Candidate Recommendation of the WebAuthn JS API.
** [https://bugzilla.mozilla.org/show_bug.cgi?id=1384776 Bug 1384776]
* 2019: Support USB HID CTAP devices on desktop platforms. (Exact version TBD)
** [https://github.com/jcjones/u2f-hid-rs/issues/33 u2f-hid-rs Issue #33]
* 2019: Support U2F hardware for Firefox for Android.
** [https://github.com/jcjones/u2f-hid-rs/issues/42 u2f-hid-rs Issue #42]


All of the above dates are for landing in Firefox Nightly.
Web Authentication:
 
* https://webauthn.bin.coffee/
'''Goal''': permit use of U2F tokens via a user-controllable preference (not on by default) in Firefox 56 or 57 (Done in '''Firefox 57'''), and Web Authentication (on by default) in Firefox 59 or 60. (See [[RapidRelease/Calendar]])
* https://webauthn.io/
 
* https://webauthndemo.appspot.com/
=== Using U2F / WebAuthn ===
* https://demo.yubico.com/webauthn/
 
WebAuthn is enabled by default. To enable U2F as well, enable this preference in '''about:config''':
* security.webauth.u2f
 
Enabling debugging (example for OSX):
 
  MOZ_LOG="webauthnmanager:5, webauth_u2f:5, webauth_u2f:5, u2fkeymanager:5, u2fhidtoken:5, u2fmanager:5" ~/Desktop/NightlyDebug.app/Contents/MacOS/firefox
 
Enabling the soft token:
 
In '''about:config''' enable:
* security.webauth.webauthn_enable_softtoken
 
This currently stops the use of USB tokens, as the soft token always answers first. To see its code, check https://searchfox.org/mozilla-central/source/dom/webauthn/U2FSoftTokenManager.cpp#151.
 
==== Useful testing sites ====


U2F:
U2F (behind a pref, experimental, not released):
* https://u2fdemo.appspot.com/
* https://u2fdemo.appspot.com/
* https://github.com/
* https://github.com/
* https://u2f.bin.coffee/
* https://u2f.bin.coffee/
* https://demo.yubico.com/u2f
* https://demo.yubico.com/u2f
Web Authentication:
* https://webauthn.bin.coffee/
* https://webauthn.io/
It does not work on Facebook or Google Accounts; there are issues beyond browser detection that haven't been analyzed yet.
=== WD-07 Updates ===
<bugzilla>
    {
        "component":"DOM: Device Interfaces",
        "whiteboard":"webauthn-wd07",
        "include_fields": "id, summary, status, assigned_to, whiteboard, last_change_time"
    }
</bugzilla>
=== All WebAuthn Tracked Bugs ===
<bugzilla>
    {
        "component":"DOM: Device Interfaces",
        "status":["UNCONFIRMED", "NEW", "ASSIGNED", "REOPENED"],
        "whiteboard":"webauthn",
        "include_fields": "id, summary, status, assigned_to, whiteboard, last_change_time"
    }
</bugzilla>
== DOM Security ==
* 2017 Q2: Enable [https://wicg.github.io/hsts-priming/ HSTS Priming] in Firefox Beta
* 2017 Q2: Update our Mixed Content Blocking implementation to the [https://www.w3.org/TR/mixed-content/ W3C Candidate Recommendation]
* 2017 Q3: Release paper on HSTS Priming approach

Revision as of 20:46, 4 March 2019

Last Updated: 7 Sept 2017

Mission: Use modern cryptography to improve the security and privacy of Firefox

Protect Firefox users on the Internet through up-to-date cryptographic protocols

  • Maintain the cryptography and transport security library that powers Firefox, NSS
  • Enforce the technical policies of the Mozilla CA Certificate Program
  • Lead the adoption of cryptographic technologies to improve security throughout Firefox

Crypto Engineering Projects

Our team's major projects are broken down by module:

NSS

NSS is the cryptography and transport security library that powers Firefox.


PSM

PSM performs the business logic of deciding whether a given secure network connection is actually trustworthy. It applies logic from the user's choices, the Mozilla Root Program, and the platform in order to make a trust determination. E.g., whether to show a connection as secure.

Web Authentication

Password authentication is known to be a security liability on the Web. The W3C Web Authentication Working Group is developing a specification for using Scoped Credentials to supplement or replace passwords. Mozilla intends to continue supporting the Web Authentication (WebAuthn) specification.

Useful testing sites

Web Authentication:

U2F (behind a pref, experimental, not released):

Retrieved from "https://wiki.allizom.org/index.php?title=Security/CryptoEngineering&oldid=1208440"