|
|
| (19 intermediate revisions by the same user not shown) |
| Line 1: |
Line 1: |
| ''Last Updated: 3 Jan 2017'' | | '''Mission''': Use modern cryptography to improve the security and privacy of Firefox |
| | |
| | Protect Firefox users on the Internet through up-to-date cryptographic protocols |
| | |
| | * Maintain the cryptography and transport security library that powers Firefox, [[NSS]] |
| | * Enforce the technical policies of the Mozilla [[CA|CA Certificate Program]] |
| | * Lead the adoption of cryptographic technologies to improve security throughout Firefox |
|
| |
|
| = Crypto Engineering Projects = | | = Crypto Engineering Projects = |
| Line 8: |
Line 14: |
| NSS is the cryptography and transport security library that powers Firefox. | | NSS is the cryptography and transport security library that powers Firefox. |
|
| |
|
| * 2017 Q2: [[NSS/Demos|[MWOS] Add new NSS demonstration code]] to show how to use NSS in a modern way.
| |
| * 2017 Q2: [[NSS/ARGON2|[MWOS] Implement Argon2]] to provide a basis to modernize the Master Password in Firefox.
| |
| * 2017 Q2: Implement hardware crypto accelerations on OSX and ARM
| |
| * 2017 Q3: [[NSS/BoGo_Tests|Integrate BoGo's integration tests into NSS builds]].
| |
| ** The automated tests for NSS are mostly unit tests. Integration testing was historically assumed to happen at Firefox, but that's limited. BoGo is a rich set of integration tests that can diagnose protocol issues during automated testing.
| |
| * 2017 Q4: Post-Quantum Research and Development.
| |
| ** Mozilla is intending to join the efforts in developing cryptography that will remain secure once quantum computers come online. This is expected to be a long-duration R&D effort.
| |
|
| |
|
| == PSM == | | == PSM == |
| PSM performs the business logic of deciding whether a given secure network connection is actually trustworthy. It applies logic from the user's choices, the Mozilla Root Program, and the platform in order to make a trust determination. E.g., whether to show a connection as secure. | | PSM performs the business logic of deciding whether a given secure network connection is actually trustworthy. It applies logic from the user's choices, the Mozilla Root Program, and the platform in order to make a trust determination. E.g., whether to show a connection as secure. |
|
| |
|
| * 2016 Q4 / 2017 Q1: Re-architect PSM/NSS interaction to eliminate shutdown crashes. | | * [[Security/CryptoEngineering/Intermediate Preloading|Intermediate Preloading]] |
| ** The interaction between PSM and NSS is extremely old, and doesn't follow the modern methods Gecko uses to initialize and shutdown modules. As such, NSS sometimes crashes when shutting down; this is a leading crash on Android. Fixing this is a substantial architectural change.
| | * [https://bugzilla.mozilla.org/show_bug.cgi?id=1464828 OS-supplied Data at Rest Protections] |
| ** Details here: [[Security/CryptoEngineering/Platform Use of NSS|Platform Use of NSS]]
| |
| * 2017 Q2: Speed up TLS handshakes | |
| * 2017 Q2: Continue work on our Certificate Transparency implementation and test infrastructure
| |
| * 2017 Q3: Move error-string formatting for our error pages into the front-end JavaScript
| |
| * 2017 Q3: Retool the "See more" sections of error pages using JavaScript to provide more help
| |
|
| |
|
| == Web Authentication == | | == Web Authentication == |
| Password authentication is known to be a security liability on the Web. The [https://www.w3.org/TR/webauthn/ W3C Web Authentication Working Group is developing a specification] for using Scoped Credentials to supplement or replace passwords. Mozilla intends to implement Web Authentication (WebAuthn) specification.
| | See [[Security/Web Authentication]] |
| | |
| * 2016 Q2: FIDO U2F v1.1 JS API landed, hidden behind preferences.
| |
| ** You can test a "Soft Token" using any recent version of Firefox using the instructions at https://u2f.bin.coffee/
| |
| * 2017 Jan: Draft WebAuthn JS API available, hidden behind a pref, using the Soft Token from U2F.
| |
| ** [https://groups.google.com/d/msg/mozilla.dev.platform/F0rCRF8z87E/CPh7dIJ9BQAJ Intent to Implement Announcement]
| |
| ** [https://lists.w3.org/Archives/Public/public-webauthn/2017Jan/0083.html Ready For Experiment Announcement]
| |
| * 2017 Q2: Support USB HID U2F devices on Linux.
| |
| * 2017 Q2: Integrate USB HID U2F devices with the WebAuthn JS API.
| |
| * 2017 Q2: Support USB HID U2F devices on Mac OS X.
| |
| * 2017 Q2: Support USB HID U2F devices on Windows.
| |
| * 2017 Q2-3: Update to Working Draft 5 of the WebAuthn JS API.
| |
| * 2017 (sometime): Support USB HID CTAP devices on desktop platforms. (Exact version TBD)
| |
| * 2017 (sometime): Support WebAuthn for mobile Firefox.
| |
| * 2017 (late): Update to the Candidate Recommendation of the WebAuthn JS API.
| |
| | |
| All of the above dates are for landing in Firefox Nightly.
| |
| | |
| '''Goal''': permit use of U2F tokens via a user-controllable preference (not on by default) in Firefox 56 or 57, and Web Authentication (on by default) in Firefox 57 or 58. (See [[RapidRelease/Calendar]])
| |
| | |
| == DOM Security ==
| |
| * 2017 Q2: Enable [https://wicg.github.io/hsts-priming/ HSTS Priming] in Firefox Beta
| |
| * 2017 Q2: Update our Mixed Content Blocking implementation to the [https://www.w3.org/TR/mixed-content/ W3C Candidate Recommendation]
| |
| * 2017 Q3: Release paper on HSTS Priming approach
| |
Mission: Use modern cryptography to improve the security and privacy of Firefox
Protect Firefox users on the Internet through up-to-date cryptographic protocols
- Maintain the cryptography and transport security library that powers Firefox, NSS
- Enforce the technical policies of the Mozilla CA Certificate Program
- Lead the adoption of cryptographic technologies to improve security throughout Firefox
Crypto Engineering Projects
Our team's major projects are broken down by module:
NSS is the cryptography and transport security library that powers Firefox.
PSM
PSM performs the business logic of deciding whether a given secure network connection is actually trustworthy. It applies logic from the user's choices, the Mozilla Root Program, and the platform in order to make a trust determination. E.g., whether to show a connection as secure.
Web Authentication
See Security/Web Authentication