SecurityEngineering/2014/Q3Goals: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
No edit summary
 
(11 intermediate revisions by 3 users not shown)
Line 9: Line 9:
;Who: Tanvi, Christoph, Garrett, Sid
;Who: Tanvi, Christoph, Garrett, Sid


* {{ok|Gecko Security Hooks: Finish code and debugging for New Channel API, start getting reviews}} (dri=tanvi)
* {{done|Gecko Security Hooks: Finish code and debugging for NS_NewChannel API, start getting reviews.}} See {{bug|1038756}}, {{bug|1006881}} (dri=tanvi)
* {{ok|Gecko Security Hooks: Create plan for addon compatibility}} (dri=tanvi)
* {{defer|Gecko Security Hooks: Create plan for addon compatibility - nothing to do until JS impl is done}} (dri=tanvi)
* {{done|CSP: Remove old JS implementation from mozilla-central}} (dri=sstamm)
* {{done|CSP: Remove old JS implementation from mozilla-central.  Target Fx34.}} See {{bug|994782}} (dri=sstamm)
* {{new|Evangelism: Security Open Mic presentation + blog post about new CSP implementation, maybe again as brown bag.}} (dri=sstamm)
* {{done|Evangelism: Security blog post about new CSP implementation, maybe again as brown bag.}} (dri=sstamm)
* {{ok|''[stretch goal]'' CSP: Fix majority of CSP 1.1 compatibility bugs}} ([https://etherpad.mozilla.org/CSP-1-1 planning etherpad])(dri=ckerschb)
* {{ok|''[stretch goal]'' CSP: Fix majority of CSP 1.1 compatibility bugs.}} See [https://etherpad.mozilla.org/CSP-1-1 planning etherpad] (dri=ckerschb)


== Tracking Protection ==
== Tracking Protection ==
Line 19: Line 19:
;Who: Monica, Garrett, Sid, Georgios
;Who: Monica, Garrett, Sid, Georgios


* {{ok|Referer: Finish implementation of <meta> referrer control with volunteer help}} (dri=sstamm)
* {{risk|Referer: Finish implementation of <meta> referrer control with volunteer help.}}  See {{bug|704320}}, very close. (dri=sstamm)
* {{new|Land first implementation of protection in Fx 33/34 off by default.}} (dri=mmc)
* {{done|Land backend and bridge code for first implementation of protection in Fx 33/34 off by default. BONUS: landed frontend code too}} (dri=mmc)


== Communications Security ==
== Communications Security ==
Line 26: Line 26:
;Who: Richard, Kathleen, Keeler, Camilo, Harsh, Garrett, Monica
;Who: Richard, Kathleen, Keeler, Camilo, Harsh, Garrett, Monica


* {{ok|SSL Error Reporting finish first implementation of ssl error reporting feature.}} (dri=grobinson)
* {{done|SSL Error Reporting finish first implementation of ssl error reporting feature.}} (dri=mgoodwin)
* {{ok|HPKP - implement pinning http header}} (dri=cviecco)
* {{done|HPKP - implement pinning http header}} (dri=cviecco)
* {{ok| Update roadmap for Cert Revocation improvements}} (dri=rbarnes)
* {{done| Update [[CA:RevocationPlan|roadmap for Cert Revocation improvements]]}} (dri=rbarnes)
* {{done| Create a mechanism to provision phones with an alternate cert}} (dri=mgoodwin)
* {{done| Create a mechanism to provision phones with an alternate cert}} (dri=mgoodwin)
* {{ok| Add measurement/enforcement of compliance with CABF Baseline Requirements}} (dri=keeler)
* {{done| Add measurement/enforcement of compliance with CABF Baseline Requirements}}. See {{bug|1050546}} (dri=keeler)
* {{ok| Create a tool for testing CA certificate compliance and EV-readiness}} (dri=keeler)
* {{done| Create a tool for testing CA certificate compliance and EV-readiness}}. See {{bug|926599}} and {{bug|1029095}} (dri=keeler)
* {{ok| Add support for key wrap/unwrap and ECC in WebCrypto}} (dri=rbarnes)
* {{done| Add support for key wrap/unwrap and ECC in WebCrypto}} (dri=rbarnes)
* {{risk| ''[stretch goal]'' Enable revocation of intermediate CAs through block list service}} (dri=harsh, keeler)
* {{defer| ''[stretch goal]'' Enable revocation of intermediate CAs through block list service}} (dri=mgoodwin, keeler)
* {{ok| ''[stretch goal]'' Retire first batch of 1024-bit roots, working towards requiring 2048-bit keys for built-in root certificates}} (dri=kathleen)
* {{done| ''[stretch goal]'' Retire first batch of 1024-bit roots, working towards requiring 2048-bit keys for built-in root certificates}} (dri=kathleen)
* {{ok| ''[stretch goal]'' Get CA Program data into one database}} (dri=kathleen)
* {{defer| ''[stretch goal]'' Get CA Program data into one database}} (dri=kathleen)

Latest revision as of 16:50, 13 October 2014


This is a heavy-Implement quarter (as opposed to the other strategic actions in our SecurityEngineering/Strategy).

(Also linked from Platform/2014-Q3-Goals#Security_.26_Privacy_Engineering).

Content Security

Outcome
Progress towards more robust security hooks for better correctness in content security features like CSP, adblock, etc.
Who
Tanvi, Christoph, Garrett, Sid
  • [DONE] Gecko Security Hooks: Finish code and debugging for NS_NewChannel API, start getting reviews. See bug 1038756, bug 1006881 (dri=tanvi)
  • [DEFER] Gecko Security Hooks: Create plan for addon compatibility - nothing to do until JS impl is done (dri=tanvi)
  • [DONE] CSP: Remove old JS implementation from mozilla-central. Target Fx34. See bug 994782 (dri=sstamm)
  • [DONE] Evangelism: Security blog post about new CSP implementation, maybe again as brown bag. (dri=sstamm)
  • [ON TRACK] [stretch goal] CSP: Fix majority of CSP 1.1 compatibility bugs. See planning etherpad (dri=ckerschb)

Tracking Protection

Outcome
Better user control (and site control) over metadata on the wire and collected by third parties.
Who
Monica, Garrett, Sid, Georgios
  • [AT RISK] Referer: Finish implementation of <meta> referrer control with volunteer help. See bug 704320, very close. (dri=sstamm)
  • [DONE] Land backend and bridge code for first implementation of protection in Fx 33/34 off by default. BONUS: landed frontend code too (dri=mmc)

Communications Security

Outcome
Fresher/more accurate revocation information and progress towards defeating certificate misissuance and Man-In-The-Middle attacks.
Who
Richard, Kathleen, Keeler, Camilo, Harsh, Garrett, Monica
  • [DONE] SSL Error Reporting finish first implementation of ssl error reporting feature. (dri=mgoodwin)
  • [DONE] HPKP - implement pinning http header (dri=cviecco)
  • [DONE] Update roadmap for Cert Revocation improvements (dri=rbarnes)
  • [DONE] Create a mechanism to provision phones with an alternate cert (dri=mgoodwin)
  • [DONE] Add measurement/enforcement of compliance with CABF Baseline Requirements. See bug 1050546 (dri=keeler)
  • [DONE] Create a tool for testing CA certificate compliance and EV-readiness. See bug 926599 and bug 1029095 (dri=keeler)
  • [DONE] Add support for key wrap/unwrap and ECC in WebCrypto (dri=rbarnes)
  • [DEFER] [stretch goal] Enable revocation of intermediate CAs through block list service (dri=mgoodwin, keeler)
  • [DONE] [stretch goal] Retire first batch of 1024-bit roots, working towards requiring 2048-bit keys for built-in root certificates (dri=kathleen)
  • [DEFER] [stretch goal] Get CA Program data into one database (dri=kathleen)