SecurityEngineering/2014/Q4Goals: Difference between revisions
Latest revision as of 21:48, 23 December 2014
This is a heavy-Implement quarter (as opposed to the other strategic actions in our SecurityEngineering/Strategy).
Content Security
Outcome: More robust security hooks for better correctness in content security features like CSP, adblock, etc.
Who: Tanvi, Christoph, Sid, Francois, Steve
- [AT RISK] Add LoadInfo to Gecko-owned JS callers (dri=ckerschb,tanvi)
- [DONE] Use LoadInfo to implement MCB for HTTP redirects (dri=tanvi)
- [DONE] Implement Next Block of CSP Level 2.0 features (dri=sstamm,ckerschb)
  - Work to fix spec to have child-src directive we want
  - Implement form-action directive
  - Implement referrer directive (depends on bug 704320)
  - Fix frame-ancestors mapping
  - Work to fix spec about blob urls
- [ON TRACK] Initial Implementation of sub-resource integrity (bug 992096) (dri=francois)
Tracking Protection
Outcome: Better user control (and site control) over metadata on the wire and collected by third parties.
Who: Sid
- [DONE] Finish <meta> referrer (dri=sid)
Addon Security
Outcome: TBD
Who: Dan Veditz
Goals:
- [ON TRACK] Require signed add-ons (backend). See bug 1047239 (dri=dveditz)
Communications Security
Outcome: Fresher/more accurate revocation information and progress towards defeating certificate misissuance and Man-In-The-Middle attacks.
Who: Richard, Kathleen, Keeler, Monica, JC, Mark
- [ON TRACK] Add more BR checking (some combination of giving errors during path building, wall of shame, console warnings -- tbd) (dri=dkeeler)
- [DONE] Identify what of Certificate Transparency we must/should deploy (dri=rbarnes)
- [DONE] Complete phase 1 of migration to CA database (dri=kwilson)
- [ON TRACK] [stretch] Import mozilla::pkix to a branch of NSS (dri=jcjones)
- [ON TRACK] [stretch] Add ability to name constrain more root CAs (dri=dkeeler)
- [DONE] [stretch] Add security warnings about SHA-1 to Web Console (dri=mgoodwin)
- [ON TRACK] OneCRL client implementation (dri=mgoodwin)
QE (tracking)
We also track security related QE goals. (section owner=mwobensmith)
Official list: (link TBD)
- [AT RISK] Tool telemetry of SSL errors/overrides to watch for outliers, e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=1058812#c42 (dri=matt)
  - https://lists.mozilla.org/listinfo/dev-telemetry-alerts
- [DONE] Set up SSL compatibility testing to be run at the beginning of Beta for each branch. (dri=matt)
- [DONE] Figure out how to take the cert caching into account when running SSL compatibility tests (dri=matt)