SecurityEngineering/2014/Q2Goals: Difference between revisions
(Created page with "__NOTOC__ This is a heavy-Implement quarter (as opposed to the other strategic actions in our SecurityEngineering/Strategy). (Also linked from [[Platform/2014-Q2-Goals#S...")
(9 intermediate revisions by the same user not shown)
Latest revision as of 19:25, 30 June 2014
This is a heavy-Implement quarter (as opposed to the other strategic actions in our SecurityEngineering/Strategy).
(Also linked from Platform/2014-Q2-Goals#Security_.26_Privacy)
Web Platform Security
Outcome: Faster, more correct web platform security feature/tool roll-out (plus, easier maintenance!)
Who: tanvi, ckerschb, grobinson, sstamm, rbarnes
- [DONE] Consult/Research: plan out replacement for nsIContentPolicy and start executing (the Sicking project) [dri=tanvi, a=ckerschb] Try Run: https://tbpl.mozilla.org/?tree=Try&rev=3eaa860948cd
- [DONE] Implement: Make new CSP parser on by default in nightly (bug 925004) [dri=ckerschb, a=grobinson,sstamm]
- [DONE] Implement: Land WebCrypto [dri=rbarnes] (bug 865789)
Secure Client Platform
Outcome: incremental progress towards containing unprivileged code to minimize risk due to vulnerabilities
Who: bobowen, sstamm, tabraldes
- [MISSED] Get open.h264 plugin sandboxed on windows [dri=sstamm, a=tabraldes] (not done with reviews, close)
- [DROPPED] Get some tests on TBPL running with sandbox [dri=bobowen, a=sstamm,tabraldes] (Dropped due to complications in getting even e10s in windows running on TBPL, in favor of warn-only mode goal below)
- [MISSED] Create warn-only mode for sandbox in windows builds so developers can see what *will* break before it does [dri=bobowen, a=sstamm] (needs review and landing, close)
Secure Communications
Outcome: More correct cert validation and a way to detect MITM of at least one site (via pinning)
Who: keeler, cviecco, mmc, kathleen
- [DONE] Land key pinning [dri=cviecco, a=keeler,mmc]
  - Landed, on by default (no sites are in "test-telemetry" mode). Working on enabling more sites next.
  - See dashboard: http://people.mozilla.org/~mchew/pinning_dashboard/
- [DONE] mozilla::pkix on by default, (riding the train to) / (targeting a) release [dri=keeler, a=cviecco]
- [DEFER] BONUS (not required): Deploy UI for cert error reporting [dri=grobinson] (bug 846489)
  - At risk due to no engineer to work on it. Updated Privacy Policy was published! (http://www.mozilla.org/en-US/privacy/firefox/), unfortunately some links are incorrect (bug 1006204)
  - Made tons of progress
Tracking Protection / Privacy
Outcome: prepare Lightbeam for user study on tracking protection
Who: mmc, grobinson
- [MISSED] Get through the next 2 releases (1.0.10 (released) and 1.0.11) of Lightbeam: https://github.com/mozilla/lightbeam/issues/milestones towards the goal of conducting a small user study on tracking protection [dri=mmc, a=grobinson]