SecurityEngineering/2015/Q1Goals: Difference between revisions
Jump to navigation
Jump to search
mNo edit summary |
No edit summary |
||
| Line 1: | Line 1: | ||
__NOTOC__ | __NOTOC__ | ||
== Content Security == | == Content Security == | ||
* {{ | * {{done|Warn users about insecure password fields in Dev Edition/Aurora.}} (dri=tanvi) | ||
** Figure out if we can display an in-your-face warning for passwords on HTTP pages in Aurora | ** [done] Figure out if we can display an in-your-face warning for passwords on HTTP pages in Aurora | ||
** Figure out if we can turn this preference on for Polaris (if not today, then someday in the future) | ** [defer] Figure out if we can turn this preference on for Polaris (if not today, then someday in the future) | ||
** Get UX help to design the warning | ** [done] Get UX help to design the warning | ||
** Start implementing | ** [started] Start implementing | ||
* {{ | * {{done|REVAMP: Finalize LoadInfo patches for JS/C++ gecko channels .}} (dri=ckerschb) | ||
* {{ | * {{done|REVAMP: Start implementing the LoadInfo shim for addons.}} (dri=ckerschb) | ||
* {{ | * {{done|CSP: Prototype CSP devtool that provides suggested policy for page.}} (dri=ckerschb) | ||
* {{new|Land SRI with style support.}} (dri=francois) | * {{new|Land SRI with style support.}} (dri=francois) | ||
* {{ | * {{defer|Propose an approach for adding reporting to SRI.}} (dri=francois) | ||
== Tracking Protection == | == Tracking Protection == | ||
* {{ | * {{defer|Get TP UI enabled in Nightly/Aurora to check webcompat, shake out bugs etc.}} (dri=mmc) | ||
* {{ | * {{done|Review Referrer Policy.}} (dri=mmc/sid) | ||
* {{ | * {{drop|Start experimenting with Containers for Contextual Identity.}} (dri=mmc) | ||
* {{ | * {{done|Tor bugs.}} (dri=sid) | ||
* {{done|Blog post for meta referrer.}} (dri=Sid) | * {{done|Blog post for meta referrer.}} (dri=Sid) | ||
== Addon Security == | == Addon Security == | ||
* Mechanism for enforcing signed-by-AMO addons in 38. Whether enabled or not depends on readiness in other parts. | * [Fx39 as warning, Fx40 as blocking] Mechanism for enforcing signed-by-AMO addons in 38. Whether enabled or not depends on readiness in other parts. | ||
== Communications Security == | == Communications Security == | ||
* {{ | * {{done|Name constraints on root CAs}} (dri=jones) | ||
* {{ | * {{ok|OneCRL based on (subject, public key)}} (dri=mgoodwin) | ||
* {{ | * {{done|Automate pinging CAs for current audit statements}} (dri=wilson) | ||
* {{ | * {{done|Finish removing / turning off 1024-bit roots}} (dri=wilson) -- Second Group in FF 36, Final group in FF 38. | ||
** Telemetry for verification success by root: http://mzl.la/1Kjn18h | ** Telemetry for verification success by root: http://mzl.la/1Kjn18h | ||
** Telemetry dashboard for verification success and pinning failures by root: https://people.mozilla.org/~dkeeler/ca-telemetry-dashboard/ | ** Telemetry dashboard for verification success and pinning failures by root: https://people.mozilla.org/~dkeeler/ca-telemetry-dashboard/ | ||
* {{ | * {{done|Initial certificate/CA observatory}} (dri=keeler) | ||
** https://people.mozilla.org/~dkeeler/dashboard/ | ** https://people.mozilla.org/~dkeeler/dashboard/ | ||
== QE (tracking) == | == QE (tracking) == | ||
* {{ | * {{drop|Monitor high risk telemetry security probes via the medusa alerting system in m-c}} (dri=kamil) | ||
* {{ | * {{drop|Use the Telemetry prototype to create graphs/monitor high risk security probes via Aurora and BETA.}} (dri=kamil) | ||
* {{ | * {{drop|Create a smoke-level Marionette test for SSL compatibility to be run on Mozmill-CI}} (dri=mwobensmith) | ||
* {{ | * {{drop|Create and stage a web-based SSL site compat tool}} (dri=mwobensmith) | ||
Revision as of 21:07, 31 March 2015
Content Security
- [DONE] Warn users about insecure password fields in Dev Edition/Aurora. (dri=tanvi)
- [done] Figure out if we can display an in-your-face warning for passwords on HTTP pages in Aurora
- [defer] Figure out if we can turn this preference on for Polaris (if not today, then someday in the future)
- [done] Get UX help to design the warning
- [started] Start implementing
- [DONE] REVAMP: Finalize LoadInfo patches for JS/C++ gecko channels . (dri=ckerschb)
- [DONE] REVAMP: Start implementing the LoadInfo shim for addons. (dri=ckerschb)
- [DONE] CSP: Prototype CSP devtool that provides suggested policy for page. (dri=ckerschb)
- [NEW] Land SRI with style support. (dri=francois)
- [DEFER] Propose an approach for adding reporting to SRI. (dri=francois)
Tracking Protection
- [DEFER] Get TP UI enabled in Nightly/Aurora to check webcompat, shake out bugs etc. (dri=mmc)
- [DONE] Review Referrer Policy. (dri=mmc/sid)
- [DROPPED] Start experimenting with Containers for Contextual Identity. (dri=mmc)
- [DONE] Tor bugs. (dri=sid)
- [DONE] Blog post for meta referrer. (dri=Sid)
Addon Security
- [Fx39 as warning, Fx40 as blocking] Mechanism for enforcing signed-by-AMO addons in 38. Whether enabled or not depends on readiness in other parts.
Communications Security
- [DONE] Name constraints on root CAs (dri=jones)
- [ON TRACK] OneCRL based on (subject, public key) (dri=mgoodwin)
- [DONE] Automate pinging CAs for current audit statements (dri=wilson)
- [DONE] Finish removing / turning off 1024-bit roots (dri=wilson) -- Second Group in FF 36, Final group in FF 38.
- Telemetry for verification success by root: http://mzl.la/1Kjn18h
- Telemetry dashboard for verification success and pinning failures by root: https://people.mozilla.org/~dkeeler/ca-telemetry-dashboard/
- [DONE] Initial certificate/CA observatory (dri=keeler)
QE (tracking)
- [DROPPED] Monitor high risk telemetry security probes via the medusa alerting system in m-c (dri=kamil)
- [DROPPED] Use the Telemetry prototype to create graphs/monitor high risk security probes via Aurora and BETA. (dri=kamil)
- [DROPPED] Create a smoke-level Marionette test for SSL compatibility to be run on Mozmill-CI (dri=mwobensmith)
- [DROPPED] Create and stage a web-based SSL site compat tool (dri=mwobensmith)