SecurityEngineering: Difference between revisions

From MozillaWiki
No edit summary
Line 40: Line 40:
'''Content Security'''
'''Content Security'''
{|class="wikitable"
{|class="wikitable"
! Topic
! Engineering Contact
! QA Contact
|-
| [[Security/Application_Reputation|Application Reputation]]
| [[Security/Application_Reputation|Application Reputation]]
| [[User:Fmarier|Francois Marier]]
| [[User:Fmarier|Francois Marier]]
|
|-
|-
|-
|-
| [[Security/Contextual_Identity_Project/Containers|Containers]]
| [[Security/Contextual_Identity_Project/Containers|Containers]]
| Tanvi Vyas
| Tanvi Vyas
|
|-
|-
| [[Security/CSP|Content Security Policy]]
| [[Security/CSP|Content Security Policy]]
| Christoph Kerschbaumer
| Christoph Kerschbaumer
|
|-
|-
| Meta Referrer
| Meta Referrer
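Review bot: the new Containers row leaves the QA Contact cell empty, as every other row in this table does; either fill the column in or drop it from the wikitable so the header does not promise information the rows never supply.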
Line 55: Line 62:
| [[Security/Features/Mixed_Content_Blocker|Mixed Content Blocking]]
| [[Security/Features/Mixed_Content_Blocker|Mixed Content Blocking]]
| Tanvi Vyas
| Tanvi Vyas
|
|-
|-
| [[CloudServices/Password_Manager|Password Manager]]
| [[CloudServices/Password_Manager|Password Manager]]
| Tanvi Vyas
| Tanvi Vyas
|
|-
|-
| [[Security/Features/Revamp_Security_Hooks|Revamp of Security Hooks]]
| [[Security/Features/Revamp_Security_Hooks|Revamp of Security Hooks]]
| Christoph Kerschbaumer
| Christoph Kerschbaumer
|
|-
|-
| [[Security/Safe Browsing|Safe Browsing]]
| [[Security/Safe Browsing|Safe Browsing]]
| [[User:Fmarier|Francois Marier]]
| [[User:Fmarier|Francois Marier]]
|
|-
|-
| [[Security/Subresource_Integrity|Sub-resource Integrity]]
| [[Security/Subresource_Integrity|Sub-resource Integrity]]
| [[User:Fmarier|Francois Marier]]
| [[User:Fmarier|Francois Marier]]
|
|-
|-
| [[Security/Tor_Uplift/Tracking|Tor bugs]]
| [[Security/Tor_Uplift/Tracking|Tor bugs]]
| Tom Ritter
| Ethan Tseng / Tom Ritter
|
|-
|-
| [[Security/Tracking_protection|Tracking Protection]]
| [[Security/Tracking_protection|Tracking Protection]]
| [[User:Fmarier|Francois Marier]]
| [[User:Fmarier|Francois Marier]]
|
|}
|}
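Review bot: the Tor bugs row now carries two names in the Engineering Contact column ("Ethan Tseng / Tom Ritter") while every other row names one; if one of them is the primary contact, list that person alone, or move the second name into the still-empty QA Contact cell so the columns keep one meaning each.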

Revision as of 17:17, 20 January 2017

We build security and user sovereignty into Firefox. Through this work, we encourage and promote these values on the open web.

We focus hard on ways to improve the privacy and security of all web users, in a Mozilla way that engages the community in our design and implementation decisions. These priorities are reflected in the projects this team manages, public evangelism and participation in relevant standards bodies to maximize adoption of new privacy & security mechanisms.

The open web is powerful; the huge number of people working on web standards and software is astonishing, and the rapid advancement of new businesses and technologies online magnifies the need for advances in mechanisms that enable secure systems and users' control over their presence online.

Who is involved

Security Engineering is led by Richard Barnes and Selena Deckelmann. Work is divided between two main teams:

  • Content Security Team (Lead: Paul Theriault): website & browser security features, DOM security (CSP, SRI, cookies, origin, etc.), content blocking (Safe Browsing, download protection)
  • Communications Security (Lead: JC Jones): TLS stack, communications security, crypto APIs, PSM
  • Fuzzing (Lead: Al Billings)

To connect with us directly, you can find our contact details on Mozillians.

How We Work

The Security Engineering team works publicly, like other Mozilla engineering teams. We are continuously focused on four top-level activities:

  • Implement and Deploy
  • Consult on Architecture and Design
  • Research new Ideas
  • Evangelize what we do

For more details, check out our strategy.

What we work on

The core security guarantee of the web is that it’s safe to browse. You can run a web browser and connect to any web server on the planet, and whatever that server sends you, it won’t be able to harm you.

Delivering on this promise requires many layers of assurance:

  • That the browser itself is safe to run -- that no malicious code has been introduced, and that we find and fix vulnerabilities before they can be exploited.
  • That the browser is protecting web content as it’s delivered over the network.
  • That the web content is forced to play by our rules, including assuring that privacy-sensitive actions taken by web pages are gated on the user's permission.
  • That we’re providing a user experience that helps people understand the risks and how they can stay safe.

For details of our projects in these four areas, see the security roadmap.

Current Efforts

Content Security

Topic                      Engineering Contact         QA Contact
Application Reputation     Francois Marier
Containers                 Tanvi Vyas
Content Security Policy    Christoph Kerschbaumer
Meta Referrer
Mixed Content Blocking     Tanvi Vyas
Password Manager           Tanvi Vyas
Revamp of Security Hooks   Christoph Kerschbaumer
Safe Browsing              Francois Marier
Sub-resource Integrity     Francois Marier
Tor bugs                   Ethan Tseng / Tom Ritter
Tracking Protection        Francois Marier


Communications Security

Topic                      Engineering Contact
Add-on signing             Daniel Veditz
CA Program                 Kathleen Wilson
Error Reporting            Mark Goodwin
OneCRL                     Mark Goodwin

How to participate

Discuss: We hang out on #security and #contentsecurity on irc.mozilla.org, and our primary mailing list is mozilla.dev.security.

Follow our work: To see our current progress against features, please see the Mozilla Security Blog.

Do some reviews:

Contribute: Wanna pitch in, maybe do a project? Check out the good first bugs list and if one interests you, contact us!

Experimental Things

We have a few feature proposals for things we might want to add to Firefox but that aren't currently scheduled:

From time to time we make add-ons to try out experimental features. Here are a few; let us know what you think!

Security Bugs

If you've found a security bug, please see http://www.mozilla.org/security/#For_Developers