SecurityEngineering/2014/Q3Goals: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
|||
| Line 10: | Line 10: | ||
* {{ok|Gecko Security Hooks: Finish code and debugging for New Channel API, start getting reviews.}} See {{bug|1038756}}, {{bug|1006881}} (dri=tanvi) | * {{ok|Gecko Security Hooks: Finish code and debugging for New Channel API, start getting reviews.}} See {{bug|1038756}}, {{bug|1006881}} (dri=tanvi) | ||
* {{hold|Gecko Security Hooks: Create plan for addon compatibility}} (dri=tanvi) | * {{hold|Gecko Security Hooks: Create plan for addon compatibility - nothing to do yet}} (dri=tanvi) | ||
* {{done|CSP: Remove old JS implementation from mozilla-central. Target Fx34.}} See {{bug|994782}} (dri=sstamm) | * {{done|CSP: Remove old JS implementation from mozilla-central. Target Fx34.}} See {{bug|994782}} (dri=sstamm) | ||
* {{ | * {{ok|Evangelism: Security Open Mic presentation + blog post about new CSP implementation, maybe again as brown bag.}} (dri=sstamm) | ||
* {{ok|''[stretch goal]'' CSP: Fix majority of CSP 1.1 compatibility bugs.}} See [https://etherpad.mozilla.org/CSP-1-1 planning etherpad] (dri=ckerschb) | * {{ok|''[stretch goal]'' CSP: Fix majority of CSP 1.1 compatibility bugs.}} See [https://etherpad.mozilla.org/CSP-1-1 planning etherpad] (dri=ckerschb) | ||
Revision as of 21:46, 8 September 2014
This is a heavy-Implement quarter (as opposed to the other strategic actions in our SecurityEngineering/Strategy).
(Also linked from Platform/2014-Q3-Goals#Security_.26_Privacy_Engineering).
Content Security
- Outcome
- Progress towards more robust security hooks for better correctness in content security features like CSP, adblock, etc.
- Who
- Tanvi, Christoph, Garrett, Sid
- [ON TRACK] Gecko Security Hooks: Finish code and debugging for New Channel API, start getting reviews. See bug 1038756, bug 1006881 (dri=tanvi)
- [HOLD] Gecko Security Hooks: Create plan for addon compatibility - nothing to do yet (dri=tanvi)
- [DONE] CSP: Remove old JS implementation from mozilla-central. Target Fx34. See bug 994782 (dri=sstamm)
- [ON TRACK] Evangelism: Security Open Mic presentation + blog post about new CSP implementation, maybe again as brown bag. (dri=sstamm)
- [ON TRACK] [stretch goal] CSP: Fix majority of CSP 1.1 compatibility bugs. See planning etherpad (dri=ckerschb)
Tracking Protection
- Outcome
- Better user control (and site control) over metadata on the wire and collected by third parties.
- Who
- Monica, Garrett, Sid, Georgios
- [ON TRACK] Referer: Finish implementation of <meta> referrer control with volunteer help. See bug 704320. (dri=sstamm)
- [DONE] Land backend and bridge code for first implementation of protection in Fx 33/34 off by default. BONUS: landed frontend code too (dri=mmc)
Communications Security
- Outcome
- Fresher/more accurate revocation information and progress towards defeating certificate misissuance and Man-In-The-Middle attacks.
- Who
- Richard, Kathleen, Keeler, Camilo, Harsh, Garrett, Monica
- [ON TRACK] SSL Error Reporting finish first implementation of ssl error reporting feature. (dri=grobinson)
- [ON TRACK] HPKP - implement pinning http header (dri=cviecco)
- [DONE] Update roadmap for Cert Revocation improvements (dri=rbarnes)
- [DONE] Create a mechanism to provision phones with an alternate cert (dri=mgoodwin)
- [ON TRACK] Add measurement/enforcement of compliance with CABF Baseline Requirements (dri=keeler)
- [ON TRACK] Create a tool for testing CA certificate compliance and EV-readiness (dri=keeler)
- [ON TRACK] Add support for key wrap/unwrap and ECC in WebCrypto (dri=rbarnes)
- [AT RISK] [stretch goal] Enable revocation of intermediate CAs through block list service (dri=harsh, keeler)
- [DONE] [stretch goal] Retire first batch of 1024-bit roots, working towards requiring 2048-bit keys for built-in root certificates (dri=kathleen)
- [ON TRACK] [stretch goal] Get CA Program data into one database (dri=kathleen)