SecurityEngineering/2015/Q1Goals: Difference between revisions
Jump to navigation
Jump to search
mNo edit summary |
|||
| Line 19: | Line 19: | ||
* {{new|Review Referrer Policy.}} (dri=mmc/sid) | * {{new|Review Referrer Policy.}} (dri=mmc/sid) | ||
* {{new|Start experimenting with Containers for Contextual Identity.}} (dri=mmc) | * {{new|Start experimenting with Containers for Contextual Identity.}} (dri=mmc) | ||
* {{ | * {{ok|Tor bugs.}} (dri=sid) | ||
* {{ | * {{done|Blog post for meta referrer.}} (dri=Sid) | ||
== Addon Security == | == Addon Security == | ||
Revision as of 22:32, 26 January 2015
DRAFT DRAFT DRAFT DRAFT DRAFT
Content Security
- [NEW] Warn users about insecure password fields in Dev Edition/Aurora. (dri=tanvi)
- Figure out if we can display an in-your-face warning for passwords on HTTP pages in Aurora
- Figure out if we can turn this preference on for Polaris (if not today, then someday in the future)
- Get UX help to design the warning
- Start implementing
- [NEW] REVAMP: Finalize LoadInfo patches for JS/C++ gecko channels . (dri=ckerschb)
- [NEW] REVAMP: Start implementing the LoadInfo shim for addons. (dri=ckerschb)
- [NEW] CSP: Prototype CSP devtool that provides suggested policy for page. (dri=ckerschb)
- [NEW] Land SRI with style support. (dri=francois)
- [NEW] Propose an approach for adding reporting to SRI. (dri=francois)
Tracking Protection
- [NEW] Get TP UI enabled in Nightly/Aurora to check webcompat, shake out bugs etc. (dri=mmc)
- [NEW] Review Referrer Policy. (dri=mmc/sid)
- [NEW] Start experimenting with Containers for Contextual Identity. (dri=mmc)
- [ON TRACK] Tor bugs. (dri=sid)
- [DONE] Blog post for meta referrer. (dri=Sid)
Addon Security
- Mechanism for enforcing signed-by-AMO addons in 38. Whether enabled or not depends on readiness in other parts.
Communications Security
- [NEW] Name constraints on root CAs (dri=jones)
- [NEW] OneCRL based on (subject, public key) (dri=mgoodwin)
- [NEW] Automate pinging CAs for current audit statements (dri=wilson)
- [NEW] Finish removing / turning off 1024-bit roots (dri=wilson) -- Second Group in FF 36, Final group in FF 38.
- Telemetry for verification success by root: http://mzl.la/1Kjn18h
- Telemetry dashboard for verification success and pinning failures by root: https://people.mozilla.org/~dkeeler/ca-telemetry-dashboard/
- [NEW] Initial certificate/CA observatory (dri=keeler)
QE (tracking)
- [NEW] Monitor high risk telemetry security probes via the medusa alerting system in m-c (dri=kamil)
- [NEW] Use the Telemetry prototype to create graphs/monitor high risk security probes via Aurora and BETA. (dri=kamil)
- [NEW] Create a smoke-level Marionette test for SSL compatibility to be run on Mozmill-CI (dri=mwobensmith)
- [NEW] Create and stage a web-based SSL site compat tool (dri=mwobensmith)