SecurityEngineering/2014/Q4Goals

From MozillaWiki


This is a heavy "Implement" quarter (as opposed to the other strategic actions in our SecurityEngineering/Strategy).

Content Security

Outcome
More robust security hooks for better correctness in content security features like CSP, adblock, etc.
Who
Tanvi, Christoph, Garrett, Sid, Francois
  • [NEW] Add LoadInfo to Gecko-owned JS callers (dri=ckerschb,tanvi)
  • [NEW] Use LoadInfo to implement MCB (Mixed Content Blocking) for HTTP redirects (dri=tanvi)
  • [NEW] Implement Next Block of CSP Level 2.0 features (dri=sstamm,ckerschb)
    • (Will be more tightly scoped once Chris & Sid have time to nail down the subfeature list)
  • [NEW] Initial Implementation of sub-resource integrity (bug 992096) (dri=francois)


Tracking Protection

Outcome
Better user control (and site control) over metadata on the wire and collected by third parties.
Who
Sid
  • [CARRY OVER] Finish <meta> referrer (dri=sid)

Addon Security

Outcome
TBD
Who
TBD
  • TBD (dri=dveditz)

Communications Security

Outcome
Fresher/more accurate revocation information and progress towards defeating certificate misissuance and Man-In-The-Middle attacks.
Who
Richard, Kathleen, Keeler, Monica, JC, Mark
  • [NEW] Add more BR (CA/Browser Forum Baseline Requirements) checking (some combination of giving errors during path building, wall of shame, console warnings -- tbd) (dri=dkeeler)
  • [NEW] Identify what of Certificate Transparency we must/should deploy (dri=rbarnes)
  • [NEW] Complete phase 1 of migration to CA database (dri=kwilson)
  • [NEW] [stretch] Import mozilla::pkix to a branch of NSS (dri=jcjones)
  • [NEW] [stretch] Add ability to name constrain more root CAs (dri=dkeeler)
  • [NEW] [stretch] Add security warnings about SHA-1 to Web Console (dri=mgoodwin)

QE (tracking)

We also track security-related QE goals. (section owner=mwobensmith)

Official list
(link TBD)