< Product Roadmaps

	Product Security Feature Roadmap
	Owner: Lucas Adamski	Updated: 2011-12-13
	Security at Mozilla can be thought of a set of principles that are reflected in the products we ship, but also in the impact Mozilla has on the entire web. As such our security roadmap should reflect the real security improvements we need to make to our products to reflect the evolving security landscape, but also the ambitious impact we'd like to have on all web users.

	THIS PAGE IS A WORKING DRAFT
	The page may be difficult to navigate, and some information on its subject might be incomplete and/or evolving rapidly. If you have any questions or ideas, please add them as a new topic on the discussion page.

Vision:

Security at Mozilla can be thought of a set of principles that are reflected in the products we ship, but also in the impact Mozilla has on the entire web.

Themes and Goals:

Web users are under constant attack from a wide variety of opponents, many of whom are merely opportunistic, but also by a minority of very clever and determined attackers.  To protect users, we need to improve our current products to keep pace with these evolving threats, but we are ultimately limited in what we can do unilaterally within our products.  We must also drive innovative solutions that require the participation of other vital players in the web ecosystem, including standards bodies, internet technology vendors, web developers, web admins and web frameworks.

As such, security at Mozilla has two complementary but distinct focuses.

• Protect our users directly from an ever-increasing volume & sophistication of online attacks, by improving the products and services we deliver from a feature and architecture standpoint.
• Drive innovative security solutions to enable the wider web ecosystem of web developers, web admins and users to adapt to evolving web technologies and their corresponding security threats.

Here the concrete goals are segmented into themes. Some goals may potentially fit into multiple themes, but are only identified here under the most relevant one.

Survey taken in early 2011 to identify and prioritize potential features for our security roadmap. The results of this survey are available as a Google doc or as PDF: File:Security roadmap survey.pdf.

NOTE: these goals are tentative and more may be added or some may be dropped.

Protect our Users

Items with Feature Pages

{{#ask: Feature stage::!LandedFeature roadmap::Security OR Feature secondary roadmap::Security | ?# | ?Feature name# | ?Feature priority# | ?Feature engineering team# | ?Feature stage# | ?Feature status# | ?Feature product manager# | mainlabel=- | sort=Feature priority,Feature stage | format=template | limit=500 | template=FeatureListTable }}

Pr

Feature

Team

Stage

Status

Product manager

Items without Feature Pages

Priority	Item	Status	ETA	Owner
P2	Plugin background updating	not started	?	Kev Needham
P2	Plugin sandboxing	not started	?	?
P2	Effective certificate revocation and management	not started	?	?
P2	Plugin runtime mitigations such as whitelist and/or click to	not started	?	Justin Dolske
P2	javascript: and data: handling in URL bar and chrome
P3	DLL whitelisting by name or signature	not started	?	?
P3	Stub installer for SSL Firefox downloads
P3	Track "Application Reputation"
P3	Prune dead and dying code
P3	Malloc should be infallible
P3	TLS 1.2 support
P3	Eviltraps meta-bug (prevents users from leaving a page)
P4	Notify user of malware in their crash signatures
P4	Expose HSTS and other security browser state to plugins (NPAPI)
	Ignore autocomplete="off" for password fields

Drive Security Innovation

Priority	Item	Status	Eta	Owner
P1	DNSSEC-based certificate authentication	In progress	?	David Keeler
P1	UX security experiment	not started	?	?
P2	Content Security Policy revisions	In progress	?	Brandon Sterne
P2	CSRF mitigations
P3	Clickjacking mitigations
P3	X-Content-Type-Options
P3	toStaticHTML

Roadmap

Links to implementation plan and progress:

• Firefox/Flight Tracking
• Firefox/Features