This is a heavy-Implement quarter (as opposed to the other strategic actions in our SecurityEngineering/Strategy).
(Also linked from Platform/2014-Q3-Goals#Security_.26_Privacy_Engineering).
- Progress towards more robust security hooks for better correctness in content security features like CSP, adblock, etc.
- Tanvi, Christoph, Garrett, Sid
- [DONE] Gecko Security Hooks: Finish code and debugging for NS_NewChannel API, start getting reviews. See bug 1038756, bug 1006881 (dri=tanvi)
- [DEFER] Gecko Security Hooks: Create plan for addon compatibility - nothing to do until JS impl is done (dri=tanvi)
- [DONE] CSP: Remove old JS implementation from mozilla-central. Target Fx34. See bug 994782 (dri=sstamm)
- [DONE] Evangelism: Security blog post about new CSP implementation, maybe again as brown bag. (dri=sstamm)
- [ON TRACK] [stretch goal] CSP: Fix majority of CSP 1.1 compatibility bugs. See planning etherpad (dri=ckerschb)
- Better user control (and site control) over metadata on the wire and collected by third parties.
- Monica, Garrett, Sid, Georgios
- [AT RISK] Referer: Finish implementation of <meta> referrer control with volunteer help. See bug 704320, very close. (dri=sstamm)
- [DONE] Land backend and bridge code for first implementation of protection in Fx 33/34 off by default. BONUS: landed frontend code too (dri=mmc)
- Fresher/more accurate revocation information and progress towards defeating certificate misissuance and Man-In-The-Middle attacks.
- Richard, Kathleen, Keeler, Camilo, Harsh, Garrett, Monica
- [DONE] SSL Error Reporting finish first implementation of ssl error reporting feature. (dri=mgoodwin)
- [DONE] HPKP - implement pinning http header (dri=cviecco)
- [DONE] Update roadmap for Cert Revocation improvements (dri=rbarnes)
- [DONE] Create a mechanism to provision phones with an alternate cert (dri=mgoodwin)
- [DONE] Add measurement/enforcement of compliance with CABF Baseline Requirements. See bug 1050546 (dri=keeler)
- [DONE] Create a tool for testing CA certificate compliance and EV-readiness. See bug 926599 and bug 1029095 (dri=keeler)
- [DONE] Add support for key wrap/unwrap and ECC in WebCrypto (dri=rbarnes)
- [DEFER] [stretch goal] Enable revocation of intermediate CAs through block list service (dri=mgoodwin, keeler)
- [DONE] [stretch goal] Retire first batch of 1024-bit roots, working towards requiring 2048-bit keys for built-in root certificates (dri=kathleen)
- [DEFER] [stretch goal] Get CA Program data into one database (dri=kathleen)