SecurityEngineering/2014/Q4Goals

This is a heavy-Implement quarter (as opposed to the other strategic actions in our SecurityEngineering/Strategy).

Content Security

Outcome

More robust security hooks for better correctness in content security features like CSP, adblock, etc.

Who

Tanvi, Christoph, Sid, Francois, Steve

• [AT RISK] Add LoadInfo to Gecko-owned JS callers (dri=ckerschb,tanvi)
• [DONE] Use LoadInfo to implement MCB for HTTP redirects (dri=tanvi)
• [DONE] Implement Next Block of CSP Level 2.0 features (dri=sstamm,ckerschb)
  • Work to fix spec to have child-src directive we want
  • Implement form-action directive
  • Implement referrer directive (depends on bug 704320)
  • Fix frame-ancestors mapping
  • Work to fix spec about blob urls
• [ON TRACK] Initial Implementation of sub-resource integrity (bug 992096) (dri=francois)

Tracking Protection

Outcome

Better user control (and site control) over metadata on the wire and collected by third parties.

Who

Sid

• [DONE] Finish <meta> referrer (dri=sid)

Addon Security

Outcome

TBD

Who

Dan Veditz

Goals:

• [ON TRACK] Require signed add-ons (backend) See bug 1047239(dri=dveditz)

Communications Security

Outcome

Fresher/more accurate revocation information and progress towards defeating certificate misissuance and Man-In-The-Middle attacks.

Who

Richard, Kathleen, Keeler, Monica, JC, Mark

• [ON TRACK] Add more BR checking (some combination of giving errors during path building, wall of shame, console warnings -- tbd) (dri=dkeeler)
• [DONE] Identify what of Certificate Transparency we must/should deploy (dri=rbarnes)
• [DONE] Complete phase 1 of migration to CA database (dri=kwilson)
• [ON TRACK] [stretch] Import mozilla::pkix to a branch of NSS (dri=jcjones)
• [ON TRACK] [stretch] Add ability to name constrain more root CAs (dri=dkeeler)
• [DONE] [stretch] Add security warnings about SHA-1 to Web Console (dri=mgoodwin)
• [ON TRACK] OneCRL client implementation (dri=mgoodwin)

QE (tracking)

We also track security related QE goals. (section owner=mwobensmith)

Official list 

(link TBD)

• [AT RISK] Tool telemetry of SSL errors/over-rides to watch for outliers, e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=1058812#c42 (dri=matt)
  • https://lists.mozilla.org/listinfo/dev-telemetry-alerts
• [DONE] Setup SSL compatibility testing to be run at the beginning of Beta for each branch. (dri=matt)
• [DONE] Figure out how to take the cert caching into account when running SSL compatibility tests(dri=matt)