Talk:SecurityEngineering/2014/Q3Goals
From MozillaWiki
This is the raw content from the etherpad brainstorming.
Working draft (includes crossed-off ideas):
Core/DOM
- Revamp Gecko security hooks (continued): what are the next steps?
- Finish code and debugging for the New Channel API; start getting reviews and fixing the issues they raise
- Get the New Channel API landed (we should be able to do that, perhaps without moving the content policy check)
- Figure out the add-on compatibility story
- Bonus: start architecting and implementing the new observer service
- CSP
  - Get rid of the old implementation entirely
  - CSP 1.1 compliance (finish what is needed to line up with the draft)
- Subresource Integrity (SRI): implement, plan out an implementation, or evaluate?
  - Once upon a time this was implemented as Link Fingerprints: bug 377245 (and dependencies)
- Referrer control
  - <meta> referrer control
  - CSP referrer directive
  - <a rel=noreferrer>
  - Make progress on the referrer= attribute for other DOM elements
Communications Security
- [CARRY OVER] SSL Error Reporting: finish the first implementation of the SSL error reporting feature. (dri=grobinson)
- [NEW] HPKP - implement pinning http header (dri=cviecco)
- [NEW] Update roadmap for Cert Revocation improvements (dri=rbarnes)
- [NEW] Create a mechanism to provision phones with an alternate cert (dri=mgoodwin)
- [NEW] Add measurement/enforcement of compliance with CABF Baseline Requirements (dri=keeler)
- [NEW] Create a tool for testing CA certificate compliance and EV-readiness (dri=keeler)
- [NEW] Add support for key wrap/unwrap and ECC in WebCrypto (dri=rbarnes)
- [NEW] [stretch goal] Enable revocation of intermediate CAs through block list service (dri=harsh, keeler)
- [NEW] [stretch goal] Require 2048-bit keys for built-in root certificates (dri=kathleen)
- [NEW] [stretch goal] Get CA Program data into one database (dri=kathleen)
Tracking Control
- Tracking protection in Firefox (https://bugzilla.mozilla.org/show_bug.cgi?id=1029886): land a feature in FF33 and FF34, off by default, that prevents users from connecting to domains on a list that we serve
- PR push for 33 around tracking protection
Evangelism
- Security outreach: Security Open Mic presentation + blog post about the new CSP, maybe again as a brown bag
- Talk at a (web dev) conference? Be more visible?
- Knock down Tor Browser Bundle bugs
- Tor dev conf at Mozilla Paris