SecurityEngineering/2014/Q1Goals

From MozillaWiki

This is a heavy-Implement quarter (as opposed to the other strategic actions in our SecurityEngineering/Strategy).

(Also linked from Platform/2014-Q1-Goals#Security_.26_Privacy)

Cert Revocation

  • Outcome: measure feasibility of pinning Mozilla properties
  • Who: briansmith, cviecco, keeler
    • [DONE] (cviecco) Implement: root name constraints bug 743700
    • [DONE] (briansmith) Implement: Land insanity - bug 878932
    • [DROPPED] (cviecco) Implement: Land key pinning + pin telemetry - dropped in favor of finishing the insanity goal
    • BONUS: [MISSED] (keeler) Implement: land cert error reporting. Combination of "report this to Mozilla" (miss) + collection infrastructure (done)

Sandboxing

  • Outcome: tighter sandbox, removes more access from child process
  • Who: kang, bbondy, ckerschb, keeler, sid
    • [DONE] (kang) Implement: nail down path to remoting file access, file bugs and begin work (so we can remove the OPEN syscall from the sandbox on b2g). See bug 930258 for the initial list; more will likely come up, but we are looking for callsites via strace.
    • [DONE] (bbondy) Implement: equivalent file access/pipe control for Windows -- bug 969559; dependencies gathered via strace.

Tracking Protection

  • Outcome: Users can import a list of content to block.
  • Who: mmc, grobinson, sid
    • [DROPPED] (mmc) Extend nsIContentPolicy to block network loads from tracking domains based on a remote list. Dropped in favor of work in lightbeam; we will integrate changes needed for lightbeam after this quarter.
    • [MISSED] (mmc) Fix lightbeam [done], add blocking heuristics [miss] - blocking heuristics developed in coordination with EFF as an initial experiment (not in gecko or lightbeam)

Security Feature Compatibility and Performance

  • Outcome: improve app loading time on B2G and page load times on desktop
  • Who: ckerschb, grobinson, sid
    • [MISSED] (ckerschb) CSP rewrite in C++ (perf for B2G and all platforms)
      • ETA: end of week (4/4). Ready for review by the end of the week.
    • [DONE] (grobinson) create deprecation plan for old parser