Changes

''Last Updated: 3 Nov 2016'' = Crypto Engineering Projects = Our team's major projects are broken down by module:

The crypto NSS is the cryptography and transport security library that powers Firefox. In 2016Q4 and 2017Q1 we're working on three aspects of NSS.

NSS [http://www-archive.mozilla.org/projects/security/pki/nss/history.html dates back to Netscape Navigator], and much of the infrastructure for working inside the codebase dated back nearly that far, making an artificially-high barrier to entry for new community contributors. * 2016 Q4: [[NSS/Build_System|Change build systems to Gyp]]for dramatically faster builds, with an easier-to-maintain set of build scripts.* 2016 Q4: Move reviews to Phabricator. ** MozReview's lack of a security-restricted mode makes it unacceptable* 2016 Q4: Semi-Automatic Branch Uplifts to Mozilla-Central, so that changes can be tested in Nightly.* 2016 Q4: [[NSS/Demos|[MWOS] Add new NSS demonstration code]] to show how to use NSS in a modern way.

Many things in NSS are old without being a barrier to community contribution.  * 2016 Q4: Support ARM and ARM64 testing in TaskCluster.** While NSS is security-critical on all our platforms, historically we only found out about breakage in ARM platforms after the fact, so we're now treating ARM and ARM64 as first-class testing environments.* 2016 Q4: Support fuzzing the internal interfaces.** If you build security-critical code today, you plan to fuzz it from the start. NSS wasn't built that way, so it needs some adjustments to make it fuzzy on the inside.* 2016 Q4: Port the AES-NI speedup Linux-x86 assembly code to NASM and cross-compile assemble it for Windows and OSX.

We're thought leaders in producing a more secure Internet; our software needs to keep up with our ideas. * 2016 Q4: Support TLS v1.3.** This is a major revision to the transport security specification, and a large boon for protecting our users from adversaries and surveillance. * 2016 Q4: [[NSS/BoGo_Tests|Integrate BoGo's integration tests into NSS builds]].* 2016 Q4: [[* The automated tests for NSS/ARGON2|MWOS Support Argon2]]are mostly unit tests. Integration testing was historically assumed to happen at Firefox, but that's limited. BoGo is a rich set of integration tests that can diagnose protocol issues during automated testing.* 2016 Q4: [[NSS/DemosARGON2|[MWOS Add new NSS demonstration code] Implement Argon2]]to provide a basis to modernize the Master Password in Firefox.* 2017 Q1: Post-Quantum Researchand Development.** Mozilla is intending to join the efforts in developing cryptography that will remain secure once quantum computers come online. This is expected to be a long-duration R&D effort.

PSM performs the business logic of deciding whether a given secure network connection is actually trustworthy. It applies logic from the user's choices, the Mozilla Root Program, and the platform in order to make a trust determination. E.g., whether to show a connection as secure. * 2016 Q4: Rearchitect Re-architect PSM/NSS interaction to eliminate shutdown crashes.** The interaction between PSM and NSS is extremely old, and doesn't follow the modern methods Gecko uses to initialize and shutdown modules. As such, NSS sometimes crashes when shutting down; this is a leading crash on Android. Fixing this is a substantial architectural change. * 2016 Q4 / 2017 Q1: Implement the [[Security/CryptoEngineering/SHA-1|SHA-1 Shutoff Plan]].** The WebPKI is halting use of SHA-1 for publicly-trusted certificates. PSM will be enforcing that halt starting in early 2017.

Password authentication is known to be a security liability on the Web. The [https://www.w3.org/TR/webauthn/ W3C Web Authentication Working Group is developing a specification] for using Scoped Credentials to supplement or replace passwords. Mozilla intends to implement Web Authentication (WebAuthn) specification. * 2016 Q2: FIDO U2F v1.1 JS API landed , hidden behind preferences.** You can test a pref. Test "Soft Token" using any recent version of Firefox using the instructions at https://u2f.bin.coffee/* 2016 Q4: Support USB HID U2F devices on Linux.* 2016 Q4: Draft WebAuthn JS API landed available, hidden behind a pref, using the Soft Tokenfrom U2F.* 2017 Q1: Support USB HID U2F devices on Windows / Mac OS X.* 2017 Q1: Integrate USB HID U2F devices with the WebAuthn JS API.* 2017 Q1-2: Update to the final implementation WebAuthn JS API.