Changes

Jump to: navigation, search

Security/CryptoEngineering

1,166 bytes removed, 17:00, 5 May 2017
Q2 project updates
NSS is the cryptography and transport security library that powers Firefox.
In 2016Q4 and 2017Q1 we're working on three aspects of NSS. === Improve Developer Ergonomics ===NSS [http://www-archive.mozilla.org/projects/security/pki/nss/history.html dates back to Netscape Navigator], and much of the infrastructure for working inside the codebase dated back nearly that far, making an artificially-high barrier to entry for new community contributors. * 2016 Q4: [[NSS/Build_System|Change build systems to Gyp]] for dramatically faster builds, with an easier-to-maintain set of build scripts.* 2016 Q4: Move reviews to Phabricator. ** MozReview's lack of a security-restricted mode makes it unacceptable* 2016 Q4: Semi-Automatic Branch Uplifts to Mozilla-Central, so that changes can be tested in Nightly.* 2016 Q42017 Q2: [[NSS/Demos|[MWOS] Add new NSS demonstration code]] to show how to use NSS in a modern way.  === Cleanup ===Many things in NSS are old without being a barrier to community contribution.  * 2016 Q42017 Q2: Support ARM and ARM64 testing in TaskCluster.** While [[NSS is security-critical on all our platforms, historically we only found out about breakage in ARM platforms after the fact, so we're now treating ARM and ARM64 as first-class testing environments.* 2016 Q4: Support fuzzing the internal interfaces.** If you build security-critical code today, you plan /ARGON2|[MWOS] Implement Argon2]] to fuzz it from the start. NSS wasn't built that way, so it needs some adjustments provide a basis to make it fuzzy on modernize the insideMaster Password in Firefox.* 2016 Q42017 Q2: Port the AES-NI speedup Linux-x86 assembly code to NASM and cross-assemble it for Windows and Implement hardware crypto accelerations on OSX. === New Functions ===We're thought leaders in producing a more secure Internet; our software needs to keep up with our ideas. * 2016 Q4: Support TLS v1.3.** This is a major revision to the transport security specification, and a large boon for protecting our users from adversaries and surveillance. ARM* 2016 Q42017 Q3: [[NSS/BoGo_Tests|Integrate BoGo's integration tests into NSS builds]].
** The automated tests for NSS are mostly unit tests. Integration testing was historically assumed to happen at Firefox, but that's limited. BoGo is a rich set of integration tests that can diagnose protocol issues during automated testing.
* 2016 2017 Q4: [[NSS/ARGON2|[MWOS] Implement Argon2]] to provide a basis to modernize the Master Password in Firefox.* 2017 Q1: Post-Quantum Research and Development.
** Mozilla is intending to join the efforts in developing cryptography that will remain secure once quantum computers come online. This is expected to be a long-duration R&D effort.
** The interaction between PSM and NSS is extremely old, and doesn't follow the modern methods Gecko uses to initialize and shutdown modules. As such, NSS sometimes crashes when shutting down; this is a leading crash on Android. Fixing this is a substantial architectural change.
** Details here: [[Security/CryptoEngineering/Platform Use of NSS|Platform Use of NSS]]
* 2017 Q2: Speed up TLS handshakes* 2016 Q4 / 2017 Q1Q2: Implement the [[Security/CryptoEngineering/SHA-1|SHA-1 Shutoff Plan]].Continue work on our Certificate Transparency implementation and test infrastructure** The WebPKI is halting use of SHA2017 Q3: Move error-1 string formatting for publiclyour error pages into the front-trusted certificates. PSM will be enforcing that halt starting in early end JavaScript* 2017.Q3: Retool the "See more" sections of error pages using JavaScript to provide more help
== Web Authentication ==
* 2017 Q2: Support USB HID U2F devices on Linux.
* 2017 Q2: Integrate USB HID U2F devices with the WebAuthn JS API.
* 2017 Q2: Support USB HID U2F devices on Windows / Mac OS X.* 2017 Q2: Support USB HID U2F devices on Windows.* 2017 Q2-3: Update to Working Draft 5 of the final implementation WebAuthn JS API.
* 2017 (sometime): Support USB HID CTAP devices on desktop platforms. (Exact version TBD)
* 2017 (sometime): Support WebAuthn for mobile Firefox.
* 2017 (late): Update to the Candidate Recommendation of the WebAuthn JS API.
All of the above dates are for landing in Firefox Nightly.
'''Goal''': permit use of U2F tokens via a user-controllable preference (not on by default) in Firefox 56 or 57, and Web Authentication (on by default) in Firefox 57 or 58. (See [[RapidRelease/Calendar]])
 
== DOM Security ==
* 2017 Q2: Enable [https://wicg.github.io/hsts-priming/ HSTS Priming] in Firefox Beta
* 2017 Q2: Update our Mixed Content Blocking implementation to the [https://www.w3.org/TR/mixed-content/ W3C Candidate Recommendation]
* 2017 Q3: Release paper on HSTS Priming approach
Jcjones
122
edits
Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/1170487"

Navigation menu