122
edits
Changes
Q2 project updates
NSS is the cryptography and transport security library that powers Firefox.
** The automated tests for NSS are mostly unit tests. Integration testing was historically assumed to happen at Firefox, but that's limited. BoGo is a rich set of integration tests that can diagnose protocol issues during automated testing.
* 2016 2017 Q4: [[NSS/ARGON2|[MWOS] Implement Argon2]] to provide a basis to modernize the Master Password in Firefox.* 2017 Q1: Post-Quantum Research and Development.
** Mozilla is intending to join the efforts in developing cryptography that will remain secure once quantum computers come online. This is expected to be a long-duration R&D effort.
** The interaction between PSM and NSS is extremely old, and doesn't follow the modern methods Gecko uses to initialize and shutdown modules. As such, NSS sometimes crashes when shutting down; this is a leading crash on Android. Fixing this is a substantial architectural change.
** Details here: [[Security/CryptoEngineering/Platform Use of NSS|Platform Use of NSS]]
* 2017 Q2: Speed up TLS handshakes* 2016 Q4 / 2017 Q1Q2: Implement the [[Security/CryptoEngineering/SHA-1|SHA-1 Shutoff Plan]].Continue work on our Certificate Transparency implementation and test infrastructure** The WebPKI is halting use of SHA2017 Q3: Move error-1 string formatting for publiclyour error pages into the front-trusted certificates. PSM will be enforcing that halt starting in early end JavaScript* 2017.Q3: Retool the "See more" sections of error pages using JavaScript to provide more help
== Web Authentication ==
* 2017 Q2: Support USB HID U2F devices on Linux.
* 2017 Q2: Integrate USB HID U2F devices with the WebAuthn JS API.
* 2017 Q2: Support USB HID U2F devices on Windows / Mac OS X.* 2017 Q2: Support USB HID U2F devices on Windows.* 2017 Q2-3: Update to Working Draft 5 of the final implementation WebAuthn JS API.
* 2017 (sometime): Support USB HID CTAP devices on desktop platforms. (Exact version TBD)
* 2017 (sometime): Support WebAuthn for mobile Firefox.
* 2017 (late): Update to the Candidate Recommendation of the WebAuthn JS API.
All of the above dates are for landing in Firefox Nightly.
'''Goal''': permit use of U2F tokens via a user-controllable preference (not on by default) in Firefox 56 or 57, and Web Authentication (on by default) in Firefox 57 or 58. (See [[RapidRelease/Calendar]])
== DOM Security ==
* 2017 Q2: Enable [https://wicg.github.io/hsts-priming/ HSTS Priming] in Firefox Beta
* 2017 Q2: Update our Mixed Content Blocking implementation to the [https://www.w3.org/TR/mixed-content/ W3C Candidate Recommendation]
* 2017 Q3: Release paper on HSTS Priming approach