SecurityEngineering/Roadmap: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
(Redirected page to Security/Roadmap)
 
(10 intermediate revisions by 3 users not shown)
Line 1: Line 1:
<small>[[Roadmaps|&lt; Product Roadmaps]] </small>
#REDIRECT [[Security/Roadmap]]
 
<section begin="summary" />{{RoadmapSummary
|icon=larry.png
|pagelocation=Security/Roadmap
|pagetitle=Product Security Feature Roadmap
|owner=Sid Stamm
|updated=Weekly
|status=Draft
|description=Security at Mozilla can be thought of a set of principles that are reflected in the products we ship, but also in the impact Mozilla has on the entire web. As such our security roadmap should reflect the real security improvements we need to make to our products to reflect the evolving security landscape, but also the ambitious impact we'd like to have on all web users.}}<section end="summary" />
 
{{Draft}}
 
<br>
 
= Vision =
 
Security at Mozilla can be thought of a set of principles that are reflected in the products we ship, but also in the impact Mozilla has on the entire web.
 
= Themes and Goals =
 
Web users are under constant attack from a wide variety of opponents, many of whom are merely opportunistic, but also by a minority of very clever and determined attackers.&nbsp; To protect users, we need to improve our current products to keep pace with these evolving threats, but we are ultimately limited in what we can do unilaterally within our products.&nbsp; We must also drive innovative solutions that require the participation of other vital players in the web ecosystem, including standards bodies, internet technology vendors, web developers, web admins and web frameworks.
 
As such, security engineering at Mozilla has two primary themes:
 
*Inward Security: Protect our users directly from an ever-increasing volume &amp; sophistication of online attacks, by directly improving the products and services we deliver
*Outward Security: Drive innovative security solutions to enable the wider web ecosystem of web developers, web admins and users to adapt to evolving web technologies and their corresponding security threats.
 
In this roadmap we identify outcomes that fall into one of these two themes.  The concrete projects and work units work towards one or more outcomes (but are classified into outcome for simplicity).  As we make progress on the tasks under an outcome, we get closer to realizing it.
 
Survey taken in early 2011 to identify and prioritize potential features for our security roadmap. The results of this survey are [https://spreadsheets.google.com/spreadsheet/pub?hl=en&hl=en&key=0AtpjIJJ66IkGdEQwOThzdHVFS0V4aUZUOWoxZXc3alE&output=html available as a Google doc] or as PDF: [[Image:Security roadmap survey.pdf]].
 
'''NOTE:''' these goals and prioritizations are tentative and more may be added or some may be changed, reprioritized or dropped.
 
= Outcomes: =
There are some major outcomes that can be realized by completion of multiple features.  These features already show up on the master list above, but this categorizes them into desired outcomes.
 
=== Firefox, the Safest Platform ===
Firefox needs to be the safest browser and OS for our users.  To get there, we have to harden the platform and contain exploits.  This outcome can be realized when people regularly choose Firefox when they care about safety (but not have to trade performance or compatibility for it).
 
<table class="querytable sortable">
<tr>
<td class="header" style="width: 5%;">Pr</td>
<td class="header" style="width: 35%;">Feature</td>
<td class="header" style="width: 10%;">Stage</td>
<td class="header" style="width: 10%;">Release target</td>
<td class="header" style="width: 20%;">Product manager</td>
<td class="header" style="width: 20%;">Feature manager</td>
</tr>
{{#ask: [[Category:Feature Page]]
[[Feature theme::Product Hardening]]
| ?#
| ?Feature name#
| ?Feature priority#
| ?Feature stage#
| ?Feature version#
| ?Feature product manager#
| ?Feature feature manager#
| mainlabel=-
| sort=Feature priority, Feature stage
| format=template
| limit=500
| template=FeatureListTable
}}
</table>
 
=== Web, the Safest Platform ===
The web needs to be the safest place for developers to deploy their software.  We must lead on security in Firefox, but also the web platform, by building tools and safe defaults for developers.  This outcome can be realized when developers regularly choose the Web to create innovative and safe applications.
 
<table class="querytable sortable">
<tr>
<td class="header" style="width: 5%;">Pr</td>
<td class="header" style="width: 35%;">Feature</td>
<td class="header" style="width: 10%;">Stage</td>
<td class="header" style="width: 10%;">Release target</td>
<td class="header" style="width: 20%;">Product manager</td>
<td class="header" style="width: 20%;">Feature manager</td>
</tr>
{{#ask: [[Category:Feature Page]]
[[Feature theme::Security Leadership]] OR
[[Feature theme::Web Hardening]]
| ?#
| ?Feature name#
| ?Feature priority#
| ?Feature stage#
| ?Feature version#
| ?Feature product manager#
| ?Feature feature manager#
| mainlabel=-
| sort=Feature priority, Feature stage
| format=template
| limit=500
| template=FeatureListTable
}}
</table>
=== HTTPS can be used as default ===
Right now, when users navigate to a web site without specifying the protocol or scheme, Firefox assumes "http" as the scheme.  For optimal protection from eavesdropping and for encryption of cookies and other HTTP request data in transit, we should be able to attempt HTTPS and fall back to HTTP only when absolutely necessary.
 
This outcome can be realized when Firefox can be changed to default to the HTTPS scheme instead of HTTP.
 
<table class="querytable sortable">
<tr>
<td class="header" style="width: 5%;">Pr</td>
<td class="header" style="width: 35%;">Feature</td>
<td class="header" style="width: 10%;">Stage</td>
<td class="header" style="width: 10%;">Release target</td>
<td class="header" style="width: 20%;">Product manager</td>
<td class="header" style="width: 20%;">Feature manager</td>
</tr>
{{#ask: [[Category:Feature Page]]
[[Feature theme::TLS Hardening]]
| ?#
| ?Feature name#
| ?Feature priority#
| ?Feature stage#
| ?Feature version#
| ?Feature product manager#
| ?Feature feature manager#
| mainlabel=-
| sort=Feature priority, Feature stage
| format=template
| limit=500
| template=FeatureListTable
}}
</table>
 
=Ideas Not Yet Awesome Enough=
Apparently these ideas are not yet great enough to merit feature pages.  If you disagree, you can [[Features/Create new | create a new feature page]] for it!  Just make sure to put "Security" in the primary or secondary roadmap field.
 
{|class=wikitable
|-
! Item
! Owner
|-
| First-run warning for new plugins<br>
| <br>
|-
| [https://wiki.mozilla.org/NPAPI:Pepper2 Plugin sandboxing]<br>
| <br>
|-
| Malloc should be infallible<br>
| <br>
|-
| TLS&nbsp;1.2 support<br>
| <br>
|-
| [https://bugzilla.mozilla.org/show_bug.cgi?id=432687 Eviltraps meta-bug] (prevents users from leaving a page)<br>
| <br>
|-
| Notify user of malware in their crash signatures<br>
| <br>
|-
| Expose HSTS&nbsp;and other security browser state to plugins (NPAPI)<br>
| <br>
|-
| Ignore autocomplete="off" for password fields
| <br>
|-
| [https://bugzilla.mozilla.org/show_bug.cgi?id=663566 Content Security Policy revisions]
| Brandon Sterne
|-
| Clickjacking mitigations
|
|-
| X-Content-Type-Options
|
|-
| toStaticHTML
|
|-
| Block DLLs without ASLR
|
|-
| [https://bugzilla.mozilla.org/show_bug.cgi?id=677797 Force ASLR or similar mitigations (EMET)]
|
|}
 
<br>
 
=Completed Features=
<table class="querytable sortable">
<tr>
<td class="header" style="width: 5%;">Pr</td>
<td class="header" style="width: 25%;">Feature</td>
<td class="header" style="width: 10%;">Team</td>
<td class="header" style="width: 10%;">Release</td>
<td class="header" style="width: 15%;">Product Manager</td>
<td class="header" style="width: 20%;">Theme</td>
</tr>
{{#ask: [[Category:Feature Page]] [[Feature status::Complete]] [[Feature roadmap::Security]] OR [[Feature secondary roadmap::Security]] [[Feature status::Complete]]
| ?#
| ?Feature name#
| ?Feature priority#
| ?Feature engineering team#
| ?Feature version#
| ?Feature product manager#
| ?Feature theme#
| mainlabel=-
| sort=Feature priority,Feature stage
| format=template
| limit=500
| template=FeatureListTable
}}
</table>
 
= All Features =
<table class="wikitable collapsible collapsed">
<tr><th>Items with feature pages &nbsp; </th></tr>
<tr><td>
<table class="querytable sortable">
<tr>
<td class="header" style="width: 5%;">Pr</td>
<td class="header" style="width: 30%;">Feature</td>
<td class="header" style="width: 15%;">Team</td>
<td class="header" style="width: 15%;">Stage</td>
<td class="header" style="width: 20%;">Directly Responsible Individual</td>
<td class="header" style="width: 15%;">Theme</td>
</tr>
{{#ask: [[Category:Feature Page]] [[Feature stage::!Complete]] [[Feature roadmap::Security]] OR [[Feature secondary roadmap::Security]]
| ?#
| ?Feature name#
| ?Feature priority#
| ?Feature engineering team#
| ?Feature stage#
| ?Feature feature manager#
| ?Feature theme#
| mainlabel=-
| sort=Feature priority,Feature stage
| format=template
| limit=500
| template=FeatureListTable
}}
</table>
</td></tr>
</table>
 
=Related Info=
 
Links to implementation plan and progress:
 
*[[Firefox/Flight Tracking]]
*[[Firefox/Features]]
 
Inputs into the security roadmap:
 
* [https://bugzilla.mozilla.org/buglist.cgi?quicksearch=kw:sec-want sec-want bugs] that are both important and complex
 
[[Category:Roadmaps]]

Latest revision as of 03:10, 29 July 2016

Redirect to:

Retrieved from "https://wiki.mozilla.org/index.php?title=SecurityEngineering/Roadmap&oldid=1141792"