SecurityEngineering/Roadmap: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
No edit summary
Line 1: Line 1:
<small>[[Roadmaps|&lt; Product Roadmaps]] </small>
<section begin="summary" />{{RoadmapSummary
|icon=larry.png
|pagelocation=Security/Roadmap
|pagetitle=Product Security Feature Roadmap
|owner=[[User:Ladamski|Lucas Adamski]]
|updated=June 3, 2011
|status=Draft
|description=Security at Mozilla can be thought of a set of principles that are reflected in the products we ship, but also in the impact Mozilla has on the entire web. As such our security roadmap should reflect the real security improvements we need to make to our products to reflect the evolving security landscape, but also the ambitious impact we'd like to have on all web users.}}<section end="summary" />
{{Draft}}
<br>
= Vision:  =
Security at Mozilla can be thought of a set of principles that are reflected in the products we ship, but also in the impact Mozilla has on the entire web.
= Themes and Goals:  =
Web users are under constant attack from a wide variety of opponents, many of whom are merely opportunistic, but also by a minority of very clever and determined attackers.&nbsp; To protect users, we need to improve our current products to keep pace with these evolving threats, but we are ultimately limited in what we can do unilaterally within our products.&nbsp; We must also drive innovative solutions that require the participation of other vital players in the web ecosystem, including standards bodies, internet technology vendors, web developers, web admins and web frameworks.
As such, security at Mozilla has two complementary but distinct focuses.
*Protect our users directly from an ever-increasing volume &amp; sophistication of online attacks, by improving the products and services we deliver from a feature and architecture standpoint.
*Drive innovative security solutions to enable the wider web ecosystem of web developers, web admins and users to adapt to evolving web technologies and their corresponding security threats.
Here the concrete goals are segmented into themes. Some goals may potentially fit into multiple themes, but are only identified here under the most relevant one.
Survey taken in early 2011 to identify and prioritize potential features for our security roadmap. The results of this survey are [https://spreadsheets.google.com/spreadsheet/pub?hl=en&hl=en&key=0AtpjIJJ66IkGdEQwOThzdHVFS0V4aUZUOWoxZXc3alE&output=html available as a Google doc] or as PDF: [[Image:Security roadmap survey.pdf]].
'''NOTE:''' these goals are tentative and more may be added or some may be dropped.
=== Protect our Users  ===
=== Protect our Users  ===


Line 139: Line 105:
| <br>
| <br>
|}
|}
=== Drive Security Innovation  ===
{|class=wikitable
|-
! Priority
! Item
! Status
! Eta
! Owner
|-
| P1
| DNSSEC-based certificate authentication
| <br>
| &nbsp;?
| &nbsp;?
|-
| P1<br>
| UX security experiment
| not started
| &nbsp;?
| &nbsp;?
|-
| P2
| Content Security Policy revisions<br>
| not started
| &nbsp;?
| &nbsp;?
|-
| P2<br>
| iframe sandbox
| <br>
| <br>
| <br>
|-
| P2<br>
| CSRF&nbsp;mitigations
| <br>
| <br>
| <br>
|-
| P3
| Clickjacking mitigations
|
|
|
|-
| P3
| X-Content-Type-Options
|
|
|
|-
| P3
| toStaticHTML
|
|
|
|}
<br>
= Roadmap  =
Links to implementation plan and progress:
*[[Firefox/Flight Tracking]]
*[[Firefox/Features]]
<br>
[[Category:Roadmaps]]

Revision as of 19:37, 27 June 2011

Protect our Users

Priority Item Status ETA Owner
P1
P2 Plugin background updating
 not started  ?   Kev Needham
P2 Plugin sandboxing
 not started  ?  ?
P2 Effective certificate revocation and management
 not started  ?  ?
P2 Plugin runtime mitigations such as whitelist and/or click to
not started  ?   Justin Dolske
P2 javascript: and data: handling in URL bar and chrome


P2
P3
 DLL whitelisting by name or signature
 not started
  ?
  ?
P3
 Stub installer for SSL Firefox downloads


P3
 Prune dead and dying code


P3
 Malloc should be infallible


P3
 TLS 1.2 support


P3
P3
 Eviltraps meta-bug (prevents users from leaving a page)


P4
 RFC 1918 local IP blocking


P4
 Notify user of malware in their crash signatures


P4
 Expose HSTS and other security browser state to plugins (NPAPI)


P4
 Prevent network requests to insecure sites (62178)


Retrieved from "https://wiki.mozilla.org/index.php?title=SecurityEngineering/Roadmap&oldid=323030"