Security/CryptoEngineering: Difference between revisions

Security/CryptoEngineering (view source)

Revision as of 17:00, 5 May 2017

1,166 bytes removed , 5 May 2017

Q2 project updates

Jcjones

122

edits

@@ Line 8: / Line 8: @@
 NSS is the cryptography and transport security library that powers Firefox.
-In 2016Q4 and 2017Q1 we're working on three aspects of NSS.
+* 2017 Q2: [[NSS/Demos|[MWOS] Add new NSS demonstration code]] to show how to use NSS in a modern way.
+* 2017 Q2: [[NSS/ARGON2|[MWOS] Implement Argon2]] to provide a basis to modernize the Master Password in Firefox.
-=== Improve Developer Ergonomics ===
+* 2017 Q2: Implement hardware crypto accelerations on OSX and ARM
-NSS [http://www-archive.mozilla.org/projects/security/pki/nss/history.html dates back to Netscape Navigator], and much of the infrastructure for working inside the codebase dated back nearly that far, making an artificially-high barrier to entry for new community contributors.
+* 2017 Q3: [[NSS/BoGo_Tests|Integrate BoGo's integration tests into NSS builds]].
-* 2016 Q4: [[NSS/Build_System|Change build systems to Gyp]] for dramatically faster builds, with an easier-to-maintain set of build scripts.
-* 2016 Q4: Move reviews to Phabricator.
-** MozReview's lack of a security-restricted mode makes it unacceptable
-* 2016 Q4: Semi-Automatic Branch Uplifts to Mozilla-Central, so that changes can be tested in Nightly.
-* 2016 Q4: [[NSS/Demos|[MWOS] Add new NSS demonstration code]] to show how to use NSS in a modern way.
-=== Cleanup ===
-Many things in NSS are old without being a barrier to community contribution.
-* 2016 Q4: Support ARM and ARM64 testing in TaskCluster.
-** While NSS is security-critical on all our platforms, historically we only found out about breakage in ARM platforms after the fact, so we're now treating ARM and ARM64 as first-class testing environments.
-* 2016 Q4: Support fuzzing the internal interfaces.
-**  If you build security-critical code today, you plan to fuzz it from the start. NSS wasn't built that way, so it needs some adjustments to make it fuzzy on the inside.
-* 2016 Q4: Port the AES-NI speedup Linux-x86 assembly code to NASM and cross-assemble it for Windows and OSX.
-=== New Functions ===
-We're thought leaders in producing a more secure Internet; our software needs to keep up with our ideas.
-* 2016 Q4: Support TLS v1.3.
-** This is a major revision to the transport security specification, and a large boon for protecting our users from adversaries and surveillance.
-* 2016 Q4: [[NSS/BoGo_Tests|Integrate BoGo's integration tests into NSS builds]].
 ** The automated tests for NSS are mostly unit tests. Integration testing was historically assumed to happen at Firefox, but that's limited. BoGo is a rich set of integration tests that can diagnose protocol issues during automated testing.
-* 2016 Q4: [[NSS/ARGON2|[MWOS] Implement Argon2]] to provide a basis to modernize the Master Password in Firefox.
+* 2017 Q4: Post-Quantum Research and Development.
-* 2017 Q1: Post-Quantum Research and Development.
 ** Mozilla is intending to join the efforts in developing cryptography that will remain secure once quantum computers come online. This is expected to be a long-duration R&D effort.
@@ Line 45: / Line 22: @@
 ** The interaction between PSM and NSS is extremely old, and doesn't follow the modern methods Gecko uses to initialize and shutdown modules. As such, NSS sometimes crashes when shutting down; this is a leading crash on Android. Fixing this is a substantial architectural change.
 ** Details here: [[Security/CryptoEngineering/Platform Use of NSS|Platform Use of NSS]]
+* 2017 Q2: Speed up TLS handshakes
-* 2016 Q4 / 2017 Q1: Implement the [[Security/CryptoEngineering/SHA-1|SHA-1 Shutoff Plan]].
+* 2017 Q2: Continue work on our Certificate Transparency implementation and test infrastructure
-** The WebPKI is halting use of SHA-1 for publicly-trusted certificates. PSM will be enforcing that halt starting in early 2017.
+* 2017 Q3: Move error-string formatting for our error pages into the front-end JavaScript
+* 2017 Q3: Retool the "See more" sections of error pages using JavaScript to provide more help
 == Web Authentication ==
@@ Line 59: / Line 37: @@
 * 2017 Q2: Support USB HID U2F devices on Linux.
 * 2017 Q2: Integrate USB HID U2F devices with the WebAuthn JS API.
-* 2017 Q2: Support USB HID U2F devices on Windows / Mac OS X.
+* 2017 Q2: Support USB HID U2F devices on Mac OS X.
-* 2017 Q2-3: Update to the final implementation WebAuthn JS API.
+* 2017 Q2: Support USB HID U2F devices on Windows.
+* 2017 Q2-3: Update to Working Draft 5 of the WebAuthn JS API.
 * 2017 (sometime): Support USB HID CTAP devices on desktop platforms. (Exact version TBD)
 * 2017 (sometime): Support WebAuthn for mobile Firefox.
+* 2017 (late): Update to the Candidate Recommendation of the WebAuthn JS API.
 All of the above dates are for landing in Firefox Nightly.
 '''Goal''': permit use of U2F tokens via a user-controllable preference (not on by default) in Firefox 56 or 57, and Web Authentication (on by default) in Firefox 57 or 58. (See [[RapidRelease/Calendar]])
+== DOM Security ==
+* 2017 Q2: Enable [https://wicg.github.io/hsts-priming/ HSTS Priming] in Firefox Beta
+* 2017 Q2: Update our Mixed Content Blocking implementation to the [https://www.w3.org/TR/mixed-content/ W3C Candidate Recommendation]
+* 2017 Q3: Release paper on HSTS Priming approach