SecurityEngineering: Difference between revisions

From MozillaWiki
m (→‎How to participate: add mmc's blog)
Line 12: Line 12:
==How We Work==
==How We Work==
The Security Engineering team works publicly like other Mozilla engineering teams.
The Security Engineering team works publicly like other Mozilla engineering teams.
Continuously, we are focused on four top-level activities:


Our team is driven by our roadmaps:
* [[Privacy/Roadmap|Privacy Roadmap]]
* [[Security/Roadmap|Security Roadmap]]
If something is not on our roadmaps and prioritized as a P1, we aren't working on it. If it should be, please let us know (keeping in mind our resources are finite).
Continuously, we are focused on four top-level activities:
* Evangelize what we do
* Evangelize what we do
* Research new Ideas
* Research new Ideas
* Consult on Architecture and Design
* Consult on Architecture and Design
* Implement and Deploy  
* Implement and Deploy  


We are not always the best team to implement a given privacy or security feature, so another important role we play is to champion privacy and security features throughout the Mozilla community.
We are not always the best team to implement a given privacy or security feature, so another important role we play is to champion privacy and security features throughout the Mozilla community.
Line 39: Line 34:
| Lead: [[User:Imelven|Ian Melven]]
| Lead: [[User:Imelven|Ian Melven]]
|
|
|-
|  
| Secure Communications
| Lead: [[User:Bsmith|Brian Smith]]
| We want to make sure you get what you ask for, so we're hardening our SSL/TLS stack (and [[CA]] program), rolling out [https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/ Mixed Content blocking], and developing a [http://www.w3.org/2012/webcrypto/ Web Crypto API] to help sites lock down messaging.
|}
|}



Revision as of 16:22, 7 June 2013


Security Engineering

Our team is tasked with building secure operation and user sovereignty into the web platform and also leveraging the open web to bring these attributes to more environments. We focus hard on ways to improve the privacy and security of all web users, in a Mozilla way that engages the community in our design and implementation decisions. These priorities are reflected in the Privacy and Security roadmaps this team manages, public evangelism and participation in relevant standards bodies to maximize adoption of new privacy & security mechanisms.

The open web is powerful; the huge number of people working on web standards and software is astonishing, and the rapid advancement of new businesses and technologies online magnifies the need for advances in mechanisms that enable secure systems and users' control over their presence online.

Who is involved

Security Engineering is led by Sid Stamm, and mainly driven by Monica Chew, David Dahl, Meadhbh Hamrick, David Keeler, Ian Melven, Garrett Robinson, Brian Smith, Camilo Viecco, Tanvi Vyas, and Kathleen Wilson. But our team isn't limited to these people -- there are many others out there in the community who help us accomplish more than we can alone, and we thrive on their passion, interest and help.

How We Work

The Security Engineering team works publicly like other Mozilla engineering teams. Continuously, we are focused on four top-level activities:

  • Evangelize what we do
  • Research new Ideas
  • Consult on Architecture and Design
  • Implement and Deploy


We are not always the best team to implement a given privacy or security feature, so another important role we play is to champion privacy and security features throughout the Mozilla community.

Current major efforts:

  • Contextual Identity (Lead: Monica Chew): Many people have multiple "me"s depending on their activity. We want to understand how people think about their identities and help them manage 'em. Current projects include: Blushproof.
  • Sandboxing (Lead: Ian Melven)
  • Secure Communications (Lead: Brian Smith): We want to make sure you get what you ask for, so we're hardening our SSL/TLS stack (and CA program), rolling out Mixed Content blocking, and developing a Web Crypto API to help sites lock down messaging.

Some recent highlights:

How to participate

Discuss: We hang out on #security on irc.mozilla.org, and our primary mailing list is mozilla.dev.security. Milestone reviews and other meetings will be announced on mozilla.dev.security.

Follow our work: To see our current progress against features please see our blogs: Sid's, Tanvi's, Ian's, Monica's, and the Mozilla Security Blog. Also, feel free to take a peek at our roadmaps: Privacy Roadmap & Security Roadmap. Our weekly meeting notes for previous meetings are located here: SecurityEngineering/MeetingNotes

Contribute: Wanna pitch in, maybe do a project? Check out SecurityEngineering/Projects or the good first bugs list and if one interests you, contact us!

Experimental Things

From time to time we make add-ons to try out experimental features. Here are a few; let us know what you think!

Security Bugs

If you've found a security bug please see http://www.mozilla.org/security/#For_Developers