Revision history: "→Content Security: add require-sri-for"; Ptheriault (talk | contribs): "Update for q1 2017 (dump from google doc)".
=Overview=
Q4’16 was a period of significant change for the security engineering org at Mozilla. Further consolidating the team additions from Q2, security engineering is now united under Selena Deckelmann and reporting into the Firefox team. While our focus continues to cover both front-end and platform, the shift in org is helping to improve ties with the Firefox team and is already bringing results in the form of increased collaboration.

Q4 was largely heads down making progress on multi-quarter projects, but there are some important milestones to point out:
* Shipped SHA-1 deprecation options in FF51
* Content Security Policy
** “strict-dynamic” implemented in Firefox 52: a new CSP3 source expression that lets the trust granted to a nonce- or hash-allowed script propagate to the scripts it loads, so developers can write effective policies without maintaining host allowlists
* Sandbox Hardening
** Initial audit of Message Manager and IPDL protocols, work continuing in Q1
** Landed support for Safebrowsing V4 (pref’d off) in FF53
** On target for switching to V4 support by default in 2017
==Fuzzing==
* CA Program
** Over 2600 [https://wiki.mozilla.org/CA:SubordinateCAcerts intermediate certificates] disclosed in the [https://wiki.mozilla.org/CA:CommonCADatabase Common CA Database]; over 230 [https://wiki.mozilla.org/CA:RevokedSubCAcerts revoked intermediate certificates] added to [https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ OneCRL]
= Prior Editions =
* [[SecurityEngineering/Newsletter/2016Q4|2016 Q4]]