
Security/Automation/Winter Of Security 2016

454 bytes added, 08:53, 17 June 2016
Mozilla advisors will be available weekly on video (Vidyo, Google Hangout or Skype) to discuss progress and roadblocks, and provide help. Professors can set intermediate deadlines if needed, and have complete control over the grading of their students.
== Project Ideas (non-definitive) ==

=== A Firefox addon for TLS observations ===
Proposed by: ulfr

Monitoring TLS certificates and ciphersuites requires deploying scanners in various locations. Would it be possible to write an addon that lets users subscribe to a scanning queue and participate in the scanning effort?
=== A web interface for Mozilla Investigator ===
* Mentors: [https://mozillians.org/en-US/u/jvehent/ Julien Vehent] and [https://mozillians.org/en-US/u/alm/ Aaron Meihm]

MIG is primarily a command-line tool, but a web interface would be a nice addition for people who just want to visualize results. This project would require changes to the backend API of MIG to handle various permission levels, as well as a good knowledge of JavaScript to write the frontend.
 
=== A CI platform for security testing ===
Proposed by: ulfr
 
Developers write their code in GitHub and use CI tools like CircleCI, Travis-CI or Taskcluster to run tests and tasks when code is submitted. The goal of this project is to write a webhook-driven CI tool that runs security tests on GitHub projects. Tests include dependency checking (nps, pip list --outdated, ...), ZAP baseline scanning, git commit integrity, ...
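As an added example (not code from this page or from any Mozilla project), the receiving end of such a webhook-driven tool in Python: it checks the GitHub X-Hub-Signature-256 HMAC before trusting anything in the delivery, and turns a verified push event into the three kinds of job the paragraph lists. The secret, the payload, the staging target URL and the job commands are constructed for the example; a real tool would run the jobs in a clean checkout rather than on the CI host.

```python
import hashlib
import hmac
import json
from typing import Optional

# Shared secret configured on the GitHub webhook and in the CI tool.
# Constructed for this example; a deployment loads it from a secret store.
WEBHOOK_SECRET = b"example-webhook-secret"


def sign_body(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256 for this body and secret."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Reject unsigned or forged deliveries. compare_digest is constant-time,
    so a forger cannot recover the expected MAC byte by byte via timing."""
    if not header or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_body(secret, body), header)


def plan_security_tasks(event: str, payload: dict,
                        target_url: Optional[str] = None) -> list:
    """Map a verified push event to the security jobs to queue.
    The commands are illustrative (assumed); the ZAP baseline job needs a
    deployed instance to point at, so it is only planned when one is known."""
    if event != "push":
        return []  # pings, PR comments, etc. carry nothing to test
    ref = payload["after"]  # SHA of the new branch head
    base = {"repo": payload["repository"]["clone_url"], "ref": ref}
    jobs = [
        dict(base, task="dependency-check", cmd=["pip", "list", "--outdated"]),
    ]
    if target_url:
        jobs.append(dict(base, task="zap-baseline",
                         cmd=["zap-baseline.py", "-t", target_url]))
    jobs.append(dict(base, task="commit-integrity",
                     cmd=["git", "verify-commit", ref]))
    return jobs


def handle_delivery(headers: dict, body: bytes,
                    target_url: Optional[str] = None,
                    secret: bytes = WEBHOOK_SECRET):
    """Entry point a web framework would call: returns (HTTP status, jobs).
    The body must be verified as raw bytes, before any JSON parsing."""
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return 403, []
    payload = json.loads(body)
    event = headers.get("X-GitHub-Event", "")
    return 200, plan_security_tasks(event, payload, target_url)


# Constructed push payload containing only the fields the planner reads.
SAMPLE_PAYLOAD = json.dumps({
    "ref": "refs/heads/main",
    "after": "0123456789abcdef0123456789abcdef01234567",
    "repository": {"full_name": "example/webapp",
                   "clone_url": "https://github.com/example/webapp.git"},
}).encode()


def demo():
    """Statuses for a genuine delivery, a forged signature, and a body
    altered in transit after signing."""
    good = {"X-GitHub-Event": "push",
            "X-Hub-Signature-256": sign_body(WEBHOOK_SECRET, SAMPLE_PAYLOAD)}
    forged = dict(good, **{"X-Hub-Signature-256": "sha256=" + "00" * 32})
    return (handle_delivery(good, SAMPLE_PAYLOAD, "http://staging.example/")[0],
            handle_delivery(forged, SAMPLE_PAYLOAD)[0],
            handle_delivery(good, SAMPLE_PAYLOAD + b" ")[0])


if __name__ == "__main__":
    print(demo())  # (200, 403, 403)
```

The signature check must happen on the exact bytes received; re-serialising the parsed JSON and signing that will not match what GitHub signed.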
 
=== Security Testing Workflow and Toolchain for Python Websites and Services ===
* Mentors: [https://mozillians.org/en-US/u/amuntner/ Adam Muntner]
 
Manual security reviews are time consuming, expensive, and important for the most critical websites and services. By documenting testing goals, trying to best approximate them, and measuring, we can create an efficient, reusable workflow with known properties and a plan to improve it in the future: a Maturity Model approach.
The goal of this project is to use a Maturity Model approach to create a reusable workflow and toolkit for manual "grey-box" security review of Python websites and services.
We will create a maturity model that describes the target capabilities of an ideal reusable "grey box" workflow documentation and toolkit, build one that can be dropped into an existing test environment such as a Docker container and used with minimal configuration, document what works and what's missing according to the Maturity Model, and create a roadmap for future work.
We will script integration of existing tools and methods to create a reusable test harness that reports testing coverage and supports remote debugging, automate setup so that an IDE can remote-debug an application while it is being tested through the ZAP proxy, identify the best ways to test for Python-specific issues, make the IDE as tester-friendly as possible, use Python AST visualization to visualize security decisions in code, and make the toolkit as quick to deploy and use as possible. We'll use the toolkit to evaluate complex real-world services like Mozilla Addons.
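An added example (not the project's toolkit) of the "Python AST visualization of security decisions" item: a visitor built on the standard `ast` module that records where a view function is guarded by an authentication decorator or branches on an authorization check, and emits a Graphviz digraph of those decisions for rendering. The decorator and method names it looks for are assumptions modelled on Django-style code, and the sample views it is run on are constructed for the example.

```python
import ast
from typing import List, Tuple

# Assumed vocabulary of "security decisions" to look for; extend per project.
AUTH_DECORATORS = {"login_required", "permission_required", "csrf_exempt"}
AUTH_CALLS = {"is_authenticated", "has_perm", "is_staff", "is_superuser",
              "check_password"}

Finding = Tuple[int, str, str, str]  # (line, enclosing function, kind, name)


def _name_of(node):
    """Bare name of a Name, Attribute or Call node; None for anything else."""
    if isinstance(node, ast.Call):
        return _name_of(node.func)
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


class SecurityDecisionFinder(ast.NodeVisitor):
    def __init__(self):
        self.findings: List[Finding] = []
        self._func = "<module>"

    def visit_FunctionDef(self, node):
        # Decorators guard the whole function: one finding per auth decorator.
        for dec in node.decorator_list:
            name = _name_of(dec)
            if name in AUTH_DECORATORS:
                self.findings.append((node.lineno, node.name, "decorator", name))
        prev, self._func = self._func, node.name
        self.generic_visit(node)
        self._func = prev

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_If(self, node):
        # Any auth predicate anywhere in the condition is a branch decision.
        names = {_name_of(n) for n in ast.walk(node.test)}
        for hit in sorted(n for n in names if n in AUTH_CALLS):
            self.findings.append((node.lineno, self._func, "branch", hit))
        self.generic_visit(node)


def find_security_decisions(source: str) -> List[Finding]:
    finder = SecurityDecisionFinder()
    finder.visit(ast.parse(source))
    return finder.findings


def to_dot(findings: List[Finding]) -> str:
    """Graphviz digraph: one edge per decision, from function to check."""
    lines = ["digraph security_decisions {"]
    for lineno, func, kind, name in findings:
        lines.append(f'  "{func}" -> "{name}" [label="{kind} L{lineno}"];')
    lines.append("}")
    return "\n".join(lines)


# Constructed Django-style views to run the finder on.
SAMPLE_VIEWS = '''
from django.contrib.auth.decorators import login_required, permission_required

@login_required
def edit_addon(request, addon_id):
    if not request.user.is_authenticated:
        return redirect("login")
    if request.user.has_perm("addons.edit") or request.user.is_staff:
        return save(request, addon_id)
    return forbidden()

@permission_required("addons.review")
def review_addon(request, addon_id):
    return render(request, "review.html")

def public_listing(request):
    return render(request, "list.html")
'''

if __name__ == "__main__":
    print(to_dot(find_security_decisions(SAMPLE_VIEWS)))
```

Functions with no edge in the resulting graph (here `public_listing`) are the ones a reviewer should confirm are meant to be public; that absence is the point of drawing the picture.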
=== ZAP: Field Enumeration ===
* Mentors: [https://mozillians.org/en-US/u/psiinon/ Simon Bennetts]

This would allow a user to iterate through a set of (user-defined) characters in order to identify the ones that are filtered out and/or escaped.
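An added example (not ZAP code) of the enumeration this entry describes, in Python: every character from a user-defined set is submitted between two marker strings, and what comes back is classified as reflected raw, HTML-escaped, filtered out, or not reflected at all. The `submit` callback stands in for the request ZAP would make to the target; `simulated_target` is a constructed form handler so the example runs offline.

```python
import html
import re
from typing import Callable, Dict

# Characters worth probing for injection contexts; user-defined in practice.
DEFAULT_PROBE_CHARS = "<>\"'&;/()%\\"


def classify_reflection(submit: Callable[[str], str],
                        probe_chars: str = DEFAULT_PROBE_CHARS,
                        marker: str = "zqx") -> Dict[str, str]:
    """Submit marker+char+marker for each char and classify the reflection.

    The marker is letters only, which no filter or encoder should touch, so
    the reflected segment can be located even when the char itself changes.
    """
    pattern = re.compile(re.escape(marker) + "(.*?)" + re.escape(marker), re.S)
    results = {}
    for ch in probe_chars:
        body = submit(marker + ch + marker)
        match = pattern.search(body)
        if match is None:
            results[ch] = "not reflected"   # input dropped or request blocked
            continue
        between = match.group(1)
        if between == ch:
            results[ch] = "reflected"       # raw: injection context is live
        elif between == "":
            results[ch] = "filtered"        # stripped before output
        elif html.unescape(between) == ch:
            results[ch] = "escaped"         # entity-encoded on output
        else:
            results[ch] = "transformed:" + between
    return results


def live_characters(results: Dict[str, str]) -> str:
    """Characters that reach the page unchanged, i.e. usable in a payload."""
    return "".join(ch for ch, verdict in results.items() if verdict == "reflected")


def simulated_target(value: str) -> str:
    """Constructed form handler: strips ';' and '\\', HTML-escapes the rest
    without touching quotes, and reflects the result into the page."""
    cleaned = value.replace(";", "").replace("\\", "")
    return "<p>Results for: " + html.escape(cleaned, quote=False) + "</p>"


if __name__ == "__main__":
    verdicts = classify_reflection(simulated_target)
    for ch, verdict in verdicts.items():
        print(repr(ch), verdict)
    print("usable:", live_characters(verdicts))
```

Against this target the quotes, slash, parentheses and percent sign survive untouched, which is exactly the information a tester wants before crafting a payload for an attribute context.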
=== ZAP: Form Handling ===
* Mentors: [https://mozillians.org/en-US/u/psiinon/ Simon Bennetts]
The ZAP traditional and Ajax spiders explore an application by putting basic default values in all forms. These may often not be valid values, for example using "ZAP" when an email address is required.
=== ZAP: Automated authentication detection and configuration ===
* Mentors: [https://mozillians.org/en-US/u/psiinon/ Simon Bennetts]

ZAP has extensive support for application authentication, but configuring it is a manual process which can be tricky to get right.
The enhancement would allow ZAP to detect as many forms of authentication as possible and configure them automatically using the existing ZAP functionality.
 
=== Plug'n'hack: Support for e10s ===
* Mentors: [https://mozillians.org/en-US/u/mgoodwin/ Mark Goodwin], [https://mozillians.org/en-US/u/psiinon/ Simon Bennetts]
=== NSS Demos ===
* Mentors: [https://mozillians.org/en-US/u/franziskus/ Franziskus Kiefer], [https://mozillians.org/en-US/u/ttaubert/ Tim Taubert], [https://mozillians.org/en-US/u/jcjones/ JC Jones]

Using the [https://nss-crypto.org/ NSS] library in your own project is not an easy job.
=== The NSS TLS Server ===
* Mentors: [https://mozillians.org/en-US/u/franziskus/ Franziskus Kiefer], [https://mozillians.org/en-US/u/ttaubert/ Tim Taubert], [https://mozillians.org/en-US/u/jcjones/ JC Jones]

The TLS stack in [https://nss-crypto.org/ NSS] provides basic support for TLS servers such as [https://fedorahosted.org/mod_nss/ mod_nss].
=== SHA-3 Implementation in NSS ===
* Mentors: [https://mozillians.org/en-US/u/franziskus/ Franziskus Kiefer], [https://mozillians.org/en-US/u/ttaubert/ Tim Taubert], [https://mozillians.org/en-US/u/jcjones/ JC Jones]

[https://en.wikipedia.org/wiki/SHA-3 SHA-3] is a new cryptographic hash function.
=== Formal Verification of NSS ===
* Mentors: [https://mozillians.org/en-US/u/ttaubert/ Tim Taubert], [https://mozillians.org/en-US/u/franziskus/ Franziskus Kiefer], [https://mozillians.org/en-US/u/jcjones/ JC Jones]

This project should formally verify implementations (or parts of them) of, e.g., ciphers, the TLS protocol, libmpi or libec in the [https://nss-crypto.org/ NSS] library.
=== NSS TLS Interop ===
* Mentors: [https://mozillians.org/en-US/u/ttaubert/ Tim Taubert], [https://mozillians.org/en-US/u/jcjones/ JC Jones], [https://mozillians.org/en-US/u/franziskus/ Franziskus Kiefer]

This project should ensure [https://nss-crypto.org/ NSS]' TLS implementation interoperates with that of other crypto libraries like [https://openssl.org/ OpenSSL]. It should also automate interoperability testing to integrate with our CI.
=== ssh_scan: Improving Scalability and Feature Set ===
* Mentors: [https://mozillians.org/en-US/u/jclaudius/ Jonathan Claudius], pwnbus

This project would work on improving the scalability and feature set of ssh_scan, a tool for scanning SSH servers for policy and compliance (mainly the attributes found here: https://github.com/claudijd/ssh_scan/blob/master/examples/192.168.1.1.json). The tool is currently open-sourced as more of a prototype here: https://github.com/claudijd/ssh_scan. Current feature gaps include the ability to detect the supported authentication types (password, key-based, ...), nmap-style targeting and scanning, and IPv6 support. Lastly, it might be useful to develop some server-side infrastructure components and an API for this service, with a front end to assist with scanning/compliance automation. These are the sorts of things the project team would attempt to solve and deliver during the project window.
== FAQ ==