Confirmed users
461
edits
SummerOfCode/2013/SecurityReport: Difference between revisions
Jump to navigation
Jump to search
no edit summary
No edit summary |
No edit summary |
||
| Line 1: | Line 1: | ||
<p><font color="red"><b>Project Title:</b> Security Report</font><hr /> | <p><font color="red"><b>Project Title:</b> Security Report</font><hr /> | ||
<br /> | <br /> | ||
<b>Goal:</b> The aim of this project is to build a Firefox add-on that provides | <b>Goal:</b> | ||
The aim of this project is to build a Firefox add-on that provides security related information (such as SSL certificate errors, CSP violation reports, non-secure cookies, etc) of a website to users in a single place. This will help users better discern malicious attempts and allow benign web developers to easily identify security issues in their production pages. | |||
<br /><br /> | <br /><br /> | ||
| Line 20: | Line 16: | ||
* June 17 - June 30 (two weeks): | * June 17 - June 30 (two weeks): | ||
Capture "error" and "warn" messages from Error Console. In particular, register event listener on | Capture "error" and "warn" messages from Error Console. In particular, register event listener on "nsIConsoleService" or listen for console-api-log-event topic of "consoleAPI". | ||
"nsIConsoleService" or listen for console-api-log-event topic of | |||
* July 1 - July 14 (two weeks): | * July 1 - July 14 (two weeks): | ||
Capture security related information | Capture security related information about cookie. In particular, I will use "nsICookie2", "nsICookieService", "nsICookieManager2" APIs to get access to cookies and check whether website set cookies as secure or not. In | ||
addition, I will also check for absence of "http-only" field. | addition, I will also check for absence of "http-only" field. | ||
* July 15 - July 21 (one week): | * July 15 - July 21 (one week): | ||
Project discussion with the mentor and | Project discussion with the mentor and community on the design and GUI of this addon. | ||
* July 22 - August 11 (three weeks): | * July 22 - August 11 (three weeks): | ||
Validate SSL certificates, | Validate SSL certificates, session wise (for each browser session) maintain a whitelist of good SSL certificate to avoid duplicate checking of SSL certificate within the same session. In particular, I will use "nsISSLStatusProvider" API to get SSL certificate details. The "nsIX509Cert" API to compare various status code for SSL certificate (such as, CERT_REVOKED, CERT_EXPIRED, etc). | ||
* August 12 - August 25 (two weeks): | * August 12 - August 25 (two weeks): | ||
Integrate it in GCLI commands to | Integrate it in GCLI commands to invoke/show add-on UI, display security errors, hide add-on UI, etc. In particular, I will import "gcli.jsm" library from devtools and use "addCommand" method to add GCLI commands. For example, "security-report[showUI, hideUI, print]". The "security-report showUI" command will display add-on UI. The "security-report hideUI" command hides add-on UI. The "security-report print" command displays only security report user in a bubble. | ||
* August 26 - September 8 (two weeks): | * August 26 - September 8 (two weeks): | ||
Identify what are the other | Identify what are the other types of errors (such as CORS, mixed content). In particular, detect security errors occurred due to CORS request, mixed content in web page, etc and display it to users. | ||
* September 9 - September 22 (two weeks): | * September 9 - September 22 (two weeks): | ||
Develop test cases and test | Develop test cases and test add-on with a few websites that contain security errors. In particular, check whether the add-on correctly reports all supported security errors to user or not. | ||
* September 23 - September 27 (5 days): | * September 23 - September 27 (5 days): | ||
Ensure code is available on | Ensure code is available on Google Code and in the Mozilla addon repository. | ||
<hr /> | <hr /> | ||