SummerOfCode/2013/SecurityReport: Difference between revisions

Jump to navigation Jump to search

SummerOfCode/2013/SecurityReport (view source)

Revision as of 10:46, 28 May 2013

50 bytes added ,  28 May 2013
no edit summary
No edit summary
No edit summary
Line 2: Line 2:
<br />
<br />
<b>Goal:</b>   
<b>Goal:</b>   
   The aim of this project is to build a Firefox add-on that provides security related information (such as SSL certificate errors, CSP violation reports, non-secure cookies, etc) of a website to users in a single place. This will help users better discern malicious attempts and allow benign web developers to easily identify security issues in their production pages.
   The aim of this project is to build a Firefox add-on that provides security related information  
  (such as SSL certificate errors, CSP violation reports, non-secure cookies, etc) of a website to  
  users in a single place. This will help users better discern malicious attempts and allow benign  
  web developers to easily identify security issues in their production pages.
<br /><br />
<br /><br />


Line 16: Line 19:


* June 17 - June 30 (two weeks):  
* June 17 - June 30 (two weeks):  
   Capture "error" and "warn" messages from Error Console. In particular, register event listener on  "nsIConsoleService" or listen for console-api-log-event topic of "consoleAPI".
   Capture "error" and "warn" messages from Error Console. In particular, register event listener on  
   "nsIConsoleService" or listen for console-api-log-event topic of "consoleAPI".


*  July 1 - July 14 (two weeks):   
*  July 1 - July 14 (two weeks):   
   Capture security related information about cookie. In particular, I will use "nsICookie2", "nsICookieService", "nsICookieManager2" APIs to get access to cookies and check whether website set cookies as secure or not. In
   Capture security related information about cookie. In particular, I will use "nsICookie2", "nsICookieService",  
  addition, I will also check for absence of "http-only" field.
  "nsICookieManager2" APIs to get access to cookies and check whether website set cookies as secure or not. In
  addition, I will also check for absence of "http-only" field.


*  July 15 - July 21 (one week):  
*  July 15 - July 21 (one week):  
  Project discussion with the mentor and community on the design and GUI of this add­on.
  Project discussion with the mentor and community on the design and GUI of this add­on.


*  July 22 - August 11 (three weeks):  
*  July 22 - August 11 (three weeks):  
   Validate SSL certificates, session wise (for each browser session) maintain a whitelist of good SSL certificate to avoid duplicate checking of SSL certificate within the same session. In particular, I will use "nsISSLStatusProvider" API to get SSL certificate details. The "nsIX509Cert" API to compare various status code for SSL certificate (such as, CERT_REVOKED, CERT_EXPIRED, etc).
   Validate SSL certificates, session wise (for each browser session) maintain a whitelist of good SSL certificate  
  to avoid duplicate checking of SSL certificate within the same session. In particular, I will use  
  "nsISSLStatusProvider" API to get SSL certificate details. The "nsIX509Cert" API to compare various status code  
  for SSL certificate (such as, CERT_REVOKED, CERT_EXPIRED, etc).


*  August 12 - August 25 (two weeks):  
*  August 12 - August 25 (two weeks):  
  Integrate it in GCLI commands to invoke/show add-on UI, display security errors, hide add-on UI, etc. In particular, I will import "gcli.jsm" library from devtools and use "addCommand" method to add GCLI commands. For example,  "security-report[showUI, hideUI, print]". The "security-report showUI" command will display add-on UI. The "security-report hideUI" command hides add-on UI. The "security-report print" command displays only security report user in a bubble.
  Integrate it in GCLI commands to invoke/show add-on UI, display security errors, hide add-on UI, etc.  
  In particular, I will import "gcli.jsm" library from devtools and use "addCommand" method to add GCLI commands.  
  For example,  "security-report[showUI, hideUI, print]". The "security-report showUI" command will display add-on UI.  
  The "security-report hideUI" command hides add-on UI. The "security-report print" command displays only security  
  report user in a bubble.


*  August 26 - September 8 (two weeks):  
*  August 26 - September 8 (two weeks):  
   Identify what are the other types of errors (such as CORS, mixed content). In particular, detect security errors occurred due to CORS request, mixed content in web page, etc and display it to users.
   Identify what are the other types of errors (such as CORS, mixed content). In particular, detect security errors
  occurred due to CORS request, mixed content in web page, etc and display it to users.


*  September 9 - September 22 (two weeks):  
*  September 9 - September 22 (two weeks):  
   Develop test cases and test add-on with a few websites that contain security errors. In particular, check whether the add-on correctly reports all supported security errors to user or not.
   Develop test cases and test add-on with a few websites that contain security errors. In particular, check whether  
  the add-on correctly reports all supported security errors to user or not.


*  September 23 - September 27 (5 days):  
*  September 23 - September 27 (5 days):  
Patilkr
Confirmed users
461

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/660874"

Navigation menu