Personal tools

SummerOfCode/2013/SecurityReport

From MozillaWiki

Jump to: navigation, search

Project Title: Security Report



Goal:

 The aim of this project is to build a Firefox add-on that provides security related information 
 (such as SSL certificate errors, CSP violation reports, non-secure cookies, etc) of a website to 
 users in a single place. This will help users better discern malicious attempts and allow benign 
 web developers to easily identify security issues in their production pages.


Developer


  • PATIL Kailas < patilkr24 AT gmail DOT com >


Source Code




Project Status


  • GitHub Status: checked in
  • While working on this projects I noticed bugs in FF. I reported those bugs on Bugzilla as well developed patches for a few of them.
    • Bugs Reported:
  https://bugzilla.mozilla.org/show_bug.cgi?id=898712
  https://bugzilla.mozilla.org/show_bug.cgi?id=890224
  https://bugzilla.mozilla.org/show_bug.cgi?id=886329
  https://bugzilla.mozilla.org/show_bug.cgi?id=919568
    • Patches I wrote:
  https://bugzilla.mozilla.org/show_bug.cgi?id=898712
  Status : review+
  https://bugzilla.mozilla.org/show_bug.cgi?id=890224
  Status: feedback+

    • The security report tool add-on is also uploaded on Mozilla Add-on Gallery and currently it is under review.
  https://addons.mozilla.org/en-US/firefox/addon/security-report-tool/


More Info About Project

Modern browsers tend to communicate with their end users on various security aspects of their ongoing operations. Such communication clarifies certain errors and warning in web sites user visiting and warns users of potential risks such as invalid SSL certificates, unsecured cookies, etc. However, such security information is largely dispersed at present in the browsers. To check security information of a website, users of Firefox need to search multiple data sources in the browser such as error console, cookie manager, certificate manager, etc. This hinders users from checking security related information for a website. The aim of this project is to build a Firefox add-on that provides security information about a website to advanced users in a single place.

In addition, developing a website that covers all security basis is tricky for developers. However, we believe that if web developers will get security information of their production pages at single place in browser then it will help them to fix security issues in their production pages before releasing them to users. The benefits of this project to Firefox users are thus two-fold: First, advanced users can learn about website security using this tool before deciding whether they can submit their credential to website or not. Second, web developers can use it to read security information of their production pages and identify security issues in their website.



Weekly Status Updates:


OUTPUT: Sample Security Reports


  • Sample of detailed security report generated by this tool is given below for a few sample websites.
   You can view a detailed security report for above web page at : 
   http://swl.ddns.comp.nus.edu.sg/secReport/securityReport--24-9-2013--10-16-42.htm
  You can view a detailed security report for above web page at : 
  http://swl.ddns.comp.nus.edu.sg/secReport/securityReport--24-9-2013--10-40-20.htm
  You can view a detailed security report for above web page at : 
  http://swl.ddns.comp.nus.edu.sg/secReport/securityReport--24-9-2013--10-43-30.htm



Acknowledgement


  • I would like to thank all Mozilla developers for the valuable time they spent to solve difficulties I encounter while working on this project. Specially, Frederik Braun (:freddyb), Mark Goodwin (:mgoodwin), and Tanvi Vyas (:tanvi) for their continuous timely support and guidance.
  • I would also like to thank people from #security, #jetpack, #developers and #devtools channel who helped me a lot while working on this project.

A sample security report screenshot

Mixed-content-secReport.png