SummerOfCode/2013/SecurityReport: Difference between revisions

From MozillaWiki
(38 intermediate revisions by the same user not shown)
Older revision:

<p><font color="red"><b>Project Title:</b> User Specified Content Security Policy</font></p><hr />
<br />
<b>Goal:</b> The goal of this project is to allow savvy users to voluntarily specify their own CSP policies for websites that have not implemented CSP policies, and to automatically infer CSP policies for frequently visited websites if neither the user nor the web site publisher specifies a CSP policy.
<br /><br />

<font color="red"><b>Developer </b></font>
<hr />
* PATIL Kailas < patilkr24  AT  gmail  DOT  com >
<br />

<font color="red"><b>Project Wiki </b></font>
<hr />
[[SummerOfCode/2012/UserCSP/Wiki|WikiPage]]
<br />
<br />

<font color="red"><b>Project Status </b></font>
<hr />
Schedule of userCSP project deliverables:

* June 17 - June 30 (two weeks): Capture "error" and "warn" messages from the Error Console. In particular, register an event listener on "nsIConsoleService" or listen for the console-api-log-event topic of "consoleAPI".

* July 1 - July 14 (two weeks): Capture security related information about cookies. In particular, I will use the "nsICookie2", "nsICookieService" and "nsICookieManager2" APIs to get access to cookies and check whether the website set its cookies as secure or not. In addition, I will also check for the absence of the "http-only" field.

* July 15 - July 21 (one week): Project discussion with the mentor and community on the design and GUI of this add-on.

* July 22 - August 11 (three weeks): Validate SSL certificates; session-wise (for each browser session), maintain a whitelist of good SSL certificates to avoid duplicate checking of an SSL certificate within the same session. In particular, I will use the "nsISSLStatusProvider" API to get SSL certificate details and the "nsIX509Cert" API to compare the various status codes for an SSL certificate (such as CERT_REVOKED, CERT_EXPIRED, etc).

* August 12 - August 25 (two weeks): Integrate it into GCLI commands to invoke/show the add-on UI, display security errors, hide the add-on UI, etc. In particular, I will import the "gcli.jsm" library from devtools and use the "addCommand" method to add GCLI commands. For example, "security-report[showUI, hideUI, print]": the "security-report showUI" command will display the add-on UI, the "security-report hideUI" command hides the add-on UI, and the "security-report print" command displays only the security report to the user in a bubble.

* August 26 - September 8 (two weeks): Identify what the other types of errors are (such as CORS, mixed content). In particular, detect security errors that occurred due to CORS requests, mixed content in the web page, etc and display them to users.

* September 9 - September 22 (two weeks): Develop test cases and test the add-on with a few websites that contain security errors. In particular, check whether the add-on correctly reports all supported security errors to the user or not.

* September 23 - September 27 (5 days): Ensure code is available on Google Code and in the Mozilla add-on repository.
<hr />

<b>Weekly Status Updates: </b> <br />
* [[SummerOfCode/2012/UserCSP/WeeklyUpdates/2012-04-23|April 23, 2012]]
<hr />


Newer revision:

<p><font color="red"><b>Project Title:</b> Security Report</font></p><hr />
<br />
<b>Goal:</b> The aim of this project is to build a Firefox add-on that provides security related information (such as SSL certificate errors, CSP violation reports, non-secure cookies, etc) about a website to users in a single place. This will help users better discern malicious attempts and allow benign web developers to easily identify security issues in their production pages.
<br />
<br />

<font color="red"><b>Developer </b></font>
<hr />
* PATIL Kailas < patilkr24  AT  gmail  DOT  com >
<br />

<font color="red"><b>Source Code </b></font>
<hr />
* GitHub: https://github.com/patilkr/securityReportTool
<hr />

<br />
<font color="red"><b>Project Status </b></font>
<hr />
* GitHub Status: checked in
* While working on this project I noticed bugs in FF. I reported those bugs on Bugzilla and also developed patches for a few of them.
** Bugs Reported:
  https://bugzilla.mozilla.org/show_bug.cgi?id=898712
  https://bugzilla.mozilla.org/show_bug.cgi?id=890224
  https://bugzilla.mozilla.org/show_bug.cgi?id=886329
  https://bugzilla.mozilla.org/show_bug.cgi?id=919568
** Patches I wrote:
  https://bugzilla.mozilla.org/show_bug.cgi?id=898712 (Status: review+)
  https://bugzilla.mozilla.org/show_bug.cgi?id=890224 (Status: feedback+)
** The security report tool add-on is also uploaded to the Mozilla Add-on Gallery and is currently under review.
  https://addons.mozilla.org/en-US/firefox/addon/security-report-tool/
<hr />

<br />
<font color="red"><b> More Info About Project</b></font><hr />
Modern browsers tend to communicate with their end users on various security aspects of their ongoing operations. Such communication clarifies certain errors and warnings in the web sites users visit and warns them of potential risks such as invalid SSL certificates, unsecured cookies, etc. However, such security information is at present largely dispersed across the browser. To check the security information of a website, Firefox users need to search multiple data sources in the browser, such as the error console, cookie manager, certificate manager, etc. This hinders users from checking security related information for a website. The aim of this project is to build a Firefox add-on that provides security information about a website to advanced users in a single place.

In addition, developing a website that covers all security bases is tricky for developers. However, we believe that if web developers can see the security information of their production pages in a single place in the browser, it will help them fix security issues in those pages before releasing them to users. The benefits of this project to Firefox users are thus two-fold: first, advanced users can learn about a website's security using this tool before deciding whether to submit their credentials to it; second, web developers can use it to read the security information of their production pages and identify security issues in their website.
<br />
<hr />

<b>Weekly Status Updates: </b> <br />
* [[SummerOfCode/2013/SecurityReport/WeeklyUpdates/2013-06-03|June 3, 2013 - June 7, 2013]]
* [[SummerOfCode/2013/SecurityReport/WeeklyUpdates/2013-06-10|June 10, 2013 - June 14, 2013]]
* [[SummerOfCode/2013/SecurityReport/WeeklyUpdates/2013-06-17|June 17, 2013 - June 21, 2013]]
* [[SummerOfCode/2013/SecurityReport/WeeklyUpdates/2013-06-24|June 24, 2013 - June 28, 2013]]
* [[SummerOfCode/2013/SecurityReport/WeeklyUpdates/2013-07-01|July 1, 2013 - July 5, 2013]]
* [[SummerOfCode/2013/SecurityReport/WeeklyUpdates/2013-07-08|July 8, 2013 - July 12, 2013]]
* [[SummerOfCode/2013/SecurityReport/WeeklyUpdates/2013-07-15|July 15, 2013 - July 19, 2013]]
* [[SummerOfCode/2013/SecurityReport/WeeklyUpdates/2013-07-22|July 22, 2013 - July 26, 2013]]
* [[SummerOfCode/2013/SecurityReport/WeeklyUpdates/2013-07-29|July 29, 2013 - August 2, 2013]]
* [[SummerOfCode/2013/SecurityReport/WeeklyUpdates/2013-08-05|August 05, 2013 - August 09, 2013]]
* [[SummerOfCode/2013/SecurityReport/WeeklyUpdates/2013-08-12|August 12, 2013 - August 23, 2013]] (Two Weeks)
* [[SummerOfCode/2013/SecurityReport/WeeklyUpdates/2013-08-26|August 26, 2013 - August 30, 2013]]
* September 2, 2013 to September 6, 2013: My PhD oral defense exam was scheduled in this week, so I didn't work on the project.
* [[SummerOfCode/2013/SecurityReport/WeeklyUpdates/2013-09-09|September 09, 2013 - September 13, 2013]]
* [[SummerOfCode/2013/SecurityReport/WeeklyUpdates/2013-09-16|September 16, 2013 - September 20, 2013]]
<hr />

<font color="red"><b>OUTPUT: Sample Security Reports </b></font>
<hr />
* Samples of the detailed security report generated by this tool are given below for a few sample websites.
** Web Page: https://people.mozilla.org/~mgoodwin/mixed
   You can view a detailed security report for the above web page at:
   http://swl.ddns.comp.nus.edu.sg/secReport/securityReport--24-9-2013--10-16-42.htm
** Web Page: https://csptest.computerist.org/
   You can view a detailed security report for the above web page at:
   http://swl.ddns.comp.nus.edu.sg/secReport/securityReport--24-9-2013--10-40-20.htm
** Web Page: https://swl.ddns.comp.nus.edu.sg/
   You can view a detailed security report for the above web page at:
   http://swl.ddns.comp.nus.edu.sg/secReport/securityReport--24-9-2013--10-43-30.htm
<hr />

<br />
<font color="red"><b>Acknowledgement </b></font>
<hr />
* I would like to thank all Mozilla developers for the valuable time they spent solving difficulties I encountered while working on this project. Especially Frederik Braun (:freddyb), Mark Goodwin (:mgoodwin), and Tanvi Vyas (:tanvi) for their continuous, timely support and guidance.
* I would also like to thank people from the #security, #jetpack, #developers and #devtools channels who helped me a lot while working on this project.
<hr />

<font color="red"><b>A sample security report screenshot </b></font><br />
* A sample screenshot of a security report of a web page: https://people.mozilla.org/~mgoodwin/mixed

[[File:mixed-content-secReport.png]]
<hr />

Latest revision as of 09:25, 24 September 2013
