SummerOfCode/2013/SecurityReport: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
No edit summary
No edit summary
 
(24 intermediate revisions by the same user not shown)
Line 6: Line 6:
   users in a single place. This will help users better discern malicious attempts and allow benign  
   users in a single place. This will help users better discern malicious attempts and allow benign  
   web developers to easily identify security issues in their production pages.
   web developers to easily identify security issues in their production pages.
<br /><br />
<br />


<font color="red"><b>Developer </b></font>
<font color="red"><b>Developer </b></font>
  <hr />
  <hr />
* PATIL Kailas < patilkr24  AT  gmail  DOT  com >  
* PATIL Kailas < patilkr24  AT  gmail  DOT  com >  
<br/>
<hr>
 
<br />
<font color="red"><b>Source Code </b></font>
<hr />
* GitHub: https://github.com/patilkr/securityReportTool
<hr>


<br />
<font color="red"><b>Project Status </b></font>
<font color="red"><b>Project Status </b></font>
<hr />
<hr />
Tentative plan for Security Report tool for GSoC duration is given below:
* GitHub Status: checked in
* While working on this projects I noticed bugs in FF. I reported those bugs on Bugzilla as well developed patches for a few of them.


* June 17 - June 30 (two weeks):  
** Bugs Reported:
  Capture "error" and "warn" messages from Error Console. In particular, register event listener on
  https://bugzilla.mozilla.org/show_bug.cgi?id=898712
  "nsIConsoleService" or listen for console-api-log-event topic of "consoleAPI".
  https://bugzilla.mozilla.org/show_bug.cgi?id=890224
  https://bugzilla.mozilla.org/show_bug.cgi?id=886329
  https://bugzilla.mozilla.org/show_bug.cgi?id=919568


* July 1 - July 14 (two weeks):
** Patches I wrote:
  Capture security related information about cookie. In particular, I will use "nsICookie2", "nsICookieService",
  https://bugzilla.mozilla.org/show_bug.cgi?id=898712
  "nsICookieManager2" APIs to get access to cookies and check whether website set cookies as secure or not. In
   Status : review+
   addition, I will also check for absence of "http-only" field.


* July 15 - July 21 (one week):
  https://bugzilla.mozilla.org/show_bug.cgi?id=890224
** Project discussion with the mentor and community on the design and GUI of this add­on.
  Status: feedback+
** UI Suggestion Link (Thanks to Jesse Ruderman): https://bugzilla.mozilla.org/show_bug.cgi?id=711816
   
** The security report tool add-on is also uploaded on Mozilla Add-on Gallery and currently it is under review.
  https://addons.mozilla.org/en-US/firefox/addon/security-report-tool/
<hr>


*  July 22 - August 11 (three weeks):
<br />
  Validate SSL certificates, session wise (for each browser session) maintain a whitelist of good SSL certificate
<font color="red"><b> More Info About Project</b></font><hr />
  to avoid duplicate checking of SSL certificate within the same session. In particular, I will use
Modern browsers tend to communicate with their end users on various  security aspects of their ongoing operations. Such communication clarifies certain errors and warning in web sites user visiting and warns users of potential risks such as invalid SSL certificates, unsecured cookies, etc.  However, such security information is largely dispersed at present in the browsers. To check security information of a website, users of Firefox need to search multiple data sources in the browser such as error console, cookie manager, certificate manager, etc. This hinders users from checking security related information for a website. The aim of this project is to build a Firefox add-on that provides security information about a website to advanced users in a single place.   
  "nsISSLStatusProvider" API to get SSL certificate details. The "nsIX509Cert" API to compare various status code
   for SSL certificate (such as, CERT_REVOKED, CERT_EXPIRED, etc).
 
* August 12 - August 25 (two weeks):
  Integrate it in GCLI commands to invoke/show add-on UI, display security errors, hide add-on UI, etc.  
  In particular, I will import "gcli.jsm" library from devtools and use "addCommand" method to add GCLI commands.
  For example, "security-report[showUI, hideUI, print]". The "security-report showUI" command will display add-on UI.  
  The "security-report hideUI" command hides add-on UI. The "security-report print" command displays only security 
  report user in a bubble.
 
* August 26 - September 8 (two weeks):
  Identify what are the other types of errors (such as CORS, mixed content). In particular, detect security errors
  occurred due to CORS request, mixed content in web page, etc and display it to users.


*  September 9 - September 22 (two weeks):
In addition, developing a website that covers all security basis is tricky for developers. However, we believe that if web developers will get security information of their production pages at single place in browser then it will help them to fix security issues in their production pages before releasing them to users. The benefits of this project to Firefox users are thus two-fold: First, advanced users can learn about website security using this tool before deciding whether they can submit their credential to website or not. Second, web developers can use it to read security information of their production pages and identify security issues in their website.
  Develop test cases and test add-on with a few websites that contain security errors. In particular, check whether
  the add-on correctly reports all supported security errors to user or not.


*  September 23 - September 27 (5 days):
** Ensure code is available on Google Code and in the Mozilla add­on repository.
** It is currently available publicly on [[https://github.com/patilkr/securityReportTool|GitHub repository]]: https://github.com/patilkr/securityReportTool
<br />
<br />
<hr />
<hr />
Line 69: Line 61:
* [[SummerOfCode/2013/SecurityReport/WeeklyUpdates/2013-07-22|July 22, 2013 - July 26, 2013]]
* [[SummerOfCode/2013/SecurityReport/WeeklyUpdates/2013-07-22|July 22, 2013 - July 26, 2013]]
* [[SummerOfCode/2013/SecurityReport/WeeklyUpdates/2013-07-29|July 29, 2013 - August 2, 2013]]
* [[SummerOfCode/2013/SecurityReport/WeeklyUpdates/2013-07-29|July 29, 2013 - August 2, 2013]]
* [[SummerOfCode/2013/SecurityReport/WeeklyUpdates/2013-08-05|August 05, 2013 - August 09, 2013]]
* [[SummerOfCode/2013/SecurityReport/WeeklyUpdates/2013-08-12|August 12, 2013 - August 23, 2013]] (Two Weeks)
* [[SummerOfCode/2013/SecurityReport/WeeklyUpdates/2013-08-26|August 26, 2013 - August 30, 2013]]
* September 2, 2013 to September 6, 2013: My PhD oral defense exam date scheduled in this week. So I didn't work on the project.
* [[SummerOfCode/2013/SecurityReport/WeeklyUpdates/2013-09-09|September 09, 2013 - September 13, 2013]]
* [[SummerOfCode/2013/SecurityReport/WeeklyUpdates/2013-09-16|September 16, 2013 - September 20, 2013]]
<hr />


<font color="red"><b>OUTPUT: Sample Security Reports </b></font>
<hr />
* Sample of detailed security report generated by this tool is given below for a few sample websites.
** Web Page: https://people.mozilla.org/~mgoodwin/mixed
    You can view a detailed security report for above web page at :
    http://swl.ddns.comp.nus.edu.sg/secReport/securityReport--24-9-2013--10-16-42.htm
** Web Page: https://csptest.computerist.org/
  You can view a detailed security report for above web page at :
  http://swl.ddns.comp.nus.edu.sg/secReport/securityReport--24-9-2013--10-40-20.htm
** Web Page: https://swl.ddns.comp.nus.edu.sg/
  You can view a detailed security report for above web page at :
  http://swl.ddns.comp.nus.edu.sg/secReport/securityReport--24-9-2013--10-43-30.htm
<br />
<font color="red"><b>Acknowledgement </b></font>
<hr />
<hr />
* I would like to thank all Mozilla developers for the valuable time they spent to solve difficulties I encounter while working on this project. Specially, Frederik Braun (:freddyb), Mark Goodwin (:mgoodwin), and Tanvi Vyas (:tanvi) for their continuous timely support and guidance.
* I would also like to thank people from #security, #jetpack, #developers and #devtools channel who helped me a lot while working on this project. 
<hr>
<font color="red"><b>A sample security report screenshot </b></font><br />
* A sample screenshot of a security report of a web page: https://people.mozilla.org/~mgoodwin/mixed
[[File:mixed-content-secReport.png]]
<hr>

Latest revision as of 09:25, 24 September 2013

Project Title: Security Report


Goal: 

 The aim of this project is to build a Firefox add-on that provides security related information 
 (such as SSL certificate errors, CSP violation reports, non-secure cookies, etc) of a website to 
 users in a single place. This will help users better discern malicious attempts and allow benign 
 web developers to easily identify security issues in their production pages.


Developer

  • PATIL Kailas < patilkr24 AT gmail DOT com >


Source Code


Project Status

  • GitHub Status: checked in
  • While working on this projects I noticed bugs in FF. I reported those bugs on Bugzilla as well developed patches for a few of them.
    • Bugs Reported:
  https://bugzilla.mozilla.org/show_bug.cgi?id=898712
  https://bugzilla.mozilla.org/show_bug.cgi?id=890224
  https://bugzilla.mozilla.org/show_bug.cgi?id=886329
  https://bugzilla.mozilla.org/show_bug.cgi?id=919568
    • Patches I wrote:
  https://bugzilla.mozilla.org/show_bug.cgi?id=898712
  Status : review+

  https://bugzilla.mozilla.org/show_bug.cgi?id=890224
  Status: feedback+
    • The security report tool add-on is also uploaded on Mozilla Add-on Gallery and currently it is under review.
  https://addons.mozilla.org/en-US/firefox/addon/security-report-tool/


More Info About Project

Modern browsers tend to communicate with their end users on various security aspects of their ongoing operations. Such communication clarifies certain errors and warning in web sites user visiting and warns users of potential risks such as invalid SSL certificates, unsecured cookies, etc. However, such security information is largely dispersed at present in the browsers. To check security information of a website, users of Firefox need to search multiple data sources in the browser such as error console, cookie manager, certificate manager, etc. This hinders users from checking security related information for a website. The aim of this project is to build a Firefox add-on that provides security information about a website to advanced users in a single place.

In addition, developing a website that covers all security basis is tricky for developers. However, we believe that if web developers will get security information of their production pages at single place in browser then it will help them to fix security issues in their production pages before releasing them to users. The benefits of this project to Firefox users are thus two-fold: First, advanced users can learn about website security using this tool before deciding whether they can submit their credential to website or not. Second, web developers can use it to read security information of their production pages and identify security issues in their website.


Weekly Status Updates:

OUTPUT: Sample Security Reports

  • Sample of detailed security report generated by this tool is given below for a few sample websites.
   You can view a detailed security report for above web page at : 
   http://swl.ddns.comp.nus.edu.sg/secReport/securityReport--24-9-2013--10-16-42.htm

  You can view a detailed security report for above web page at : 
  http://swl.ddns.comp.nus.edu.sg/secReport/securityReport--24-9-2013--10-40-20.htm

  You can view a detailed security report for above web page at : 
  http://swl.ddns.comp.nus.edu.sg/secReport/securityReport--24-9-2013--10-43-30.htm



Acknowledgement

  • I would like to thank all Mozilla developers for the valuable time they spent to solve difficulties I encounter while working on this project. Specially, Frederik Braun (:freddyb), Mark Goodwin (:mgoodwin), and Tanvi Vyas (:tanvi) for their continuous timely support and guidance.
  • I would also like to thank people from #security, #jetpack, #developers and #devtools channel who helped me a lot while working on this project.

A sample security report screenshot 

Mixed-content-secReport.png
Retrieved from "https://wiki.mozilla.org/index.php?title=SummerOfCode/2013/SecurityReport&oldid=714531"