SummerOfCode/2013/SecurityReport

Project Title: Security Report

Goal:

 The aim of this project is to build a Firefox add-on that provides security related information 
 (such as SSL certificate errors, CSP violation reports, non-secure cookies, etc) of a website to 
 users in a single place. This will help users better discern malicious attempts and allow benign 
 web developers to easily identify security issues in their production pages.

Developer

• PATIL Kailas < patilkr24 AT gmail DOT com >

Project Status

Tentative plan for Security Report tool for GSoC duration is given below:

• June 17 - June 30 (two weeks):

 Capture "error" and "warn" messages from Error Console. In particular, register event listener on 
 "nsIConsoleService" or listen for console-api-log-event topic of "consoleAPI".

• July 1 - July 14 (two weeks):

 Capture security related information about cookie. In particular, I will use "nsICookie2", "nsICookieService", 
 "nsICookieManager2" APIs to get access to cookies and check whether website set cookies as secure or not. In
  addition, I will also check for absence of "http-only" field.

• July 15 - July 21 (one week):

  Project discussion with the mentor and community on the design and GUI of this add­on.

• • UI Suggestion Link (Thanks to Jesse Ruderman): https://bugzilla.mozilla.org/show_bug.cgi?id=711816

• July 22 - August 11 (three weeks):

 Validate SSL certificates, session wise (for each browser session) maintain a whitelist of good SSL certificate 
 to avoid duplicate checking of SSL certificate within the same session. In particular, I will use 
 "nsISSLStatusProvider" API to get SSL certificate details. The "nsIX509Cert" API to compare various status code 
 for SSL certificate (such as, CERT_REVOKED, CERT_EXPIRED, etc).

• August 12 - August 25 (two weeks):

  Integrate it in GCLI commands to invoke/show add-on UI, display security errors, hide add-on UI, etc. 
  In particular, I will import "gcli.jsm" library from devtools and use "addCommand" method to add GCLI commands. 
  For example,  "security-report[showUI, hideUI, print]". The "security-report showUI" command will display add-on UI. 
  The "security-report hideUI" command hides add-on UI. The "security-report print" command displays only security   
  report user in a bubble.

• August 26 - September 8 (two weeks):

  Identify what are the other types of errors (such as CORS, mixed content). In particular, detect security errors
  occurred due to CORS request, mixed content in web page, etc and display it to users.

• September 9 - September 22 (two weeks):

  Develop test cases and test add-on with a few websites that contain security errors. In particular, check whether 
  the add-on correctly reports all supported security errors to user or not.

• September 23 - September 27 (5 days):

  Ensure code is available on Google Code and in the Mozilla add­on repository. It is currently available publicly on [repository]: https://github.com/patilkr/securityReportTool

Weekly Status Updates:

• June 3, 2013 - June 7, 2013
• June 10, 2013 - June 14, 2013
• June 17, 2013 - June 21, 2013