Intelligent security advisor for Mozilla Firefox
Client/Customer
Tanvi Vyas - Security & Privacy Engineering (tanvi@mozilla.com), Mozilla Corporation, Sameer Patil / HIIT (sameer.patil@hiit.fi)
Description of Work
Background
Entering passwords for logging into sites is a common online activity. However, sometimes these passwords are on plaintext pages or get submitted insecurely (i.e., in plaintext over an insecure connection). Insecure submission can happen even when the page that displays the password field is itself secure and uses SSL. However, users typically do not have an obvious way of knowing when a password will be submitted insecurely. The goal of this project is to tackle this problem.
Task
This project involves building an add-on for the Firefox Web browser that explores various user interface and interaction mechanisms for detecting insecure password fields and conveying this information to the user in an intuitive, understandable, non-intrusive, and effective way. The add-on will also include the ability to discover and redirect to a secure SSL version of the login page (if one exists). It is desirable that the add-on function in multiple languages (or at least be built so that internationalization is easily possible). The add-on should provide the ability for users to customize its operation based on their preferences. Customization also has the benefit of adding resiliency against phishing of the default UI.
Since there isn't a single effective way of achieving this objective, the purpose of the add-on is two-fold:
- explore the design space of ideas for interfaces/interactions for warning about insecure password fields (some examples include icons/indicators, warning message overlays, field disabling and so on), and
- implement 3-4 of the most promising design ideas as part of the add-on with the ability to easily switch between them. This will allow Mozilla to use the add-on to conduct field-tests of the designs with actual users.
For example, for HTTPS status: if a document is served over HTTPS but its scripts are not, this is a) not best practice and b) negates the purpose of serving the document over HTTPS in the first place.
Depending on progress, there is also the possibility of extending the add-on with other password-related features like a "fat finger helper" to help detect mistyped passwords.
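The two cases from the Background (a password field on a plaintext page, and a secure page whose form submits over plain HTTP) and the HTTPS redirect candidate from the Task can be told apart from the page URL and the form's `action` alone. The sketch below is an added example, not code from Mozilla or the project; the function names, verdict strings and `shop.example` URLs are hypothetical.

```javascript
// Added example (not project code). Names and verdict strings are hypothetical.
// Decide how a password form would be submitted, given the URL of the page
// showing the field and the raw value of the form's action attribute.
function classifyPasswordForm(pageUrl, formAction) {
  const page = new URL(pageUrl);
  const raw = (formAction || "").trim();
  let target;
  try {
    // An empty or missing action submits to the document's own URL;
    // relative and protocol-relative actions resolve against the page.
    target = raw === "" ? page : new URL(raw, page);
  } catch (e) {
    return { verdict: "unknown", target: null };
  }
  const web = (u) => u.protocol === "http:" || u.protocol === "https:";
  if (!web(page) || !web(target)) {
    // e.g. javascript: actions, where a script decides the destination
    return { verdict: "unknown", target: target.href };
  }
  if (page.protocol === "http:") {
    // The page itself arrived in plaintext, so the form could have been
    // altered in transit even if its action points at HTTPS.
    return { verdict: "insecure-page", target: target.href };
  }
  if (target.protocol === "http:") {
    // Secure page, but the password leaves over an insecure connection.
    return { verdict: "insecure-submit", target: target.href };
  }
  return { verdict: "secure", target: target.href };
}

// Build the HTTPS URL to probe before offering a redirect. The add-on still
// has to confirm that this URL exists and serves the login page.
function httpsCandidate(url) {
  const u = new URL(url);
  if (u.protocol !== "http:") return null;
  u.protocol = "https:";
  return u.href;
}

// Constructed sample: page URL plus the action of each form holding a password field.
function auditForms(pageUrl, actions) {
  return actions.map((a) => classifyPasswordForm(pageUrl, a).verdict);
}
```

In an add-on content script the actions would come from the `form` owning each `input[type=password]` element; a `formaction` attribute on a submit button overrides the form's own action and would need the same check.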
Choose this project if you
- Want to have a real world impact! Your add-on (or a further polished version of it) will likely be made available for download and be potentially used by users all over the world. Depending on the success of the user experience evaluation, features of the add-on may even get incorporated in the Firefox browser.
- Want to help scientific research. The add-on will be used for conducting user studies that can shed light on how to enhance user security and privacy in a usable way. The results of these studies are expected to lead to scientific publications.
- Want to gain practical experience with open source software and Firefox add-on development. You will be working directly with Mozilla. This project is part of Mozilla's commitment to building mentorship relationships with university students, so you can expect direct mentorship and involvement from Mozilla folks.
Operational context
Firefox Add-on using JavaScript and the Jetpack Add-on SDK.
Special requirements
JavaScript/Ajax/HTML/CSS. Experience with Firefox add-on development and HTML 5 is a plus but not necessary.
Intellectual Property Rights
The project should be subject to the terms of the Mozilla Public License, v 2.0.