Mozilla Implements Security Tool Standard

Monday, August 26, 2013 @ 05:08 PM gHale


Mozilla’s security team is in the process of developing a new standard that will make it easier for researchers to integrate some of their tools with Firefox and other browsers.

The standard, known as Plug-n-Hack (PnH), is an open project that Mozilla hopes researchers and tool makers will adopt.

RELATED STORIES
Chrome 29 Fixes 25 Bugs
Mozilla Fixes Firefox Security Bugs
Apple Patches OS X, Safari Bugs
Security Fixes for Chrome 27

Security research occurs via the browser and integrating custom testing tools with various browsers can be a time-consuming task. So the Mozilla team was looking for a way to make this process simpler and faster.

“Without integration between security tools and browsers, a user must often switch between the tool and their browser several times to perform a simple task, such as intercepting an HTTP(S) request. PnH allows security tools to declare the functionality that they support which is suitable for invoking directly from the browser,” said Simon Bennetts of Mozilla in a blog post.

“A browser that supports PnH can then allow the user to invoke such functionality without having to switch to and from the tool. While some of the PnH capabilities do have a fixed meaning, particularly around proxy configuration, most of the capabilities are completely generic, allowing tools to expose whatever functionality they want.”

The current version of the Plug-n-Hack protocol is in Firefox, but Bennetts said they hope other browser vendors and security researchers will incorporate it into their tools and applications. The protocol already integrated into the OWASP Zed Attack Proxy, a pen-testing framework.

“The next phase of PnH is still being planned but is intended to allow browsers to advertise their capabilities to security tools. This will allow the tools to obtain information directly from the browser, and even use the browser as an extension of the tool,” Bennetts said.

“While this project has been started by the Mozilla Security Team and has been validated with Firefox and OWASP ZAP, this is an open project and we welcome involvement from anyone, especially people working on other browsers and security tools.”



Leave a Reply

You must be logged in to post a comment.