August 23, 2013, 12:49 AM — Mozilla is developing a protocol that aims to let security tools and Web browsers work better together.
Configuring a web browser to work with a security tool involves writing platform and browser-specific extensions, a non-trivial process that discourages people with less experience, wrote Simon Bennetts, a security automation engineer with Mozilla, on Thursday.
The proposed standard, called "Plug-n-Hack," will define how security extensions can work with a browser in a more usable way, Bennetts wrote. PnH will allow the security tool to "declare the functionality that they support which is suitable for invoking directly from the browser."
Under the current arrangement, if a user wants to, for example, intercept HTTPS traffic, a user must configure proxy connections through the tool and browser correctly and import the tool's SSL (Secure Sockets Layer) certificate, Bennetts wrote.
"If any of these steps are carried out incorrectly then the browser will typically fail to connect to any website -- debugging such problems can be frustrating and time-consuming," Bennetts wrote.
Users may also have to switch often between the tool and their browser to intercept an HTTPS request.
"PnH allows security tools to declare the functionality that they support which is suitable for invoking directly from the browser," Bennets wrote. "A browser that supports PnH can then allow the user to invoke such functionality without having to switch to and from the tool."
The PnH protocol is being designed to be browser and tool independent. The implementation for Firefox has been released under the Mozilla Public License 2.0 and can be incorporated into commercial products for free, Bennetts wrote.
The next phase of the project is being planned, but it is expected it will allow browsers to "advertise their capabilities to security tools," he wrote.
"This will allow the tools to obtain information directly from the browser, and even use the browser as an extension of the tool," Bennetts wrote.
Send news tips and comments to firstname.lastname@example.org. Follow me on Twitter: @jeremy_kirk