At the end of last May, Mozilla sponsored the HackWEEKDAY contest at the third annual Hack In The Box conference in the Netherlands. The contest ran alongside the rest of the HITB conference, which featured presentations on security topics including new iPhone jailbreaks and a second-day keynote from Bruce Schneier.
Lucas Adamski and I travelled from San Francisco to Amsterdam, where we met up with Christian Holler and Frederik Braun, a former Mozilla security intern. Both Christian and Freddy are based in Germany, so it was good to be able to catch up with them in Europe and hear about Christian’s current projects and Freddy’s Masters degree research on web browser security.
The HackWEEKDAY contest goal was pretty simple: write a Firefox add-on related to security. The contest had previously been run at an earlier HITB conference in Malaysia, where Gary Kwong was Mozilla’s representative. I made sure to talk to Gary before leaving for the conference and got some great insights into what to expect. Additionally, I took his suggestion to bring along lots of Firefox swag! The prize for creating the best add-on, judged by a panel of Mozilla and HITB representatives, was 1337 euros.
HITB’s Youri van de Zwart and Dirk Van Veen did an excellent job preparing for the contest. The contestants had a great space in which to hack, their own wireless network separate from the main conference network, and an SVN server for their code.
The contest took place over two days, with a six-hour hacking session each day. The Mozilla representatives (including myself) attended to help brainstorm project ideas and to aid with add-on development. For many of the contestants, HackWEEKDAY was their first exposure to writing a Firefox add-on.
The participants ended up forming four teams and working on four different Firefox add-ons:
* Sernin van de Krol and Sander Kerkdijk created an add-on to prevent password reuse. It alerts when a user creates an account using a password that they have previously used and saved in Firefox’s password manager. It also highlights when a user attempts to reuse, on a site with an HTTPS login page, a password that has already been saved for a site with an HTTP login page, since that password could easily have been passively intercepted.
* Vianney Darmaillacq and Klaus de Graaf built an add-on to integrate GPG with Firefox, making it easier for users to encrypt and decrypt text in the browser. The user can select a piece of text in Firefox, right-click and choose to encrypt. The data is passed to GPG by running it in a shell, and the encrypted text is then copied to the clipboard for easy pasting into an email or something similar. Similarly, the user can highlight encrypted text, choose “decrypt”, and the plaintext is placed on the clipboard after GPG has decrypted it.
* Paul Hooijenga also focused on password reuse. His add-on took a different approach from the other project: it checks the currently saved passwords for duplicates and alerts if any are found. It also uses a publicly available blacklist of sites that store passwords unencrypted and warns if a password used on one of those sites is reused elsewhere.
* Pieter Vlasblom and Erik Kooistra made an add-on to automatically verify hashes of files that the user downloads. When a file is being downloaded, the add-on looks for a file in the same directory on the server with the same name and an .md5 or .sha1 extension. It then tries to download those hashes, preferring SSL (HTTPS) and falling back to plain HTTP if necessary. The SHA1 hash is preferred to the MD5 hash if both exist. If verification succeeds, an unobtrusive message is shown to the user; if a hash exists but does not match the hash computed over the downloaded file, the file is deleted and a warning is displayed.
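The two password-reuse add-ons above share one core check: compare a password against the user's saved logins and treat a match as more dangerous when the saved copy was entered on an HTTP login page or on a site known to store passwords unencrypted. The following is an added example of that check in browser-side JavaScript; it is not code from either team. The login records and the `PLAINTEXT_SITES` list are constructed sample data (a real add-on would read the decrypted entries from the Firefox password manager and a published list of offending sites), and it generalises slightly by warning about any password saved over HTTP, not only when the new site uses HTTPS.

```javascript
// Added example, not code from either HackWEEKDAY password add-on: a
// scheme-aware password-reuse check over a user's saved logins.
// SAVED_LOGINS and PLAINTEXT_SITES are constructed sample data.
const SAVED_LOGINS = [
  { origin: "http://forum.example.net", username: "alice", password: "hunter2" },
  { origin: "https://bank.example.com", username: "alice", password: "correct horse battery" },
  { origin: "https://mail.example.org", username: "alice", password: "hunter2" },
  { origin: "https://shop.example.com", username: "alice", password: "s3cret" },
];
// Hostnames known (per a hypothetical published blacklist) to store passwords unhashed.
const PLAINTEXT_SITES = new Set(["shop.example.com"]);

// Group saved logins by password and report every password saved for more than
// one origin. The password itself is deliberately left out of the report; only
// the origins sharing it and whether one of them is a plaintext-storing site.
function findDuplicatePasswords(logins, plaintextSites) {
  const byPassword = new Map();
  for (const login of logins) {
    if (!byPassword.has(login.password)) byPassword.set(login.password, new Set());
    byPassword.get(login.password).add(login.origin);
  }
  const duplicates = [];
  for (const origins of byPassword.values()) {
    if (origins.size < 2) continue;
    const hosts = [...origins].map((o) => new URL(o).hostname);
    duplicates.push({
      origins: [...origins].sort(),
      plaintextExposed: hosts.some((h) => plaintextSites.has(h)),
    });
  }
  return duplicates;
}

// Check a password about to be submitted at `origin` against the saved logins.
// Returns one warning per saved login that already uses it:
//   "reused-from-http"       the match was saved for an http:// login page, so
//                            the password may already have been passively sniffed
//   "reused-from-plaintext"  the match is a site known to store passwords unhashed
//   "reused"                 plain reuse across origins
function checkNewPassword(logins, plaintextSites, origin, password) {
  const warnings = [];
  for (const login of logins) {
    if (login.password !== password || login.origin === origin) continue;
    const saved = new URL(login.origin);
    let kind = "reused";
    if (saved.protocol === "http:") kind = "reused-from-http";
    else if (plaintextSites.has(saved.hostname)) kind = "reused-from-plaintext";
    warnings.push({ kind, savedOrigin: login.origin });
  }
  return warnings;
}

// Example run: alice is about to sign up at a new site with "hunter2".
console.log(findDuplicatePasswords(SAVED_LOGINS, PLAINTEXT_SITES));
console.log(checkNewPassword(SAVED_LOGINS, PLAINTEXT_SITES, "https://new.example.com", "hunter2"));
```

The comparison is on the plaintext passwords, which is unavoidable for this kind of check, so an add-on doing this must run it only inside the browser and never log or transmit the matched values; the duplicate report above intentionally returns origins rather than the shared password.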
After some serious debate, the panel decided that the winner was Pieter and Erik’s hash-checking add-on. During judging, the panel discussed the fundamental bootstrapping problem with checking hashes: if the hash is downloaded over HTTP, it can’t be trusted; likewise, if the page containing the links to the download and its hash is accessed over HTTP, those links can’t be trusted even if they are HTTPS links, and so on. Since the add-on was something most users could immediately use, adding security transparently without requiring users to make a security decision, the panel still felt this was the best project, although all of the add-ons submitted were quite good and had their advocates. The winning team was presented with their prize by Lucas and Dirk during the closing ceremonies of the conference.
To close on a more personal note, I really enjoyed the whole experience – it was particularly interesting to me to finally attend a security conference in Europe and to be able to compare and contrast the experience with the many conferences I have attended in North America. I also got a chance to do a brief demo of B2G for the contestants, Christian spoke about his adbfuzz framework and gave a brief demo, and Lucas chatted with many folks interested in what Mozilla is doing at the moment, both related and unrelated to security. The conference and contest were a great opportunity for us to connect with the larger security community in person, and I’m very thankful I got to be a part of it!