Plug-n-Hack - Archive of obsolete content

Overview

Plug-n-Hack (PnH) is a proposed standard from the Mozilla security team for defining how security tools can interact with browsers in a more useful and usable way.

Security researchers commonly use security tools in conjunction with browsers, but until now direct integration has required writing platform and browser specific extensions.

Configuring a browser to work with a security tool can be a non-trivial process, and this can discourage people with less experience from using such tools. This can include application developers and testers, exactly the sort of people we would like to use these tools more!

For example, to configure a browser to use an intercepting proxy that can handle HTTPS traffic, the user must typically:

Configure their browser to proxy via the tool
Configure the tool to proxy via their corporate proxy
Import the tool’s SSL certificate into their browser

If any of these steps are carried out incorrectly then the browser will typically fail to connect to any website – debugging such problems can be frustrating and time-consuming.

Without integration between security tools and browsers, a user must often switch between the tool and their browser several times to perform a simple task, such as intercepting an HTTP(S) request.

PnH allows security tools to declare the functionality that they support which is suitable for invoking directly from the browser.

A browser that supports PnH can then allow the user to invoke such functionality without having to switch to and from the tool.

While some of the PnH capabilities do have a fixed meaning, particularly around proxy configuration, most of the capabilities are completely generic, allowing tools to expose whatever functionality they want.

Implementing the above features in Firefox and the tools that we work on and support gives our team an advantage, however we believe that opening up such capabilities to all browsers and all security tools is much more useful for security researchers and application developers and testers.

As a result we have designed and developed the PnH protocol to be both browser and tool independent. The current protocol and Firefox implementation are released under the Mozilla Public License 2.0 which means it can be incorporated in commercial tools without charge.

Plug-n-Hack topics

Phase 1: This provides simplified integration and allows tools to advertize their capabilities to browsers
Phase 2: This will allow browsers to advertize their capabilities to security tools
Tools supporting PnH: The browsers and tools known to support or be working on support for PnH
Get Involved: How to implement PnH in your tool or get involved with PnH development