
Firesheep: Intentions, Responses, and What's Next

Eric Butler
December 09, 2010

Presented at the Seattle iSEC Open Security Forum, December 2010

Transcript

  1. Firesheep: Intentions, Responses,
    and What's Next
    Eric Butler
    Ian Gallagher
    December 2010 iSEC Open Security Forum

  2. What is Firesheep?

  4. HTTP Session Hijacking Tool

  5. (put video here)

  6. Why write Firesheep?

  7. Problem known and ignored by
    companies for years

  8. HTTPS (ok, SSL) invented in
    1994 for this reason.

  9. Firesheep: Released in October at
    ToorCon San Diego

  10. Posted to HackerNews, picked up
    by TechCrunch

  12. (hours later)

  15. "Firesheep Highlights Web Privacy Problem"
    - Wall Street Journal "Digits" Blog
    "The Message of Firesheep: 'Baaaad Websites,
    Implement Sitewide HTTPS Now!'"
    - EFF Deeplinks Blog
    "Firesheep Exposes Need For Encryption"
    - InformationWeek

  16. For a moment, hundreds of
    thousands of people were
    thinking about security!

  17. but... there's been plenty of
    misinformation too.

  18. "Using Wi-Fi? Firesheep may endanger your security"
    - CNN.com
    "Firesheep: Why You May Never Want to Use
    an Open Wi-Fi Network Again"
    - forbes.com

  19. Insecure WiFi:
    Not the problem

  20. Not only Facebook!

  23. "New Firefox Add-On Detects Firesheep,
    Protects You on Open Networks"
    - Mashable


  25. Anti-virus starts targeting
    Firesheep

  26. Fallout

  27. amazon • bitly • enom • flickr • gowalla
    live • toorcon • cisco • evernote
    foursquare • hackernews • nytimes
    tumblr • yahoo • basecamp • cnet
    facebook • google • harvest • pivotal
    twitter • yelp • dropbox • github
    slicehost


  29. Access campaign

  30. How to correctly fix problem?

  32. Best:
    Site-wide HTTPS
    Secure cookies
    HSTS (Strict-Transport-Security)
    No mixed-content
    SSL Session resumption
    Design with security from the start
    EFF and OWASP have great guides on
    how to properly deploy HTTPS

  33. Good:
    HTTPS for sensitive pages
    Secure cookies required for those pages
    No mixed content on secure pages
    ...still susceptible to determined active
    attackers (MITM, SSLStrip)
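Added here as a worked example, not code from the talk or from the Firesheep extension itself: one script that shows both halves of the story. The first half is what a passive sniffer recovers from a cleartext HTTP request (slides 4 and 19: the session cookie is on the wire in the clear whether the Wi-Fi link is open or encrypted, so the Wi-Fi is not the problem); the second half is the server-side response the "Best" slide asks for, and an audit that says why the "Good" tier is only good. The host name, cookie names and captured request are constructed for the example, and the handler table is hypothetical; Firesheep's real per-site handlers are not reproduced.

```python
# Added example (not Firesheep's own code, which is a Firefox extension):
# the passive capture the tool performs, and the server-side fix the talk
# asks for. Host names, cookie names and the captured request are constructed
# for the example; Firesheep's real per-site handlers are not reproduced.

# Constructed sample: one cleartext HTTP request as seen on the wire. Open or
# WPA2 Wi-Fi makes no difference to what a node between client and server sees.
SAMPLE_REQUEST = (
    b"GET /home.php HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: locale=en_US; c_user=100000123; xs=9%3Adeadbeef%3A2\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)

# Hypothetical handler table: cookie names that together form a session.
SESSION_COOKIES = {
    "www.example.com": ("c_user", "xs"),
}

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers dict)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def parse_cookie_header(value):
    """'a=1; b=2' -> {'a': '1', 'b': '2'}; values kept exactly as sent."""
    cookies = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            cookies[name] = val
    return cookies

def hijack_cookie_header(raw):
    """Firesheep-style capture: if the request carries every cookie listed for
    its Host, return the Cookie header value an attacker would replay from
    their own browser; otherwise None."""
    _, _, headers = parse_request(raw)
    host = headers.get("host", "")
    cookies = parse_cookie_header(headers.get("cookie", ""))
    needed = SESSION_COOKIES.get(host, ())
    if not needed or any(name not in cookies for name in needed):
        return None
    return "; ".join(f"{name}={cookies[name]}" for name in needed)

# ---- the fix: site-wide HTTPS, Secure cookies, HSTS ------------------------

def secure_response_headers(scheme, host, path, session_id,
                            hsts_max_age=31536000):
    """Response for the 'Best' slide. A cleartext request gets a redirect and
    nothing else; an HTTPS request gets HSTS and a session cookie the browser
    will never send over plain HTTP."""
    if scheme != "https":
        # Site-wide HTTPS: no content and no cookies on port 80.
        return 301, {"Location": f"https://{host}{path}"}
    return 200, {
        # HSTS: the browser rewrites later http:// navigations to https://
        # before they reach the wire, which is what blunts SSLStrip.
        "Strict-Transport-Security": f"max-age={hsts_max_age}; includeSubDomains",
        # Secure: sent only over TLS. HttpOnly: not readable by page script.
        "Set-Cookie": f"session={session_id}; Secure; HttpOnly; Path=/",
    }

def set_cookie_flags(set_cookie_value):
    """Attribute names present on a Set-Cookie value, lowercased."""
    attrs = [p.strip() for p in set_cookie_value.split(";")[1:]]
    return {a.partition("=")[0].lower() for a in attrs if a}

def audit_session_cookie(set_cookie_value, serves_http_pages):
    """Check a deployment against the two slides. A session cookie without
    Secure is sent on every request to the host, cleartext ones included, so
    Firesheep reads it passively. Secure cookies on a site that still answers
    on http:// is the 'Good' tier: safe from passive sniffing, still open to an
    active attacker who keeps the victim on cleartext (SSLStrip, MITM)."""
    flags = set_cookie_flags(set_cookie_value)
    findings = []
    if "secure" not in flags:
        findings.append("missing Secure: cookie leaks on any cleartext request")
    if "httponly" not in flags:
        findings.append("missing HttpOnly: cookie readable by injected script")
    if serves_http_pages:
        findings.append("http:// pages still served: active downgrade possible")
    return findings
```

Run `hijack_cookie_header(SAMPLE_REQUEST)` to see the replayable Cookie value, then `audit_session_cookie("session=abc; Path=/", True)` against `audit_session_cookie("session=abc; Secure; HttpOnly; Path=/", False)` to see the gap between the two slides. The redirect and the Secure flag carry the protection on their own; the HSTS header only adds the anti-downgrade step in browsers that implement it, which in 2010 was not yet all of them.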

  34. 919,997 downloads to date

  35. What's next?

  36. Linux support, 802.11 monitor
    mode

  37. Still a huge problem...

  38. Keep demanding SSL!