Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Firesheep: Intentions, Responses, and What's Next

Eric Butler
December 09, 2010
Technology
0
910

Firesheep: Intentions, Responses, and What's Next

Presented at the Seattle iSEC Open Security Forum, December 2010

Eric Butler

December 09, 2010
Tweet

More Decks by Eric Butler

See All by Eric Butler
Fun with Native Code
codebutler
0
420
The Secret Life of SIM Cards
codebutler
9
190k

Other Decks in Technology

See All in Technology
2024-04-06 AMeDAS to Lagoon SORACOM UG 2024-04-06
anysonica
0
120
転移学習とドメイン適応の基礎
kmatsui
2
570
PHPカンファレンス小田原2024
ysknsid25
2
660
Delivering Millions of Messages within seconds @ Duolingo
pelelgrino
0
320
反実仮想機械学習とは何か
usaito
PRO
6
1.7k
コンパウンドスタートアップのためのスケーラブルでセキュアなInfrastructure as Codeパイプラインを考える / Scalable and Secure Infrastructure as Code Pipeline for a Compound Startup
yuyatakeyama
3
1.9k
Algyan イベント振り返り
linyixian
0
180
[PlatformCon 24] Platform Orchestrators: The Missing Middle of Internal Developer Platforms?
danielbryantuk
0
170
ユーザーストーリーのレビューを自動化したみたの
bun913
1
300
コンテナセキュリティの基本と脅威への対策
kyohmizu
3
680
Databricks におけるデータエンジニアリング
databricksjapan
0
370
巨大なテーブルのテーブル定義を無停止で安全に誰でも変更できるようにする / Table-definitions-for-huge-tables-can-be-modified-by-anyone-safely-and-non-disruptively
freee
1
730

Featured

See All Featured
RailsConf 2023
tenderlove
2
530
Writing Fast Ruby
sferik
620
60k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
24
2.3k
Designing on Purpose - Digital PM Summit 2013
jponch
110
6.4k
Fireside Chat
paigeccino
20
2.6k
10 Git Anti Patterns You Should be Aware of
lemiorhan
646
57k
Principles of Awesome APIs and How to Build Them.
keavy
120
16k
The MySQL Ecosystem @ GitHub 2015
samlambert
242
12k
Typedesign – Prime Four
hannesfritz
36
2k
What’s in a name? Adding method to the madness
productmarketing
PRO
15
2.6k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
5
1.5k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.9k

Transcript

  1. Firesheep: Intentions, Responses, and What's Next Eric Butler Ian Gallagher

    December 2010 iSEC Open Security Forum

  2. What is Firesheep?

  3. None

  4. HTTP Session Hijacking Tool

  5. (put video here)

  6. Why write Firesheep?

  7. Problem known and ignored by companies for years

  8. HTTPS (ok, SSL) invented in 1994 for this reason.

  9. Firesheep: Released in October at ToorCon San Diego

  10. Posted to HackerNews, picked up by TechCrunch

  11. None

  12. (hours later)

  13. None
  14. None

  15. "Firesheep Highlights Web Privacy Problem" - Wall Street Journal "Digits"

    Blog "The Message of Firesheep: "Baaaad Websites, Implement Sitewide HTTPS Now!"" - EFF Deeplinks BLog "Firesheep Exposes Need For Encryption" - InformationWeek

  16. For a moment, hundreds of thousands of people were thinking

    about security!

  17. but... there's been plenty of misinformation too.

  18. "Using Wi-Fi? Firesheep may endanger your security" - CNN.com "Firesheep:

    Why You May Never Want to Use an Open Wi-Fi Network Again" - forbes.com

  19. Insecure WiFi: Not the problem

  20. Not only facebook!

  21. None
  22. None

  23. "New Firefox Add-On Detects Firesheep, Protects You on Open Networks"

    - Mashable

  24. "New Firefox Add-On Detects Firesheep, Protects You on Open Networks"

    - Mashable

  25. Anti-virus starts targeting Firesheep

  26. Fallout

  27. amazon • bitly • enom • flickr • gowalla live

    • toorcon • cisco • evernote foursquare • hackernews • nytimes tumblr • yahoo • basecamp • cnet facebook • google • harvest • pivotal twitter • yelp • dropbox • github slicehost

  28. amazon • bitly • enom • flickr • gowalla live

    • toorcon • cisco • evernote foursquare • hackernews • nytimes tumblr • yahoo • basecamp • cnet facebook • google • harvest • pivotal twitter • yelp • dropbox • github slicehost

  29. Access campaign

  30. How to correctly fix problem?

  31. None

  32. Best: Site-wide HTTPS Secure cookies HSTS (Strict-Transport-Security) No mixed-content SSL

    Session resumption Design with security from the start EFF and OWASP have great guides on how to properly deploy HTTPS

  33. Good: HTTPS for sensitive pages Secure cookies required for those

    pages No mixed content on secure pages ..still susceptible to determined active attackers (MiTM, SSLStrip)

  34. 919,997 downloads to date

  35. What's next?

  36. Linux support, 802.11 monitor mode

  37. Still a huge problem...

  38. Keep demanding SSL!