Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Firesheep: Intentions, Responses, and What's Next

9b2d2f2c832191eadc1667bf2c3f224f?s=47 Eric Butler
December 09, 2010
Technology
0
810

Firesheep: Intentions, Responses, and What's Next

Presented at the Seattle iSEC Open Security Forum, December 2010

9b2d2f2c832191eadc1667bf2c3f224f?s=128

Eric Butler

December 09, 2010
Tweet

More Decks by Eric Butler

See All by Eric Butler
9b2d2f2c832191eadc1667bf2c3f224f?s=48 codebutler
0
290
9b2d2f2c832191eadc1667bf2c3f224f?s=48 codebutler
9
180k

Other Decks in Technology

See All in Technology
B1dca90d4b3ffd2ccd918774e1ba170d?s=48 hmatsu47
1
160
7e6a435700dda6cdb22105d601f20892?s=48 picardparis
4
2.4k
563d2e1e4cabf5ca21404f7104c90e91?s=48 prog893
14
3.6k
53850955f15249a1a9dc49df6113e400?s=48 line_developers
PRO
1
320
837b357dc46c47fc99560e03b8841a27?s=48 dsalo
0
140
966e29b84ae7dbde170f66b0bc75b7a6?s=48 ishiayaya
PRO
0
130
7f68f5f85f4a39df7d8d3c81cbbfb788?s=48 p1ass
15
5.5k
4ab9c4c8dec50dc08b89981e23e111f2?s=48 katsumataryo
3
810
7fb9a8ddaea2ddc368f12a5d08cea86a?s=48 yuu26
1
1k
B1dca90d4b3ffd2ccd918774e1ba170d?s=48 hmatsu47
2
120
3115a782126be714b5f94d24073c957d?s=48 oracle4engineer
1
440
03d565e037c55da5d503eb5a21dba86b?s=48 honai
9
5.7k

Featured

See All Featured
A0517b08532aec8ab2aae3f65d40ad86?s=48 hannesfritz
28
970
C86443373fbfe92996aa882d0d7a59f8?s=48 imathis
479
150k
4262b9cfacfb6b2c77f23e1d0310cd3e?s=48 myddelton
109
11k
C1daf20e5c49ff910745198ef9869ac2?s=48 hatefulcrawdad
257
17k
A9179349dd2bdc67f377719f56d85656?s=48 garrettdimon
289
110k
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
32
3.5k
1519587b1a0febb658c36c94f6272b0d?s=48 roundedbygravity
242
21k
5f83ef806155b403c3393160ce51f955?s=48 jlugia
217
16k
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
167
7.3k
5f50f94346fbcb23706f0707169317a4?s=48 aarron
258
36k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
498
130k
245cee81a9c424266e5e401d844ea881?s=48 lara
590
61k

Transcript

  1. Firesheep: Intentions, Responses, and What's Next Eric Butler Ian Gallagher

    December 2010 iSEC Open Security Forum

  2. What is Firesheep?

  3. None

  4. HTTP Session Hijacking Tool

  5. (put video here)

  6. Why write Firesheep?

  7. Problem known and ignored by companies for years

  8. HTTPS (ok, SSL) invented in 1994 for this reason.

  9. Firesheep: Released in October at ToorCon San Diego

  10. Posted to HackerNews, picked up by TechCrunch

  11. None

  12. (hours later)

  13. None
  14. None

  15. "Firesheep Highlights Web Privacy Problem" - Wall Street Journal "Digits"

    Blog "The Message of Firesheep: "Baaaad Websites, Implement Sitewide HTTPS Now!"" - EFF Deeplinks BLog "Firesheep Exposes Need For Encryption" - InformationWeek

  16. For a moment, hundreds of thousands of people were thinking

    about security!

  17. but... there's been plenty of misinformation too.

  18. "Using Wi-Fi? Firesheep may endanger your security" - CNN.com "Firesheep:

    Why You May Never Want to Use an Open Wi-Fi Network Again" - forbes.com

  19. Insecure WiFi: Not the problem

  20. Not only facebook!

  21. None
  22. None

  23. "New Firefox Add-On Detects Firesheep, Protects You on Open Networks"

    - Mashable

  24. "New Firefox Add-On Detects Firesheep, Protects You on Open Networks"

    - Mashable

  25. Anti-virus starts targeting Firesheep

  26. Fallout

  27. amazon • bitly • enom • flickr • gowalla live

    • toorcon • cisco • evernote foursquare • hackernews • nytimes tumblr • yahoo • basecamp • cnet facebook • google • harvest • pivotal twitter • yelp • dropbox • github slicehost

  28. amazon • bitly • enom • flickr • gowalla live

    • toorcon • cisco • evernote foursquare • hackernews • nytimes tumblr • yahoo • basecamp • cnet facebook • google • harvest • pivotal twitter • yelp • dropbox • github slicehost

  29. Access campaign

  30. How to correctly fix problem?

  31. None

  32. Best: Site-wide HTTPS Secure cookies HSTS (Strict-Transport-Security) No mixed-content SSL

    Session resumption Design with security from the start EFF and OWASP have great guides on how to properly deploy HTTPS

  33. Good: HTTPS for sensitive pages Secure cookies required for those

    pages No mixed content on secure pages ..still susceptible to determined active attackers (MiTM, SSLStrip)

  34. 919,997 downloads to date

  35. What's next?

  36. Linux support, 802.11 monitor mode

  37. Still a huge problem...

  38. Keep demanding SSL!