Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Firesheep: Intentions, Responses, and What's Next

Avatar for Eric Butler Eric Butler
December 09, 2010
Technology
0
1.1k

Firesheep: Intentions, Responses, and What's Next

Presented at the Seattle iSEC Open Security Forum, December 2010
Avatar for Eric Butler

Eric Butler

December 09, 2010
Tweet

More Decks by Eric Butler

See All by Eric Butler
Fun with Native Code
Avatar for Eric Butler codebutler
0
490
The Secret Life of SIM Cards
Avatar for Eric Butler codebutler
9
190k

Other Decks in Technology

See All in Technology
AIの全社活用を推進するための安全なレールを敷いた話
Avatar for ShoheiMitani shoheimitani
2
510
CDKTFについてざっくり理解する!!~CloudFormationからCDKTFへ変換するツールも作ってみた~
Avatar for モブエンジニア masakiokuda
1
130
Connect 100+を支える技術
Avatar for Yamakan kanyamaguc
0
200
高速なプロダクト開発を実現、創業期から掲げるエンタープライズアーキテクチャ
Avatar for かわうそ kawauso
2
9.1k
マーケットプレイス版Oracle WebCenter Content For OCI
Avatar for oracle4engineer oracle4engineer
PRO
3
960
Backlog ユーザー棚卸しRTA、多分これが一番早いと思います
Avatar for あれ __allllllllez__
1
150
KubeCon + CloudNativeCon Japan 2025 Recap by CA
Avatar for YuyaKoda ponkio_o
PRO
0
300
20250705 Headlamp: 專注可擴展性的 Kubernetes 用戶界面
Avatar for Phil Huang pichuang
0
270
スタートアップに選択肢を 〜生成AIを活用したセカンダリー事業への挑戦〜
Avatar for Nstock nstock
0
140
開発生産性を組織全体の「生産性」へ! 部門間連携の壁を越える実践的ステップ
Avatar for ussy / @sudo5in5k sudo5in5k
2
6.9k
MobileActOsaka_250704.pdf
Avatar for AKAI Tadaaki akaitadaaki
0
120
React開発にStorybookとCopilotを導入して、爆速でUIを編集・確認する方法
Avatar for yut yu_kod
1
270

Featured

See All Featured
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
Avatar for Michelle Schulp Hunt marktimemedia
31
2.4k
GraphQLの誤解/rethinking-graphql
Avatar for sonatard sonatard
71
11k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
Avatar for Addy Osmani addyosmani
7
740
The Language of Interfaces
Avatar for Des Traynor destraynor
158
25k
Raft: Consensus for Rubyists
Avatar for Patrick Van Stee vanstee
140
7k
The Invisible Side of Design
Avatar for Vitaly Friedman smashingmag
301
51k
jQuery: Nuts, Bolts and Bling
Avatar for Doug Neiner dougneiner
63
7.8k
Visualization
Avatar for Eitan Lees eitanlees
146
16k
Done Done
Avatar for chrislema chrislema
184
16k
YesSQL, Process and Tooling at Scale
Avatar for Rocio Delgado rocio
173
14k
CSS Pre-Processors: Stylus, Less & Sass
Avatar for Bermon Painter bermonpainter
357
30k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
Avatar for Joe Casabona jcasabona
32
2.4k

Transcript

  1. Firesheep: Intentions, Responses, and What's Next Eric Butler Ian Gallagher

    December 2010 iSEC Open Security Forum

  2. What is Firesheep?

  3. None

  4. HTTP Session Hijacking Tool

  5. (put video here)

  6. Why write Firesheep?

  7. Problem known and ignored by companies for years

  8. HTTPS (ok, SSL) invented in 1994 for this reason.

  9. Firesheep: Released in October at ToorCon San Diego

  10. Posted to HackerNews, picked up by TechCrunch

  11. None

  12. (hours later)

  13. None
  14. None

  15. "Firesheep Highlights Web Privacy Problem" - Wall Street Journal "Digits"

    Blog "The Message of Firesheep: "Baaaad Websites, Implement Sitewide HTTPS Now!"" - EFF Deeplinks BLog "Firesheep Exposes Need For Encryption" - InformationWeek

  16. For a moment, hundreds of thousands of people were thinking

    about security!

  17. but... there's been plenty of misinformation too.

  18. "Using Wi-Fi? Firesheep may endanger your security" - CNN.com "Firesheep:

    Why You May Never Want to Use an Open Wi-Fi Network Again" - forbes.com

  19. Insecure WiFi: Not the problem

  20. Not only facebook!

  21. None
  22. None

  23. "New Firefox Add-On Detects Firesheep, Protects You on Open Networks"

    - Mashable

  24. "New Firefox Add-On Detects Firesheep, Protects You on Open Networks"

    - Mashable

  25. Anti-virus starts targeting Firesheep

  26. Fallout

  27. amazon • bitly • enom • flickr • gowalla live

    • toorcon • cisco • evernote foursquare • hackernews • nytimes tumblr • yahoo • basecamp • cnet facebook • google • harvest • pivotal twitter • yelp • dropbox • github slicehost

  28. amazon • bitly • enom • flickr • gowalla live

    • toorcon • cisco • evernote foursquare • hackernews • nytimes tumblr • yahoo • basecamp • cnet facebook • google • harvest • pivotal twitter • yelp • dropbox • github slicehost

  29. Access campaign

  30. How to correctly fix problem?

  31. None

  32. Best: Site-wide HTTPS Secure cookies HSTS (Strict-Transport-Security) No mixed-content SSL

    Session resumption Design with security from the start EFF and OWASP have great guides on how to properly deploy HTTPS

  33. Good: HTTPS for sensitive pages Secure cookies required for those

    pages No mixed content on secure pages ..still susceptible to determined active attackers (MiTM, SSLStrip)

  34. 919,997 downloads to date

  35. What's next?

  36. Linux support, 802.11 monitor mode

  37. Still a huge problem...

  38. Keep demanding SSL!