Firesheep: Intentions, Responses, and What's Next

9b2d2f2c832191eadc1667bf2c3f224f?s=47 Eric Butler
December 09, 2010
Technology
0
800

Firesheep: Intentions, Responses, and What's Next

Presented at the Seattle iSEC Open Security Forum, December 2010

9b2d2f2c832191eadc1667bf2c3f224f?s=128

Eric Butler

December 09, 2010
Tweet

More Decks by Eric Butler

See All by Eric Butler
9b2d2f2c832191eadc1667bf2c3f224f?s=48 codebutler
0
290
9b2d2f2c832191eadc1667bf2c3f224f?s=48 codebutler
9
180k

Other Decks in Technology

See All in Technology
9625fe974bd2b3df38c1f86054fbe04b?s=48 vlayusuke
0
120
B3f560d34c14a9113e5024bc34ac26a0?s=48 heyitsmohit
1
150
40661cda330920ea2a854566ae19bbe9?s=48 wyamazak_uhuru
0
340
9e7a653ed313b3da4b263a772bfc5026?s=48 clustervr
0
160
7cd783377515bdf8207062840b7b2f4e?s=48 soracom
1
750
0102ef8594b9d3a74f45dfd5daa5ede4?s=48 yskmjp
0
250
Cb88f765dd38cd942c39aacb5abbea06?s=48 ufoo68
0
250
6fe6b19f7204487ab25ceb3b3a70204e?s=48 takegue
0
410
D4b3dfc68675b3564c58e75cef7c9689?s=48 ryoichi_obara
0
530
098ad475722e3697ec2fba28c8654f9f?s=48 yuhta28
0
470
457ada693e168bd1102fec3914040b5d?s=48 uipath_friends
0
120
9321a57bcb62d9d6fca07b5c5ca6f6d0?s=48 ohbashunsuke
1
460

Featured

See All Featured
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
118
15k
C7393b7ba7ec9c8890dd77d209fbb3c9?s=48 maltzj
499
36k
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
69
1.3k
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
15
520
2f5463832ccb768ccb4a1ca3607c27ef?s=48 jacobian
254
19k
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
24
1.7k
15f2b8221f247985a27a627d2ece72f0?s=48 pauljervisheath
193
15k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
775
240k
027d1ebf66cc039a0bd3b55eeadbe75d?s=48 sachag
266
16k
C35e01544a0dd94a2cf1619ee8a42ebb?s=48 clairelew
12
1.3k
4394ceb8b277f35ee3da7030384efb5d?s=48 davidbonilla
69
3.5k
E4f5d494ebdc9e7cce1aecf3ce3e8bc1?s=48 shpigford
165
18k

Transcript

  1. Firesheep: Intentions, Responses, and What's Next Eric Butler Ian Gallagher

    December 2010 iSEC Open Security Forum

  2. What is Firesheep?

  3. None

  4. HTTP Session Hijacking Tool

  5. (put video here)

  6. Why write Firesheep?

  7. Problem known and ignored by companies for years

  8. HTTPS (ok, SSL) invented in 1994 for this reason.

  9. Firesheep: Released in October at ToorCon San Diego

  10. Posted to HackerNews, picked up by TechCrunch

  11. None

  12. (hours later)

  13. None
  14. None

  15. "Firesheep Highlights Web Privacy Problem" - Wall Street Journal "Digits"

    Blog "The Message of Firesheep: "Baaaad Websites, Implement Sitewide HTTPS Now!"" - EFF Deeplinks BLog "Firesheep Exposes Need For Encryption" - InformationWeek

  16. For a moment, hundreds of thousands of people were thinking

    about security!

  17. but... there's been plenty of misinformation too.

  18. "Using Wi-Fi? Firesheep may endanger your security" - CNN.com "Firesheep:

    Why You May Never Want to Use an Open Wi-Fi Network Again" - forbes.com

  19. Insecure WiFi: Not the problem

  20. Not only facebook!

  21. None
  22. None

  23. "New Firefox Add-On Detects Firesheep, Protects You on Open Networks"

    - Mashable

  24. "New Firefox Add-On Detects Firesheep, Protects You on Open Networks"

    - Mashable

  25. Anti-virus starts targeting Firesheep

  26. Fallout

  27. amazon • bitly • enom • flickr • gowalla live

    • toorcon • cisco • evernote foursquare • hackernews • nytimes tumblr • yahoo • basecamp • cnet facebook • google • harvest • pivotal twitter • yelp • dropbox • github slicehost

  28. amazon • bitly • enom • flickr • gowalla live

    • toorcon • cisco • evernote foursquare • hackernews • nytimes tumblr • yahoo • basecamp • cnet facebook • google • harvest • pivotal twitter • yelp • dropbox • github slicehost

  29. Access campaign

  30. How to correctly fix problem?

  31. None

  32. Best: Site-wide HTTPS Secure cookies HSTS (Strict-Transport-Security) No mixed-content SSL

    Session resumption Design with security from the start EFF and OWASP have great guides on how to properly deploy HTTPS

  33. Good: HTTPS for sensitive pages Secure cookies required for those

    pages No mixed content on secure pages ..still susceptible to determined active attackers (MiTM, SSLStrip)

  34. 919,997 downloads to date

  35. What's next?

  36. Linux support, 802.11 monitor mode

  37. Still a huge problem...

  38. Keep demanding SSL!