Firesheep: Intentions, Responses, and What's Next

Transcript

1. Firesheep: Intentions, Responses,
   and What's Next
   Eric Butler
   Ian Gallagher
   December 2010 iSEC Open Security Forum
   

   View Slide

2. What is Firesheep?
   

   View Slide

3. View Slide

4. HTTP Session Hijacking Tool
   

   View Slide

5. (put video here)
   

   View Slide

6. Why write Firesheep?
   

   View Slide

7. Problem known and ignored by
   companies for years
   

   View Slide

8. HTTPS (ok, SSL) invented in
   1994 for this reason.
   

   View Slide

9. Firesheep: Released in October at
   ToorCon San Diego
   

   View Slide

10. Posted to HackerNews, picked up
    by TechCrunch
    

    View Slide

11. View Slide

12. (hours later)
    

    View Slide

13. View Slide

14. View Slide

15. "Firesheep Highlights Web Privacy Problem"
    - Wall Street Journal "Digits" Blog
    "The Message of Firesheep: "Baaaad Websites,
    Implement Sitewide HTTPS Now!""
    - EFF Deeplinks BLog
    "Firesheep Exposes Need For Encryption"
    - InformationWeek
    

    View Slide

16. For a moment, hundreds of
    thousands of people were
    thinking about security!
    

    View Slide

17. but... there's been plenty of
    misinformation too.
    

    View Slide

18. "Using Wi-Fi? Firesheep may endanger your security"
    - CNN.com
    "Firesheep: Why You May Never Want to Use
    an Open Wi-Fi Network Again"
    - forbes.com
    

    View Slide

19. Insecure WiFi:
    Not the problem
    

    View Slide

20. Not only facebook!
    

    View Slide

21. View Slide

22. View Slide

23. "New Firefox Add-On Detects Firesheep,
    Protects You on Open Networks"
    - Mashable
    

    View Slide

24. "New Firefox Add-On Detects Firesheep,
    Protects You on Open Networks"
    - Mashable
    

    View Slide

25. Anti-virus starts targeting
    Firesheep
    

    View Slide

26. Fallout
    

    View Slide

27. amazon • bitly • enom • flickr • gowalla
    live • toorcon • cisco • evernote
    foursquare • hackernews • nytimes
    tumblr • yahoo • basecamp • cnet
    facebook • google • harvest • pivotal
    twitter • yelp • dropbox • github
    slicehost
    

    View Slide

28. amazon • bitly • enom • flickr • gowalla
    live • toorcon • cisco • evernote
    foursquare • hackernews • nytimes
    tumblr • yahoo • basecamp • cnet
    facebook • google • harvest • pivotal
    twitter • yelp • dropbox • github
    slicehost
    

    View Slide

29. Access campaign
    

    View Slide

30. How to correctly fix problem?
    

    View Slide

31. View Slide

32. Best:
    Site-wide HTTPS
    Secure cookies
    HSTS (Strict-Transport-Security)
    No mixed-content
    SSL Session resumption
    Design with security from the start
    EFF and OWASP have great guides on
    how to properly deploy HTTPS
    

    View Slide

33. Good:
    HTTPS for sensitive pages
    Secure cookies required for those pages
    No mixed content on secure pages
    ..still susceptible to determined active
    attackers (MiTM, SSLStrip)
    

    View Slide

34. 919,997 downloads to date
    

    View Slide

35. What's next?
    

    View Slide

36. Linux support, 802.11 monitor
    mode
    

    View Slide

37. Still a huge problem...
    

    View Slide

38. Keep demanding SSL!
    

    View Slide