Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Firesheep: Intentions, Responses, and What's Next
Search
Eric Butler
December 09, 2010
Technology
0
1.1k
Firesheep: Intentions, Responses, and What's Next
Presented at the Seattle iSEC Open Security Forum, December 2010
Eric Butler
December 09, 2010
Tweet
Share
More Decks by Eric Butler
See All by Eric Butler
Fun with Native Code
codebutler
0
490
The Secret Life of SIM Cards
codebutler
9
190k
Other Decks in Technology
See All in Technology
製造業の課題解決に向けた機械学習の活用と、製造業特化LLM開発への挑戦
knt44kw
0
160
【CEDEC2025】『Shadowverse: Worlds Beyond』二度目のDCG開発でゲームをリデザインする~遊びやすさと競技性の両立~
cygames
PRO
1
310
いかにして命令の入れ替わりについて心配するのをやめ、メモリモデルを愛するようになったか(改)
nullpo_head
6
2.4k
データモデリング通り #2オンライン勉強会 ~方法論の話をしよう~
datayokocho
0
140
KubeCon + CloudNativeCon Japan 2025 Recap
donkomura
0
200
OPENLOGI Company Profile for engineer
hr01
1
37k
Vision Language Modelと自動運転AIの最前線_20250730
yuyamaguchi
3
1.2k
AI時代の経営、Bet AI Vision #BetAIDay
layerx
PRO
1
1.9k
Google Agentspaceを実際に導入した効果と今後の展望
mixi_engineers
PRO
3
370
AIエージェントを現場で使う / 2025.08.07 著者陣に聞く!現場で活用するためのAIエージェント実践入門(Findyランチセッション)
smiyawaki0820
6
850
Amazon Bedrock AgentCoreのフロントエンドを探す旅 (Next.js編)
kmiya84377
1
130
【新卒研修資料】数理最適化 / Mathematical Optimization
brainpadpr
25
12k
Featured
See All Featured
Unsuck your backbone
ammeep
671
58k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
29
9.6k
A Tale of Four Properties
chriscoyier
160
23k
Statistics for Hackers
jakevdp
799
220k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
34
3.1k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
126
53k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
The MySQL Ecosystem @ GitHub 2015
samlambert
251
13k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
50k
Producing Creativity
orderedlist
PRO
347
40k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
53k
For a Future-Friendly Web
brad_frost
179
9.9k
Transcript
Firesheep: Intentions, Responses, and What's Next Eric Butler Ian Gallagher
December 2010 iSEC Open Security Forum
What is Firesheep?
None
HTTP Session Hijacking Tool
(put video here)
Why write Firesheep?
Problem known and ignored by companies for years
HTTPS (ok, SSL) invented in 1994 for this reason.
Firesheep: Released in October at ToorCon San Diego
Posted to HackerNews, picked up by TechCrunch
None
(hours later)
None
None
"Firesheep Highlights Web Privacy Problem" - Wall Street Journal "Digits"
Blog "The Message of Firesheep: "Baaaad Websites, Implement Sitewide HTTPS Now!"" - EFF Deeplinks BLog "Firesheep Exposes Need For Encryption" - InformationWeek
For a moment, hundreds of thousands of people were thinking
about security!
but... there's been plenty of misinformation too.
"Using Wi-Fi? Firesheep may endanger your security" - CNN.com "Firesheep:
Why You May Never Want to Use an Open Wi-Fi Network Again" - forbes.com
Insecure WiFi: Not the problem
Not only facebook!
None
None
"New Firefox Add-On Detects Firesheep, Protects You on Open Networks"
- Mashable
"New Firefox Add-On Detects Firesheep, Protects You on Open Networks"
- Mashable
Anti-virus starts targeting Firesheep
Fallout
amazon • bitly • enom • flickr • gowalla live
• toorcon • cisco • evernote foursquare • hackernews • nytimes tumblr • yahoo • basecamp • cnet facebook • google • harvest • pivotal twitter • yelp • dropbox • github slicehost
amazon • bitly • enom • flickr • gowalla live
• toorcon • cisco • evernote foursquare • hackernews • nytimes tumblr • yahoo • basecamp • cnet facebook • google • harvest • pivotal twitter • yelp • dropbox • github slicehost
Access campaign
How to correctly fix problem?
None
Best: Site-wide HTTPS Secure cookies HSTS (Strict-Transport-Security) No mixed-content SSL
Session resumption Design with security from the start EFF and OWASP have great guides on how to properly deploy HTTPS
Good: HTTPS for sensitive pages Secure cookies required for those
pages No mixed content on secure pages ..still susceptible to determined active attackers (MiTM, SSLStrip)
919,997 downloads to date
What's next?
Linux support, 802.11 monitor mode
Still a huge problem...
Keep demanding SSL!