Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Firesheep: Intentions, Responses, and What's Next

9b2d2f2c832191eadc1667bf2c3f224f?s=47 Eric Butler
December 09, 2010
Technology
0
820

Firesheep: Intentions, Responses, and What's Next

Presented at the Seattle iSEC Open Security Forum, December 2010

9b2d2f2c832191eadc1667bf2c3f224f?s=128

Eric Butler

December 09, 2010
Tweet

More Decks by Eric Butler

See All by Eric Butler
9b2d2f2c832191eadc1667bf2c3f224f?s=48 codebutler
0
300
9b2d2f2c832191eadc1667bf2c3f224f?s=48 codebutler
9
180k

Other Decks in Technology

See All in Technology
F507086e15832a4344df6b10cdc5b179?s=48 localyouser
0
260
E53046bb9794560f541fcf2cf0b9d526?s=48 sayokomiura
0
100
028088964f255d677d471558da865b72?s=48 satoshin
1
150
77a4428a7b54e23e74ff81849563c458?s=48 sshota0809
1
200
A64ac825509279a770c13c6fc517f11a?s=48 kawaguti
6
870
657ac87f75c375156e5f79cdadebed4d?s=48 yasuoyasuo
0
110
03e869e0b971213c12889635e29e0aae?s=48 443n0511
0
120
Eec11c7d221770d15a4b16104f3cf07e?s=48 eagletmt
0
130
8fa31051503b09846584c49cd53d2f80?s=48 asei
3
1k
7e6a435700dda6cdb22105d601f20892?s=48 picardparis
4
2.7k
D069523c85d56ebf004c9695bca578c0?s=48 kenichimunezawa
0
230
6f8838b2708a87ccf1015030f16880ef?s=48 godel
1
120

Featured

See All Featured
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
442
29k
168ccec72eee0530b818d44f3fedaacf?s=48 shlominoach
176
7.8k
0fe2973fa8d27d96547e43322341183a?s=48 swwweet
207
7k
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
12
1.9k
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
73
1.6k
F57e2136eb9895eb95ff5dc8a1c02677?s=48 zakiwarfel
88
3.5k
E195ae45320d9202eaa01c9f1d31a416?s=48 marktimemedia
10
560
E837d2996f52008ace055a08fbfff992?s=48 frogandcode
129
20k
F383c6a4dc55e331bbe2987b622cee6b?s=48 stephaniewalter
262
11k
B47b288784fda77a94aeb234ca743c24?s=48 keavy
108
15k
9952dfcd5d338f8a8e7175c8a8f65fb5?s=48 wjessup
341
16k
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
495
110k

Transcript

  1. Firesheep: Intentions, Responses, and What's Next Eric Butler Ian Gallagher

    December 2010 iSEC Open Security Forum

  2. What is Firesheep?

  3. None

  4. HTTP Session Hijacking Tool

  5. (put video here)

  6. Why write Firesheep?

  7. Problem known and ignored by companies for years

  8. HTTPS (ok, SSL) invented in 1994 for this reason.

  9. Firesheep: Released in October at ToorCon San Diego

  10. Posted to HackerNews, picked up by TechCrunch

  11. None

  12. (hours later)

  13. None
  14. None

  15. "Firesheep Highlights Web Privacy Problem" - Wall Street Journal "Digits"

    Blog "The Message of Firesheep: "Baaaad Websites, Implement Sitewide HTTPS Now!"" - EFF Deeplinks BLog "Firesheep Exposes Need For Encryption" - InformationWeek

  16. For a moment, hundreds of thousands of people were thinking

    about security!

  17. but... there's been plenty of misinformation too.

  18. "Using Wi-Fi? Firesheep may endanger your security" - CNN.com "Firesheep:

    Why You May Never Want to Use an Open Wi-Fi Network Again" - forbes.com

  19. Insecure WiFi: Not the problem

  20. Not only facebook!

  21. None
  22. None

  23. "New Firefox Add-On Detects Firesheep, Protects You on Open Networks"

    - Mashable

  24. "New Firefox Add-On Detects Firesheep, Protects You on Open Networks"

    - Mashable

  25. Anti-virus starts targeting Firesheep

  26. Fallout

  27. amazon • bitly • enom • flickr • gowalla live

    • toorcon • cisco • evernote foursquare • hackernews • nytimes tumblr • yahoo • basecamp • cnet facebook • google • harvest • pivotal twitter • yelp • dropbox • github slicehost

  28. amazon • bitly • enom • flickr • gowalla live

    • toorcon • cisco • evernote foursquare • hackernews • nytimes tumblr • yahoo • basecamp • cnet facebook • google • harvest • pivotal twitter • yelp • dropbox • github slicehost

  29. Access campaign

  30. How to correctly fix problem?

  31. None

  32. Best: Site-wide HTTPS Secure cookies HSTS (Strict-Transport-Security) No mixed-content SSL

    Session resumption Design with security from the start EFF and OWASP have great guides on how to properly deploy HTTPS

  33. Good: HTTPS for sensitive pages Secure cookies required for those

    pages No mixed content on secure pages ..still susceptible to determined active attackers (MiTM, SSLStrip)

  34. 919,997 downloads to date

  35. What's next?

  36. Linux support, 802.11 monitor mode

  37. Still a huge problem...

  38. Keep demanding SSL!