Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Firesheep: Intentions, Responses, and What's Next
Search
Eric Butler
December 09, 2010
Technology
0
1k
Firesheep: Intentions, Responses, and What's Next
Presented at the Seattle iSEC Open Security Forum, December 2010
Eric Butler
December 09, 2010
Tweet
Share
More Decks by Eric Butler
See All by Eric Butler
Fun with Native Code
codebutler
0
480
The Secret Life of SIM Cards
codebutler
9
190k
Other Decks in Technology
See All in Technology
登壇ネタの見つけ方 / How to find talk topics
pinkumohikan
3
320
プロダクトエンジニアリング組織への歩み、その現在地 / Our journey to becoming a product engineering organization
hiro_torii
0
110
Prox Industries株式会社 会社紹介資料
proxindustries
0
210
Amazon ECS & AWS Fargate 運用アーキテクチャ2025 / Amazon ECS and AWS Fargate Ops Architecture 2025
iselegant
16
4.7k
新卒3年目の後悔〜機械学習モデルジョブの運用を頑張った話〜
kameitomohiro
0
390
Definition of Done
kawaguti
PRO
6
460
CSS、JSをHTMLテンプレートにまとめるフロントエンド戦略
d120145
0
230
低レイヤを知りたいPHPerのためのCコンパイラ作成入門 完全版 / Building a C Compiler for PHPers Who Want to Dive into Low-Level Programming - Expanded
tomzoh
1
100
キャディでのApache Iceberg, Trino採用事例 -Apache Iceberg and Trino Usecase in CADDi--
caddi_eng
0
170
データプラットフォーム技術におけるメダリオンアーキテクチャという考え方/DataPlatformWithMedallionArchitecture
smdmts
5
570
Oracle Audit Vault and Database Firewall 20 概要
oracle4engineer
PRO
3
1.6k
強化されたAmazon Location Serviceによる新機能と開発者体験
dayjournal
2
160
Featured
See All Featured
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.5k
Music & Morning Musume
bryan
46
6.6k
Speed Design
sergeychernyshev
31
1k
Statistics for Hackers
jakevdp
799
220k
The MySQL Ecosystem @ GitHub 2015
samlambert
251
13k
Java REST API Framework Comparison - PWX 2021
mraible
31
8.6k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
32
2.3k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
124
52k
How to train your dragon (web standard)
notwaldorf
92
6.1k
A better future with KSS
kneath
239
17k
Measuring & Analyzing Core Web Vitals
bluesmoon
7
490
Bootstrapping a Software Product
garrettdimon
PRO
307
110k
Transcript
Firesheep: Intentions, Responses, and What's Next Eric Butler Ian Gallagher
December 2010 iSEC Open Security Forum
What is Firesheep?
None
HTTP Session Hijacking Tool
(put video here)
Why write Firesheep?
Problem known and ignored by companies for years
HTTPS (ok, SSL) invented in 1994 for this reason.
Firesheep: Released in October at ToorCon San Diego
Posted to HackerNews, picked up by TechCrunch
None
(hours later)
None
None
"Firesheep Highlights Web Privacy Problem" - Wall Street Journal "Digits"
Blog "The Message of Firesheep: "Baaaad Websites, Implement Sitewide HTTPS Now!"" - EFF Deeplinks BLog "Firesheep Exposes Need For Encryption" - InformationWeek
For a moment, hundreds of thousands of people were thinking
about security!
but... there's been plenty of misinformation too.
"Using Wi-Fi? Firesheep may endanger your security" - CNN.com "Firesheep:
Why You May Never Want to Use an Open Wi-Fi Network Again" - forbes.com
Insecure WiFi: Not the problem
Not only facebook!
None
None
"New Firefox Add-On Detects Firesheep, Protects You on Open Networks"
- Mashable
"New Firefox Add-On Detects Firesheep, Protects You on Open Networks"
- Mashable
Anti-virus starts targeting Firesheep
Fallout
amazon • bitly • enom • flickr • gowalla live
• toorcon • cisco • evernote foursquare • hackernews • nytimes tumblr • yahoo • basecamp • cnet facebook • google • harvest • pivotal twitter • yelp • dropbox • github slicehost
amazon • bitly • enom • flickr • gowalla live
• toorcon • cisco • evernote foursquare • hackernews • nytimes tumblr • yahoo • basecamp • cnet facebook • google • harvest • pivotal twitter • yelp • dropbox • github slicehost
Access campaign
How to correctly fix problem?
None
Best: Site-wide HTTPS Secure cookies HSTS (Strict-Transport-Security) No mixed-content SSL
Session resumption Design with security from the start EFF and OWASP have great guides on how to properly deploy HTTPS
Good: HTTPS for sensitive pages Secure cookies required for those
pages No mixed content on secure pages ..still susceptible to determined active attackers (MiTM, SSLStrip)
919,997 downloads to date
What's next?
Linux support, 802.11 monitor mode
Still a huge problem...
Keep demanding SSL!