Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Firesheep: Intentions, Responses, and What's Next
Search
Eric Butler
December 09, 2010
Technology
1.1k
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Firesheep: Intentions, Responses, and What's Next
Presented at the Seattle iSEC Open Security Forum, December 2010
Eric Butler
December 09, 2010
More Decks by Eric Butler
See All by Eric Butler
Fun with Native Code
codebutler
0
530
The Secret Life of SIM Cards
codebutler
9
190k
Other Decks in Technology
See All in Technology
Microsoft のサポートとフィードバック総まとめ
murachiakira
PRO
0
110
現場のトークンマネジメント
dak2
1
190
MUSUBI 田中裕一『AIと共に行う「しごとのリデザイン」- スモールバックオフィス編』AI Ops Lab #4
musubi
0
320
自分が詳しくない領域でAIを使う #プロヒス2026
konifar
20
7.5k
Zenoh on Zephyr on LiteX
takasehideki
2
110
Oracle Cloud Infrastructure:2026年6月度サービス・アップデート
oracle4engineer
PRO
0
330
LayerX コーポレートエンジニアリング室におけるサプライチェーンセキュリティへの取り組み / Supply Chain Security at LayerX Corporate Engineering
yuyatakeyama
3
840
BPaaSで進むAIオペレーションの現在地 AI実装が効く領域とスケーラビリティの選定と実装
kentarofujii
0
200
スタートアップにAmazon EKSは早すぎる? マルチプロダクト戦略を加速する Platform Engineeringの実践 / Is Amazon EKS Too Soon for Startups? Practical Platform Engineering to Accelerate a Multi-Product Strategy
elmodev09
1
1.8k
週末にループ・エンジニアリングの理解を深めるためのスライド
nagatsu
0
330
いまさら聞けない「仕様駆動開発入門」 〜AI活用時代の開発プロセスを考える〜
findy_eventslides
2
210
不要なレビューをAIにまかせて AIコーディングの環境改善を加速した
shoota
1
270
Featured
See All Featured
Learning to Love Humans: Emotional Interface Design
aarron
275
41k
Writing Fast Ruby
sferik
630
63k
Collaborative Software Design: How to facilitate domain modelling decisions
baasie
1
250
SEO in 2025: How to Prepare for the Future of Search
ipullrank
3
3.5k
The Curse of the Amulet
leimatthew05
2
13k
The AI Revolution Will Not Be Monopolized: How open-source beats economies of scale, even for LLMs
inesmontani
PRO
3
3.5k
Winning Ecommerce Organic Search in an AI Era - #searchnstuff2025
aleyda
1
2.1k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
21
1.5k
B2B Lead Gen: Tactics, Traps & Triumph
marketingsoph
0
160
Believing is Seeing
oripsolob
1
150
Thoughts on Productivity
jonyablonski
76
5.2k
A Modern Web Designer's Workflow
chriscoyier
698
190k
Transcript
Firesheep: Intentions, Responses, and What's Next Eric Butler Ian Gallagher
December 2010 iSEC Open Security Forum
What is Firesheep?
None
HTTP Session Hijacking Tool
(put video here)
Why write Firesheep?
Problem known and ignored by companies for years
HTTPS (ok, SSL) invented in 1994 for this reason.
Firesheep: Released in October at ToorCon San Diego
Posted to HackerNews, picked up by TechCrunch
None
(hours later)
None
None
"Firesheep Highlights Web Privacy Problem" - Wall Street Journal "Digits"
Blog "The Message of Firesheep: "Baaaad Websites, Implement Sitewide HTTPS Now!"" - EFF Deeplinks BLog "Firesheep Exposes Need For Encryption" - InformationWeek
For a moment, hundreds of thousands of people were thinking
about security!
but... there's been plenty of misinformation too.
"Using Wi-Fi? Firesheep may endanger your security" - CNN.com "Firesheep:
Why You May Never Want to Use an Open Wi-Fi Network Again" - forbes.com
Insecure WiFi: Not the problem
Not only facebook!
None
None
"New Firefox Add-On Detects Firesheep, Protects You on Open Networks"
- Mashable
"New Firefox Add-On Detects Firesheep, Protects You on Open Networks"
- Mashable
Anti-virus starts targeting Firesheep
Fallout
amazon • bitly • enom • flickr • gowalla live
• toorcon • cisco • evernote foursquare • hackernews • nytimes tumblr • yahoo • basecamp • cnet facebook • google • harvest • pivotal twitter • yelp • dropbox • github slicehost
amazon • bitly • enom • flickr • gowalla live
• toorcon • cisco • evernote foursquare • hackernews • nytimes tumblr • yahoo • basecamp • cnet facebook • google • harvest • pivotal twitter • yelp • dropbox • github slicehost
Access campaign
How to correctly fix problem?
None
Best: Site-wide HTTPS Secure cookies HSTS (Strict-Transport-Security) No mixed-content SSL
Session resumption Design with security from the start EFF and OWASP have great guides on how to properly deploy HTTPS
Good: HTTPS for sensitive pages Secure cookies required for those
pages No mixed content on secure pages ..still susceptible to determined active attackers (MiTM, SSLStrip)
919,997 downloads to date
What's next?
Linux support, 802.11 monitor mode
Still a huge problem...
Keep demanding SSL!