Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Firesheep: Intentions, Responses, and What's Next

Avatar for Eric Butler Eric Butler
December 09, 2010
Technology
0
1.1k

Firesheep: Intentions, Responses, and What's Next

Presented at the Seattle iSEC Open Security Forum, December 2010

Avatar for Eric Butler

Eric Butler

December 09, 2010
Tweet

More Decks by Eric Butler

See All by Eric Butler
Fun with Native Code
Avatar for Eric Butler codebutler
0
490
The Secret Life of SIM Cards
Avatar for Eric Butler codebutler
9
190k

Other Decks in Technology

See All in Technology
S3アクセス制御の設計ポイント
Avatar for tommy tommy0124
2
190
研究開発と製品開発、両利きのロボティクス
Avatar for Yutaka Kondo youtalk
1
510
フルカイテン株式会社 エンジニア向け採用資料
Avatar for FULL KAITEN fullkaiten
0
8.7k
共有と分離 - Compose Multiplatform "本番導入" の設計指針
Avatar for Ryo WATANABE error96num
1
360
ChatGPTとPlantUML/Mermaidによるソフトウェア設計
Avatar for gowhich501 gowhich501
1
130
クラウドセキュリティを支える技術と運用の最前線 / Cutting-edge Technologies and Operations Supporting Cloud Security
Avatar for Yuji Oshima yuj1osm
2
320
これでもう迷わない!Jetpack Composeの書き方実践ガイド
Avatar for ZOZO Developers zozotech
PRO
0
300
おやつは300円まで!の最適化を模索してみた
Avatar for PERSOL CAREER Dev | techtekt techtekt
PRO
0
290
ZOZOマッチのアーキテクチャと技術構成
Avatar for ZOZO Developers zozotech
PRO
3
1.5k
250905 大吉祥寺.pm 2025 前夜祭 「プログラミングに出会って20年、『今』が1番楽しい」
Avatar for Masaya Kudo msykd
PRO
1
680
allow_retry と Arel.sql / allow_retry and Arel.sql
Avatar for Shintani Teppei euglena1215
1
160
実践!カスタムインストラクション&スラッシュコマンド
Avatar for puku0x puku0x
0
340

Featured

See All Featured
A Tale of Four Properties
Avatar for Chris Coyier chriscoyier
160
23k
Rails Girls Zürich Keynote
Avatar for Gregor Martynus gr2m
95
14k
Music & Morning Musume
Avatar for Bryan Veloso bryan
46
6.8k
Speed Design
Avatar for Sergey Chernyshev sergeychernyshev
32
1.1k
Embracing the Ebb and Flow
Avatar for Simon Collison colly
87
4.8k
The Web Performance Landscape in 2024 [PerfNow 2024]
Avatar for Tammy Everts tammyeverts
9
810
Practical Orchestrator
Avatar for Shlomi Noach shlominoach
190
11k
Java REST API Framework Comparison - PWX 2021
Avatar for Matt Raible mraible
33
8.8k
The Language of Interfaces
Avatar for Des Traynor destraynor
161
25k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
Avatar for Aki / @LoveIdahoBurger aki_iinuma
126
53k
Keith and Marios Guide to Fast Websites
Avatar for Keith Pitt keithpitt
411
22k
GitHub's CSS Performance
Avatar for Jon Rohan jonrohan
1032
460k

Transcript

  1. Firesheep: Intentions, Responses, and What's Next Eric Butler Ian Gallagher

    December 2010 iSEC Open Security Forum

  2. What is Firesheep?

  3. None

  4. HTTP Session Hijacking Tool

  5. (put video here)

  6. Why write Firesheep?

  7. Problem known and ignored by companies for years

  8. HTTPS (ok, SSL) invented in 1994 for this reason.

  9. Firesheep: Released in October at ToorCon San Diego

  10. Posted to HackerNews, picked up by TechCrunch

  11. None

  12. (hours later)

  13. None
  14. None

  15. "Firesheep Highlights Web Privacy Problem" - Wall Street Journal "Digits"

    Blog "The Message of Firesheep: "Baaaad Websites, Implement Sitewide HTTPS Now!"" - EFF Deeplinks BLog "Firesheep Exposes Need For Encryption" - InformationWeek

  16. For a moment, hundreds of thousands of people were thinking

    about security!

  17. but... there's been plenty of misinformation too.

  18. "Using Wi-Fi? Firesheep may endanger your security" - CNN.com "Firesheep:

    Why You May Never Want to Use an Open Wi-Fi Network Again" - forbes.com

  19. Insecure WiFi: Not the problem

  20. Not only facebook!

  21. None
  22. None

  23. "New Firefox Add-On Detects Firesheep, Protects You on Open Networks"

    - Mashable

  24. "New Firefox Add-On Detects Firesheep, Protects You on Open Networks"

    - Mashable

  25. Anti-virus starts targeting Firesheep

  26. Fallout

  27. amazon • bitly • enom • flickr • gowalla live

    • toorcon • cisco • evernote foursquare • hackernews • nytimes tumblr • yahoo • basecamp • cnet facebook • google • harvest • pivotal twitter • yelp • dropbox • github slicehost

  28. amazon • bitly • enom • flickr • gowalla live

    • toorcon • cisco • evernote foursquare • hackernews • nytimes tumblr • yahoo • basecamp • cnet facebook • google • harvest • pivotal twitter • yelp • dropbox • github slicehost

  29. Access campaign

  30. How to correctly fix problem?

  31. None

  32. Best: Site-wide HTTPS Secure cookies HSTS (Strict-Transport-Security) No mixed-content SSL

    Session resumption Design with security from the start EFF and OWASP have great guides on how to properly deploy HTTPS

  33. Good: HTTPS for sensitive pages Secure cookies required for those

    pages No mixed content on secure pages ..still susceptible to determined active attackers (MiTM, SSLStrip)

  34. 919,997 downloads to date

  35. What's next?

  36. Linux support, 802.11 monitor mode

  37. Still a huge problem...

  38. Keep demanding SSL!