
Firesheep & HTTPS, Explained!


Published on

A simple and thorough explanation of the concepts behind Firesheep and HTTPS, enhanced with pictures.
- The core problem with HTTP
- What HTTPS offers instead
- The real solution
- Why not everyone is embracing that solution
- Example of a well-known website that embraced HTTPS: "Gmail by Google"

Published in: Technology

Firesheep & HTTPS, Explained!

  1. Firesheep & HTTPS
     Only 90% of internet websites are insecure!
     Presenter: Mahmoud Tantawy
  2. WHOIS?!
     Mahmoud Tantawy
     Ain Shams University, Faculty of Engineering
     Junior Student @ Communication Systems Dept.
     Currently: DEVIGN Workshop Moderator
  3. What makes the internet
  4. What makes the internet
     The internet is a set of globally interconnected computer networks
     It has Servers & Clients
     Clients request a service or content from the Servers
     Servers are special computers powerful enough to serve the Clients
  5. Protocols
     Servers & Clients need some rules that control how they deal with each other: a “Protocol”
     A Protocol in general is a set of rules governing communication between two parties
     HTTP, the Hyper-Text Transfer Protocol, is the most widely used Protocol over the internet between Servers & Clients
  6. Protocols
  7. HTTP
     [diagram: Client ↔ Server, labelled HTTP]
  8. HTTP Header
     Servers & Clients communicate using HTTP Requests & Responses
     Each HTTP Request & Response has a “Header”
     The HTTP Header carries data similar to what you would write on a letter’s envelope
  9. HTTP Header
  10. HTTP Header
     The HTTP Header also carries enough information about you & your browser for the Server to do its job
     Here lies the problem: this information about you is sent as plain text
     If anyone can sniff this information, he can deceive the Server into thinking that “he” is “you”!!
  11. HTTP Header
  12. Sniffing
     If you are using unsecured Wi-Fi, all the data sent between your PC & the Router is available for anyone to read!!
     So if an attacker can sniff this data, he will be able to read the HTTP requests & responses
     Thus, he can deceive the Server into identifying “him” as “you”
  13. Sniffing
     [diagram: Client ↔ Server, labelled HTTP]
  14. Sniffing
     So if the attacker can read the ID that is uniquely given to each Client
     He can fake an HTTP request, manually put your ID in it & request pages from the Server
     The Server will identify “him” as “you” without the need to sign in again, because the requests carry your unique ID
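As an added, constructed example (not part of the slides): a small parser for a plaintext HTTP/1.1 request and a toy server-side session table, showing why the identifier carried in the Cookie header is the whole credential. The request bytes, header values, session id and account name are all made up for the demo; the server behaviour shown (looking the session id up in a table and accepting whoever presents it) is how cookie-based sessions work in general, which is exactly what slide 14 describes.

```python
"""
Constructed example: every byte of a plain-HTTP request, including the
Cookie header, is readable to anyone on the path, and the server's only
notion of "who you are" is the session id inside that header.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: Dict[str, str] = field(default_factory=dict)  # names lower-cased


def parse_request(raw: bytes) -> HttpRequest:
    """Parse the request line and headers of a raw HTTP/1.1 request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    req = HttpRequest(method, target, version)
    for line in lines[1:]:
        name, _, value = line.partition(":")
        req.headers[name.strip().lower()] = value.strip()
    return req


def parse_cookies(cookie_header: str) -> Dict[str, str]:
    """Split 'sid=abc; theme=dark' into {'sid': 'abc', 'theme': 'dark'}."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


# Constructed session table: the server maps a session id to an account and
# nothing else. It never sees the person, only the id.
SESSIONS = {"7f3a9c21": "alice@example.com"}


def identify_client(raw_request: bytes) -> Optional[str]:
    """Return the account the server would attribute this request to."""
    req = parse_request(raw_request)
    cookies = parse_cookies(req.headers.get("cookie", ""))
    return SESSIONS.get(cookies.get("sid"))


# Constructed request as Alice's browser sends it over plain HTTP.
ALICE_REQUEST = (
    b"GET /inbox HTTP/1.1\r\n"
    b"Host: mail.example.com\r\n"
    b"User-Agent: ExampleBrowser/1.0\r\n"
    b"Cookie: sid=7f3a9c21; theme=dark\r\n"
    b"\r\n"
)

# Constructed second request from a different machine that carries only the
# same Cookie header. To the session table it is indistinguishable from
# Alice's own, which is why the id must never travel in the clear.
REPLAYED_REQUEST = (
    b"GET /inbox HTTP/1.1\r\n"
    b"Host: mail.example.com\r\n"
    b"User-Agent: SomethingElse/2.0\r\n"
    b"Cookie: sid=7f3a9c21\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("original :", identify_client(ALICE_REQUEST))     # alice@example.com
    print("replayed :", identify_client(REPLAYED_REQUEST))  # alice@example.com
```

The server has no second factor to consult here: no password, no device identity, just the id in the envelope. That is the property the rest of the slides build on, and it is why the fix has to be applied to the transport rather than to the session logic.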
  15. Firesheep
  16. Firesheep
     Firesheep is a Mozilla Firefox Add-on
     It enables anyone to sniff HTTP Headers on unsecured Wi-Fi & access websites using others’ identities
     It was downloaded more than 400,000 times in 5 days
     Google got 1 million searches about it in 10 days
  17. Google Trends For “Firesheep”
  18. Google Trends For “Firesheep”
  19. How to defend oneself
     Once the add-on was released by “Eric Butler”, many wrote that the solution is avoiding unsecured Wi-Fi
     But Eric responded by making the reason behind releasing such an add-on clear
     Which is ringing the bell about that issue with HTTP, and letting users know that the websites are NOT protecting them enough
  20. "Websites have a responsibility to protect the people who depend on their services.
     They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web.
     My hope is that Firesheep will help the users win!" Eric Butler
  21. Live Demo!
     Firesheep in Action
  22. The Real Solution!
     The core problem is that HTTP exchanges requests & responses in plain text
     So the solution is to encrypt these requests & responses, as simple as that!
     By using HTTPS, a much more secure version of the famous Protocol
     Now all exchanged data will be secured from eavesdropping & sniffers
  23. HTTPS
  24. HTTPS
     [diagram: Client ↔ Server, labelled HTTPS]
  25. What’s stopping HTTPS
     The question in your head now is: why haven’t the websites protected their users by utilizing HTTPS & making it the default?
     2 main problems:
     Encryption adds an intermediate step, which adds time & needs more processing power
     To use HTTPS, websites’ owners must purchase certificates to be marked globally as secure
  26. What’s stopping HTTPS
     These all add costs to services that are provided to users for free
     So it is more of a trade-off between security & cost
     It is worth mentioning that Google started using HTTPS with many of its products, especially Gmail
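The fix in slides 22 to 26 is to move the whole exchange to HTTPS. As an added example (constructed here, not part of the presentation), the audit below checks a server's response for the two settings that keep a session cookie off plain HTTP even after that switch: the cookie's Secure attribute, which stops the browser from sending it on any http:// request, and the Strict-Transport-Security header, which makes the browser use HTTPS for the host on later visits. The slides mention neither; both are standard browser behaviour. The HttpOnly check is included as a related, commonly recommended attribute. The two responses, the cookie values and the list of session cookie names are all constructed for the demo.

```python
"""
Constructed example: audit an HTTP response for the settings that make the
HTTPS switch actually protect the session identifier.
"""
from typing import List, Set, Tuple


def parse_response(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (status line, [(name, value), ...]) for a raw HTTP response.
    Header names are lower-cased; repeated headers such as several
    Set-Cookie lines are all kept, in order."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def cookie_attributes(set_cookie: str) -> Tuple[str, Set[str]]:
    """'sid=abc; Path=/; Secure' -> ('sid', {'path', 'secure'})."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


# Constructed list of cookie names treated as session identifiers.
SESSION_COOKIE_NAMES = {"sid", "sessionid", "phpsessid", "jsessionid"}


def audit_response(raw: bytes) -> List[str]:
    """Return findings about session protection. An empty list means a
    compliant browser never sends the session cookie over plaintext HTTP."""
    _status, headers = parse_response(raw)
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cname, attrs = cookie_attributes(value)
        if cname.lower() not in SESSION_COOKIE_NAMES:
            continue  # preference cookies such as a theme carry no identity
        if "secure" not in attrs:
            findings.append(f"{cname}: missing Secure, the browser will also send it over http://")
        if "httponly" not in attrs:
            findings.append(f"{cname}: missing HttpOnly, page scripts can read it")
    if not any(name == "strict-transport-security" for name, _ in headers):
        findings.append("missing Strict-Transport-Security, a later http:// visit is still sent in plaintext")
    return findings


# Constructed response from a site that moved to HTTPS but kept its old cookie
# settings: the session id still travels in the clear whenever the browser
# makes any http:// request to the same host.
WEAK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: sid=7f3a9c21; Path=/\r\n"
    b"Set-Cookie: theme=dark; Path=/\r\n"
    b"\r\n"
    b"<html>...</html>"
)

# Constructed hardened response: same content, session cookie restricted to
# HTTPS and kept away from scripts, and the browser told to use HTTPS for
# this host from now on.
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Set-Cookie: sid=7f3a9c21; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    b"Set-Cookie: theme=dark; Path=/\r\n"
    b"\r\n"
    b"<html>...</html>"
)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or ["ok"])
```

The audit is deliberately narrow: it only asks whether the identifier the slides worry about can still end up on the wire in the clear. Certificate cost and CPU overhead, the trade-offs slide 25 lists, are unaffected by these two headers; they change what the browser does once HTTPS is already available.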
  27. Why isn't everyone using HTTPS?
  28. Why isn't everyone using HTTPS?
  29. Thank you, I hope you enjoyed the session!