Simple & thorough explanation of the concept behind Firesheep & HTTPS enhanced with pictures. Discussing: -The core problem with HTTP -What HTTPS offers instead -The real solution -Why not everyone embracing that solution -Example to well known website that embraced HTTPS "Gmail by Google"

1. Firesheep & HTTPS Only 90% of internet websites are unsecure! Presenter/ Mahmoud Tantawy

2. WHOIS?! Mahmoud Tantawy Ain Shams University, Faculty of Engineering Junior Student @ Communication Systems Dept. Currently: DEVIGN Workshop Moderator

3. What makes the internet

4. What makes the internet Internet is about global interconnected computer networks It has Servers & Clients Clients request a service/content from the Servers Servers are special computers powerful enough to serve the Clients

5. Protocols Servers & Clients need some rules to control how they deal with each other, a “Protocol” Protocol in general is; a set of rules governing communications between two parties HTTP: Hyper-Text Transfer Protocol, is the most widely used Protocolover the internet, between Servers & Clients

7. Protocols

8. HTTP HTTP HTTP Client Server

9. HTTP Header Servers & Clientscommunicate using HTTP Requests & Responses Each HTTP Request & Response has a “Header” HTTPHeader carries data similar to what you would write on a letter’s envelope

10. HTTP Header

11. HTTP Header HTTP Header also carry sufficient information about you & yourbrowser, so that the Server can do its job Here lies the Problem, these information about you are sent as PlainText If anyone can Sniff these information, he can deceive the Server and makes it think the “he” is “you”!!

12. HTTP Header

13. Sniffing If you are using unsecured Wi-Fi, all your data sent between your PC & Router are available to anyone to read!! So if any attacker could Sniff these data, he’ll be able to read the HTTP requests & responses Thus, he can deceive the Server to identify “him” as “you”

14. Sniffing HTTP Client Server

15. Sniffing So if the attacker can read the ID that is uniquely given to each Client He can fake an HTTP request & manually put your ID & request pages from the Server The Server will identify “him” as “you” without the need to re-sign in, because the requests carry your unique ID

16. Firesheep

17. Firesheep Firesheep is a Mozilla Firefox’s Add-on It enables anyone to Sniff HTTP Headers on unsecured Wi-Fi& makes one able to access websites using others’ identities It was downloaded more than 400,000 times in 5 days Google got 1million searches about it in 10 days

18. Google Trends For “Firesheep”

19. Google Trends For “Firesheep”

20. How to defend oneself Once the add-on was released by “Eric Butler”, many wrote that the solution is avoidingunsecured Wi-Fi But Eric responded by making the reason behind releasing such add-on clear Which is ringingthebell about that issue with HTTP, and letting users know that the websites are NOTprotecting them enough

21. "Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheepwill help the users win!" Eric Butler

22. Live Demo! Firesheep in Action

23. The Real Solution! The core problem is that HTTP exchanges requests & responses in plain text So, the solution is to encrypt these requests & responses, as simple as that! By using HTTPS, a much more secured version of the famous Protocol Now all exchanged data will be secured from eavesdropping & Sniffers

24. HTTPS

25. HTTPS HTTPS Client Server

26. What’s stopping HTTPS The question in your head now is; Why haven’t the websites protected their users by utilizing HTTPS & making it default? 2 main problems: Encryption adds an intermediate step, which adds time & more processing power needed To use HTTPS websites’ owners must purchase certificates to be marked globally as secure

27. What’s stopping HTTPS These all add costs to services that are provided for free to users So it is more of a trade-off between security & cost It is worth mentioning that Google started using HTTPS with many of its products, specially Gmail

28. Why not everyone using HTTPS?

29. Why not everyone using HTTPS?

31. Thank you, I Hope you enjoyed the session! twitter.com/mtantawy www.mtantawy.com