Firesheep & HTTPS

•

0 likes•611 views

Simple explanation using pictures of the concept behind Firesheep & HTTPS FOR A MORE EXPLANATORY VERSION: http://slidesha.re/hCMXRt

Technology Design

FIRESHEEP & HTTPS
Only 90% of internet websites are unsecure!
Presenter/ Mahmoud Tantawy

FOR A MORE
EXPLANATORY VERSION
http://www.slideshare.net/mtantawy/
firesheep-https-explained

WHOIS?!
• Mahmoud Tantawy
• Ain Shams University, Faculty of Engineering
• Junior Student @ Communication Systems Dept.
• Currently: DEVIGN Workshop Moderator

"Websites have a responsibility to protect the people who
depend on their services.
They've been ignoring this responsibility for too long, and
it's time for everyone to demand a more secure web.
My hope is that Firesheep will help the users win!"
Eric Butler

THANK YOU,
I HOPE YOU ENJOYED
THE SESSION!
twitter.com/mtantawy
www.mtantawy.com

Similar to Firesheep & HTTPS

When RESTful may be considered harmful

Ross Garrett

Solving HTTP Problems with Code and Protocols

C4Media

WebRTC is going to disrupt the telecom market and leave behind telephony companies that rely on traditional models. Just like the smartphone app revolution, WebRTC is flattening the ecosystem and empowering users to make their own apps--and leaving traditional providers scrambling. But for telephony providers who learn the value of WebRTC and how to deliver it, the future offers new revenue and the opportunity to break away from the competition.

WebRTC: Market Disruption

Julian Adorney

Http_Protocol.pptx

Abshar Fatima

Reasons to choose php for web application development

Mike Taylor

Webinar recording here: https://www.heroku.com/tech-sessions/creating-secure-web-apps Secure internet communication is one of the most important issues facing technology practitioners these days. But for many software development teams, it’s an afterthought. Almost every week there’s a new headline about web security: Google Chrome flagging non-HTTPS sites as insecure, Apple requiring iOS apps’ API communication to use HTTPS, and Google giving search ranking preference to HTTPS. Join Josh Aas, Executive Director of Let's Encrypt, and Chris Castle, Developer Advocate from Heroku, as they take you on a quick tour of what you, as a developer, need to know about HTTPS today plus show you how Let's Encrypt and Heroku are making it easier than ever for all developers to add HTTPS to their web apps.

Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today

Heroku

Honeypots are really useful for collecting security data for research, especially around botnets, scanning hosts, password brute forcers, and other misbehaving systems. They are also the cheapest way collect this data at scale. Deploying many types of honeypots across geo-diverse locations of the Internet improves the aggregate data quality and provides a holistic view. This provides insight into both global trends of attacks and network activity as well as the behaviors of individual malicious systems. For these reasons, we started the Modern Honey Network, which is both an open source (GPLv3) project and a community of hundreds of MHN servers that manage and aggregate data from thousands of heterogeneous honeypots (Dionaea, Kippo, Amun, Conpot, Wordpot, Shockpot, and Glastopf) and network sensors (Snort, Suricata, p0f) deployed by different individuals and organizations as a distributed sensor network. The project has turned into the largest crowdsourced honeynet in the world consisting of thousands of diverse sensors deployed across 35 countries and 5 continents worldwide. Sensors are operated by all sorts of people from hobbyists, to academic researchers, to Fortune 1000 companies. In this talk we will discuss our experience in starting this project, analyzing the data, and building a crowdsourced global sensor network for tracking security threats and gathering interesting data for research. We've found that lots of people like honeypots, especially if you give them a cool realtime visualization of their data and make it easy to setup; lots of organizations will share their data with you if it is part of a community; and lots of companies will deploy honeypots as additional network sensors, especially if you make it easy to deploy/manage/integrate with their existing security tools.

Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...

Jason Trost

Intro

tsans

Web Push notifications

Louis Lagrange

The widespread demand for online privacy, also fueled by widely-publicized demonstrations of session hijacking attacks against popular websites (see Firesheep), has spearheaded the increasing deployment of HTTPS. However, many websites still avoid ubiquitous encryption due to performance or compatibility issues. The prevailing approach in these cases is to force critical functionality and sensitive data access over encrypted connections, while allowing more innocuous functionality to be accessed over HTTP. In practice, this approach is prone to flaws that can expose sensitive information or functionality to third parties. In this work, we conduct an in-depth assessment of a diverse set of major websites and explore what functionality and information is exposed to attackers that have hijacked a user's HTTP cookies. We identify a recurring pattern across websites with partially deployed HTTPS; service personalization inadvertently results in the exposure of private information. The separation of functionality across multiple cookies with different scopes and inter-dependencies further complicates matters, as imprecise access control renders restricted account functionality accessible to non-session cookies. Our cookie hijacking study reveals a number of severe flaws; attackers can obtain the user's home and work address and visited websites from Google, Bing and Baidu expose the user's complete search history, and Yahoo allows attackers to extract the contact list and send emails from the user's account. Furthermore, e-commerce vendors such as Amazon and Ebay expose the user's purchase history (partial and full respectively), and almost every website exposes the user's name and email address. Ad networks like Doubleclick can also reveal pages the user has visited. To fully evaluate the practicality and extent of cookie hijacking, we explore multiple aspects of the online ecosystem, including mobile apps, browser security mechanisms, extensions and search bars. To estimate the extent of the threat, we run IRB-approved measurements on a subset of our university's public wireless network for 30 days, and detect over 282K accounts exposing the cookies required for our hijacking attacks. We also explore how users can protect themselves and find that, while mechanisms such as the EFF's HTTPS Everywhere extension can reduce the attack surface, HTTP cookies are still regularly exposed. The privacy implications of these attacks become even more alarming when considering how they can be used to deanonymize Tor users. Our measurements suggest that a significant portion of Tor users may currently be vulnerable to cookie hijacking. (Source: Black Hat USA 2016, Las Vegas)

HTTP cookie hijacking in the wild: security and privacy implications

Priyanka Aash

BrightonSEO Sep 2015 - HTTPS | Mark Thomas

Anna Morrison

Four years of breaking HTTPS with BGP hijacking

APNIC

This is the presentation from Null/OWASP/g4h December Bangalore MeetUp by Akash Mahajan. technology.inmobi.com/events/null-owasp-g4h-december-meetup Abstract: This will cover the basics of Hyper Text Transfer Protocol. You will learn how to send HTTP requests like GET, POST by crafting them manually and using a command line tool like CURL. You will also see how session management using cookies happens using the same tools. To practice along please install curl (http://curl.haxx.se/download.html).

HTTP Basics Demo

InMobi Technology

HTTP.pptx...............................

Halabja university - Kurdistan -Iraq

Web application protocol (WAP)

OmarJilanijidan2

HTTP & HTTPs

Ahmed Saihood

Maximizing SPDY and SSL Performance (June 2014)

Zoompf

USG Rock Eagle 2017 - PWP at 1000 Days

Eric Sembrat

Tips tricks deliver_high_performing_secure_web_pages

Aditya Singh

Webinar - How and Why Your Library Should Move to HTTPS 2018-07-17

TechSoup

Similar to Firesheep & HTTPS (20)

When RESTful may be considered harmful

Solving HTTP Problems with Code and Protocols

WebRTC: Market Disruption

Http_Protocol.pptx

Reasons to choose php for web application development

Creating Secure Web Apps: What Every Developer Needs to Know About HTTPS Today

Lessons Learned from Building and Running MHN, the World's Largest Crowdsourc...

Intro

Web Push notifications

HTTP cookie hijacking in the wild: security and privacy implications

BrightonSEO Sep 2015 - HTTPS | Mark Thomas

Four years of breaking HTTPS with BGP hijacking

HTTP Basics Demo

HTTP.pptx...............................

Web application protocol (WAP)

HTTP & HTTPs

Maximizing SPDY and SSL Performance (June 2014)

USG Rock Eagle 2017 - PWP at 1000 Days

Tips tricks deliver_high_performing_secure_web_pages

Webinar - How and Why Your Library Should Move to HTTPS 2018-07-17

Recently uploaded

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

Angeliki Cooney has spent over twenty years at the forefront of the life sciences industry, working out of Wynantskill, NY. She is highly regarded for her dedication to advancing the development and accessibility of innovative treatments for chronic diseases, rare disorders, and cancer. Her professional journey has centered on strategic consulting for biopharmaceutical companies, facilitating digital transformation, enhancing omnichannel engagement, and refining strategic commercial practices. Angeliki's innovative contributions include pioneering several software-as-a-service (SaaS) products for the life sciences sector, earning her three patents. As the Senior Vice President of Life Sciences at Avenga, Angeliki orchestrated the firm's strategic entry into the U.S. market. Avenga, a renowned digital engineering and consulting firm, partners with significant entities in the pharmaceutical and biotechnology fields. Her leadership was instrumental in expanding Avenga's client base and establishing its presence in the competitive U.S. market.

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

Angeliki Cooney

Dubai, known for its towering skyscrapers, luxurious lifestyle, and relentless pursuit of innovation, often finds itself in the global spotlight. However, amidst the glitz and glamour, the emirate faces its own set of challenges, including the occasional threat of flooding. In recent years, Dubai has experienced sporadic but significant floods, disrupting normalcy and posing unique challenges to its infrastructure. Among the critical nodes in this bustling metropolis is the Dubai International Airport, a vital hub connecting the world. This article delves into the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Orbitshub

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Zilliz

AXA XL - Insurer Innovation Award Americas 2024

The Digital Insurer

The action of the next cyber saga takes place in the mystical lands of the Asia-Pacific region, where the main characters began their digital activities in the middle of 2021 and qualitatively strengthened it in 2022. Corporate espionage, document theft, audio recordings, and data leaks from messaging platforms were all a matter of one day for Dark Pink. Their geographical focus may have started in the Asia-Pacific region, but their ambitions knew no bounds, targeting a European government ministry in a bold move to expand their portfolio. Their victim profile was as diverse as a UN meeting, targeting military organizations, government agencies, and even a religious organization. Because discrimination is not a fashionable agenda. In the world of cybercrime, they serve as a reminder that sometimes the most serious threats come in the most unassuming packages with a pink bow.

Cyberprint. Dark Pink Apt Group [EN].pdf

Overkill Security

[BuildWithAI] Introduction to Gemini.pdf

Sandro Moreira

ICT role in 21st century education and its challenges

rafiqahmad00786416

MINDCTI Revenue Release Quarter One 2024

MIND CTI

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

MadyBayot

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

Manulife - Insurer Transformation Award 2024

The Digital Insurer

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

CNIC Information System with Pakdata Cf In Pakistan

danishmna97

The microservices honeymoon is over. When starting a new project or revamping a legacy monolith, teams started looking for alternatives to microservices. The Modular Monolith, or 'Modulith', is an architecture that reaps the benefits of (vertical) functional decoupling without the high costs associated with separate deployments. This talk will delve into the advantages and challenges of this progressive architecture, beginning with exploring the concept of a 'module', its internal structure, public API, and inter-module communication patterns. Supported by spring-modulith, the talk provides practical guidance on addressing the main challenges of a Modultith Architecture: finding and guarding module boundaries, data decoupling, and integration module-testing. You should not miss this talk if you are a software architect or tech lead seeking practical, scalable solutions. About the author With two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Victor Rentea

FWD Group - Insurer Innovation Award 2024

The Digital Insurer

Recently uploaded (20)

Why Teams call analytics are critical to your entire business

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Strategies for Landing an Oracle DBA Job as a Fresher

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

AXA XL - Insurer Innovation Award Americas 2024

Cyberprint. Dark Pink Apt Group [EN].pdf

[BuildWithAI] Introduction to Gemini.pdf

ICT role in 21st century education and its challenges

MINDCTI Revenue Release Quarter One 2024

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Manulife - Insurer Transformation Award 2024

How to Troubleshoot Apps for the Modern Connected Worker

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Exploring the Future Potential of AI-Enabled Smartphone Processors

CNIC Information System with Pakdata Cf In Pakistan

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

FWD Group - Insurer Innovation Award 2024

Firesheep & HTTPS

1. FIRESHEEP & HTTPS Only 90% of internet websites are unsecure! Presenter/ Mahmoud Tantawy

2. FOR A MORE EXPLANATORY VERSION http://www.slideshare.net/mtantawy/ firesheep-https-explained

3. WHOIS?! • Mahmoud Tantawy • Ain Shams University, Faculty of Engineering • Junior Student @ Communication Systems Dept. • Currently: DEVIGN Workshop Moderator

4. What makes the internet

5. Protocols

6. HTTP HTTP HTTP Client Server

7. HTTP Header

8. HTTP Header

9. Sniffing Client Server HTTP

10. Firesheep

11. Google Trends For “Firesheep”

12. Google Trends For “Firesheep”

13. "Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win!" Eric Butler

14. HTTPS

15. HTTPS Client Server HTTPS

16. Why not everyone using HTTPS?

17. Why not everyone using HTTPS?

18. THANK YOU, I HOPE YOU ENJOYED THE SESSION! twitter.com/mtantawy www.mtantawy.com

Firesheep & HTTPS

Recommended

Recommended

More Related Content

Similar to Firesheep & HTTPS

Similar to Firesheep & HTTPS (20)

Recently uploaded

Recently uploaded (20)

Firesheep & HTTPS