Protecting Against Firesheep with Strict Transport Security

Monday, December 27, 2010

Bozidar Spirovski


Article by Michael Coates

Strict Transport Security (STS, now usually called HSTS) is a good defence against Firesheep. Once a browser holds an STS policy for a site, it rewrites every http:// request to that site to https:// before the request leaves the machine, so the session cookie that Firesheep sniffs from the wireless network never crosses it in the clear.

Ultimately the vulnerable website is supposed to fix this on its side (by serving the site over HTTPS, sending the Strict-Transport-Security header and marking its session cookies Secure). But let's not wait around for them. Let's fix it on our side and protect our traffic now.

Step 1: Get a browser that supports Strict Transport Security (Firefox 4 and Google Chrome both support STS).

Step 2: Install an add-on that lets you add STS entries for specific sites yourself; STS-UI does this.

Step 3: Configure STS-UI for the sites you're concerned about.

Step 4: Be happy that your data is better protected. Securely transmitting data is only one piece of the security pie, but at least that piece is now covered.

Configuring STS-UI

Go to Tools -> Manage Strict Transport Security.


Enter the domain name of each site you wish to protect (i.e. force Strict Transport Security upon the site). For example, enter "Facebook.com" and select "Force subdomains too" so that hosts such as www.facebook.com and m.facebook.com are covered as well, not just the bare domain.

After adding Facebook.com and twitter.com, both entries should appear in the list.

Done. From now on the browser will use HTTPS for everything it exchanges with Twitter or Facebook. One caveat: forcing STS on a site only works if the site actually serves all of its pages over HTTPS. A site that offers HTTPS for its login page only will simply break once you force it.

Remember, this only protects you on sites that either already use STS or that you have added manually. It is not a scalable approach: some other site, say xyz.com, could be just as vulnerable and you wouldn't know unless you inspected the traffic going back and forth.
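To make the mechanism behind the four steps and the STS-UI entries concrete, here is a small model of a browser's STS policy store. It is an added example written for this post, not code from the STS-UI add-on or from any browser: it shows how a site's Strict-Transport-Security header (or a manual entry with "Force subdomains too") populates the store, how an http:// request to a covered host is rewritten to https:// before it is sent, and why that keeps a non-Secure session cookie away from Firesheep while leaving an unlisted site such as xyz.com exactly as exposed as before. The hosts, cookie names and header values are constructed for the example.

```javascript
// Added example: a minimal model of a browser's HSTS policy store (RFC 6797),
// illustrating the STS-UI post above. Hypothetical code, not the add-on itself.

class HstsStore {
  // `now` is injectable so that policy expiry can be exercised deterministically.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.entries = new Map(); // host -> { expires (ms), includeSubDomains }
  }

  // Process a Strict-Transport-Security response header. A browser only honours
  // the header when it arrived over HTTPS; max-age is mandatory and max-age=0
  // removes the policy. Returns true when the store was changed.
  processHeader(host, headerValue, viaHttps) {
    if (!viaHttps) return false;
    let maxAge = null, includeSubDomains = false;
    for (const raw of headerValue.split(';')) {
      const [k, v] = raw.trim().split('=').map(s => s && s.trim());
      if (!k) continue;
      const key = k.toLowerCase();
      if (key === 'max-age' && /^\d+$/.test(v || '')) maxAge = parseInt(v, 10);
      else if (key === 'includesubdomains') includeSubDomains = true;
    }
    if (maxAge === null) return false;
    const h = host.toLowerCase();
    if (maxAge === 0) { this.entries.delete(h); return true; }
    this.entries.set(h, { expires: this.now() + maxAge * 1000, includeSubDomains });
    return true;
  }

  // Manual entry, the equivalent of the STS-UI dialog: force the host, and
  // optionally its subdomains ("Force subdomains too"), with no expiry.
  addManual(host, includeSubDomains) {
    this.entries.set(host.toLowerCase(), { expires: Infinity, includeSubDomains });
  }

  // Is the host covered by a policy? An exact entry always counts; an entry for a
  // parent domain counts only if it was flagged includeSubDomains. Expired
  // entries are dropped on the way.
  isKnown(host) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const e = this.entries.get(candidate);
      if (!e) continue;
      if (e.expires <= this.now()) { this.entries.delete(candidate); continue; }
      if (i === 0 || e.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite an http:// URL to https:// when the host is covered; anything else
  // (including an unlisted site like xyz.com) is returned unchanged.
  upgrade(url) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isKnown(u.hostname)) u.protocol = 'https:';
    return u.toString();
  }
}

// What Firesheep relies on: a cookie without the Secure flag is attached to any
// request for its domain, including plain-http ones. This returns the request as
// the browser would actually send it, after HSTS has had its chance to upgrade it.
function requestAsSent(store, url, cookies) {
  const u = new URL(store.upgrade(url));
  const sent = cookies
    .filter(c => u.hostname === c.domain || u.hostname.endsWith('.' + c.domain))
    .filter(c => !c.secure || u.protocol === 'https:')
    .map(c => c.name);
  return { url: u.toString(), overTls: u.protocol === 'https:', cookies: sent };
}

// Constructed scenario: a session cookie for facebook.com without the Secure
// flag, followed over an http:// link with and without the STS-UI entry.
const sampleCookies = [
  { name: 'sessionid', domain: 'facebook.com', secure: false },
  { name: 'csrf', domain: 'facebook.com', secure: true },
];

function demo() {
  const link = 'http://m.facebook.com/home.php';
  const plain = new HstsStore();
  const forced = new HstsStore();
  forced.addManual('Facebook.com', true); // "Facebook.com" + "Force subdomains too"
  return {
    before: requestAsSent(plain, link, sampleCookies),  // sessionid goes out in the clear
    after: requestAsSent(forced, link, sampleCookies),  // request upgraded, cookies only over TLS
  };
}
```

Two details are worth noticing when running it: the `before` request carries `sessionid` over plain HTTP (that is the packet Firesheep captures), while the `after` request has been rewritten to https:// and so is the only one that also carries the Secure-flagged cookie; and the store ignores a Strict-Transport-Security header received over plain HTTP, which is why a site has to be reachable over HTTPS at least once before the server-side fix can take hold in a fresh browser.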

If you have access to a company VPN or an SSH tunnel for your traffic, I'd recommend also using it whenever you access the network from a wireless hotspot.

A VPN doesn't solve the underlying problem (beyond the VPN endpoint the traffic is still in the clear), but it does put it out of reach of the most likely attackers, e.g. other random users of the same wireless hotspot.

This is a guest post by Michael Coates, a senior application security consultant with extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers world-wide. The original text is published on ...Application Security...

Cross-posted from Short Infosec

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.