More Security for Firesheep from Mozilla | HSTS

Firesheep was a buzzword a few months ago; then came BlackSheep to protect users from it.
The Firesheep tutorial I demonstrated in an earlier post shows how an attacker can gain access to any account (Twitter, Facebook, Gmail, etc.) without even knowing the password, using sidejacking.
Now, with the increase in threats from tools like Firesheep, Mozilla has come up with the concept of "HTTP Strict-Transport-Security", which will be employed in version 4 of Firefox and is already available in the beta versions.

What is "HTTP Strict-Transport-Security"?

When we open a login page, the request is by default sent over plain HTTP, so the initial connection is unencrypted. An attacker can mount a MITM (man-in-the-middle) attack and intercept the connection, while the user still believes he or she is connected to the real server. This is where "HTTP Strict-Transport-Security" comes in to protect the user's session: once a site has declared the policy, the browser forces the session strictly over HTTPS, encrypting it from the very first request and thereby also preventing the session cookies from being sniffed.

How to use this feature?

1. A site needs to enable the "Strict-Transport-Security" HTTP header so that the user is sent to the HTTPS login page; Firefox 4 takes care of the rest.

2. If you are using Firefox 3.6, you can use an add-on called "ForceTLS" to get this functionality.

3. This is built into Firefox 4 and its beta, but you can also get additional controls by installing the "STS-UI" add-on.

With this feature added to Firefox 4, the online activities of users on public Wi-Fi hotspots can be secured to some extent... :)
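To make the mechanism concrete, here is an added Python model of what the browser does with the header (written for this page; it is not Mozilla's or Firefox's code): it parses the Strict-Transport-Security value, remembers the host only when the header arrived over HTTPS (a header seen over plain HTTP could have been injected by the very MITM the feature is meant to stop), and rewrites later http:// URLs for that host, and for its subdomains when includeSubDomains is set, to https:// before any plaintext request is sent. The host names and header values used are constructed.

```python
import time
from urllib.parse import urlsplit, urlunsplit
# Toy model of a browser's HSTS handling (constructed for illustration; not Mozilla's code).

def parse_sts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains); None if invalid."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = [s.strip(' "') for s in directive.lower().partition("=")]
        if name == "max-age":
            if not value.isdigit():      # max-age is a non-negative number of seconds
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    """Remembers which hosts asked to be reached only over HTTPS, and until when."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.hosts = {}                  # host -> (expires_at, include_subdomains)

    def observe(self, url, header):
        """Record a policy only if it arrived over HTTPS; over plain HTTP a MITM could have injected it."""
        parts = urlsplit(url)
        policy = parse_sts(header)
        if parts.scheme != "https" or policy is None:
            return False
        max_age, include_sub = policy
        host = parts.hostname.lower()
        self.hosts[host] = (self.clock() + max_age, include_sub)  # max-age=0 expires at once: forget host
        return True

    def is_known(self, host):
        """True if host, or a parent domain with includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > self.clock() and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for known hosts before any request touches the network."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```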

19 comments:

Annie on February 9, 2011 at 8:47 AM said...

Was an enlightening post.

Mike on February 26, 2011 at 7:03 PM said...

Setting the header can be done with PHP for instance with the header command such as: header('Strict-Transport-Security: max-age=500');

I didn't know that, so I went and looked it up.

bill on April 15, 2011 at 4:55 PM said...

Good post, thanks for sharing the information. I really like it and hope there will be some good stuff soon.

rockMaria on April 29, 2011 at 3:37 PM said...

Great post - thank you so much for sharing this very useful information.

Dana on May 29, 2011 at 1:00 PM said...

The HTTPS method is very safe and helps you protect yourself.

Allex Sodi on May 30, 2011 at 12:12 PM said...

My account was hacked. I would love to use this and hope it will provide security for my profile. Thank you for the post.

Said Karagüllü on July 16, 2011 at 6:03 PM said...

Nice post admin, thx. I will follow this blog.

Dan man on July 20, 2011 at 12:13 AM said...

Great post with a lot of useful info. Thank you so much for the help.

Anonymous said...

Web Guy
Interesting tool!

Kevin Koskello on July 28, 2011 at 9:09 PM said...

This looks like a really great option. I am tired of worrying about my internet security. This sounds really automated, which is great.

Lalique on August 3, 2011 at 3:41 PM said...

I have recently updated to FF5 and I don't think it works with it. Do you have any way of doing this on FF5?

Unknown on August 12, 2011 at 9:19 AM said...

Very good blog. I also like Monster Beats; its tone is really quite good, the noise reduction is powerful, and the production quality is also very good. I bought two, one for listening at home and one for listening while shopping. My friends are using them too!

Tina @ wedding favors on August 16, 2011 at 12:11 PM said...

I am still waiting for the newer post. I hope it will be soon.

Mark Jacobs on August 24, 2011 at 6:40 PM said...

Like the HTTPS method, great post.

Rajesh on September 15, 2011 at 6:07 PM said...

Great info thanks...!

James on September 17, 2011 at 4:27 PM said...

Thank you for sharing this info! It helped me.

Matt Greene on September 21, 2011 at 2:39 PM said...

The trouble with this is that the websites themselves have to enable the Strict-Transport-Security header and, well, not many of them either do or will.

Aimey Alastair on October 20, 2011 at 9:45 PM said...

Thank you for the information. It really helps. It is also useful for me, and thanks again for sharing this....

vishal saxena on December 19, 2012 at 5:57 PM said...

Thanks.............. but what are the ways of HTTPS security access on the web....

© 2013 SecurityHunk All Rights Reserved