More Security for Firesheep from Mozilla | HSTS

Firesheep was a buzz word few months ago then came the blacksheep to counter protect users from it.
The firesheep tutorial I demonstrated in a post shows how an attacker can gain access to any account(Twitter,Facebook,Gmail etc) with out even knowing the password using Sidejacking.

Security for Firesheep

Now with the increase of threats from the tools like Firesheep Mozilla has come with a concept of "HTTP Strict-Transport-Security", that will be employed in the version 4 of it and is available in the beta versions available.

What is "HTTP Strict-Transport-Security" ?

Actually when we access any login page it is done by default with http so our initial connection is unencrypted so an attacker can plant a MITM(Man in the Middle Attack) to recieve the connection from the user and the user feels that he/she is connected to the real server.Here comes the role of "HTTP Strict-Transport-Security" in protecting the user's session.What it does is that it guides the user's session to be strictly over Https there by encrypting the user's session from the initial point and also protect the sniffing of cookies.

How to use this feature?

1.A site need to ebable the "Strict-Transport-Security HTTP header",in order to allow the user to access a https login page and the firefox 4 will take care rest of the thing.

2.If you are using Firefox 3.6 you can use an addon called "ForceTLS" to use this functionality.

3.This is built in with Firefox 4 and in the beta but you can also use additonal controls by using "STS-UI" addon.

With this feature added to Firefox 4 the online activities of users from public
Wifi hotspots can be secured to some extent... :)
More Security for Firesheep from Mozilla | HSTS More Security for Firesheep from Mozilla | HSTS Reviewed by Satyajit (Admins,a.k.a Satosys) on Wednesday, February 02, 2011 Rating: 5

18 comments:

Annie said...

Was an enlightening post.

Mike said...

Setting the header can be done with PHP for instance with the header command such as: header('Strict-Transport-Security: max-age=500');

I didn't know that, so I went and looked it up.

bill said...

Good post thanks for sharing information i really like it and hope will some good stuff soon

rockMaria said...

great post - thank you so much for sharing this very useful information

Dana said...

The https method is very safe and help you protect yourself.

Allex Sodi said...

My account was hacked.I would love to use this and hope it will provide security for my profile.Thank You for the Post.

Said Karagüllü said...

Nice post admin thx. i will follow your this blog

Dan man said...

great post with a lot of useful info. thank you so much for the help

Anonymous said...

Web Guy
Interesting tool!

Kevin Koskello said...

This looks like a really great option. I am tired of worrying about my internet security. This sounds really automated, which is great.

Lalique said...

I have recently updated to FF5 and I don't think it works with it. Do you have any way of doing this on FF5.

Unknown said...

Very good blog, I also like monster beats, his tone is really quite good, noise reduction powerful, production quality also is very good, I bought 2, a home listening to, a shopping listen. My friends are in use!

Mark Jacobs said...

Like the Https method, great post

Rajesh said...

Great info thanks...!

James said...

Thank you for sharing this info! It helped me.

Matt Greene said...

The trouble is with this is that the websites themselves have to enable the Strict Transport Security header and, well, not many of them either do or will.

Aimey Alastair said...

Thank you for the information. It really helps. it is also us full for me . and thank`s again for shearing this....

vishal saxena said...

Thanks..............but what are the way of HTTPS security access...on the web....

Powered by Blogger.