Protecting Against Firesheep with Strict Transport Security

Monday, December 27, 2010

Bozidar Spirovski


Article by Michael Coates

Strict Transport Security is a great solution to protecting against Firesheep

Now ultimately the vulnerable website is supposed to fix this issue on their side. But, let's not wait around for them. Let's fix it on our side and protect our traffic now.

Step 1: Grab a browser that supports Strict Transport Security (Firefox 4 & Google Chrome both support STS)

Step 2: Install an add-on that lets you add specific STS settings - STS-UI

Step 3: Configure STS-UI for the sites you're concerned about

Step 4: Be happy your data is more secure. However, securely transmitting data is only one piece of the security pie. But at least you're good in that department.

Configuring STS-UI

Go to tools->Manager Strict Transport Security


Enter the domain name of each site you wish to protect (e.g. force Strict Transport Security upon the site). For example enter "" and select "Force subdomains too"


After adding and it should look like this:


Done. Now you will always be using HTTPS for data exchanged between twitter or Facebook.

Remember, this only protects you against sites that are either already using STS or sites that you have manually added. This really isn't a scalable approach since could be vulnerable and you wouldn't know unless you inspected the traffic going back and forth.

For those that have access to company VPNs or SSH tunnels for their traffic, I'd recommend you also use those when accessing the network from a wireless hotspot.

A VPN doesn't solve the problem, but it does remove access from the likely attackers (e.g. other random users of the wireless hot-spot).

This is a guest post by Michael Coates, a senior application security consultant with extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers world-wide. The original text is published on ...Application Security...

Cross-posted from Short Infosec

Possibly Related Articles:
SSH VPN firesheep Transport Security STS-UI
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.