Greenwolf
commented
4 years ago Securing Against PoisonTap
Server-Side Security
If you are running a web server, securing against PoisonTap is simple:
- Use HTTPS exclusively, at the very least for authentication and authenticated content
- Honestly, you should use HTTPS exclusively and always redirect HTTP content to HTTPS, preventing a user being tricked into providing credentials or other PII over HTTP
- Ensure Secure flag is enabled on cookies, preventing HTTPS cookies from leaking over HTTP
- When loading remote Javascript resources, use the Subresource Integrity script tag attribute
- Use HSTS to prevent HTTPS downgrade attacks
Desktop Security
- Adding cement to your USB and Thunderbolt ports can be effective
- Closing your browser every time you walk away from your machine can work, but is entirely impractical
- Disabling USB/Thunderbolt ports is also effective, though also impractical
- Locking your computer has no effect as the network and USB stacks operate while the machine is locked, however, going into an encrypted sleep mode where a key is required to decrypt memory (e.g., FileVault2 + deep sleep) solves most of the issues as your browser will no longer make requests, even if woken up
Reference: https://samy.pl/poisontap/
What are some defenses against PoisonTap?