WebApp Sec mailing list archives

Re: [WEB SECURITY] SSL does not = a secure website

From: "Brian Eaton" <eaton.lists () gmail com>
Date: Tue, 28 Mar 2006 19:42:32 -0500

On 3/28/06, Ryan Barnett <rcbarnett () gmail com> wrote:

Their is nothing that a website can do
to prevent keyloggers on the user's machine.

Well, now that I think about it, that is not entirely true...  Websites
could front-end their web apps with applications such as Sygate (
http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302)
which can check the user's computer for some forms of malware (including
keyloggers) and then place the user into a Java virtual machine to help
protect user credentials.


I haven't used Sygate, but I suspect that malware that can install a
key logger could also hide from Sygate if it wanted to.

Another option is to try to limit the damage a key logger can do.  For
example, if your web site uses password authentication, a key logger
can capture the password.  The attacker can later use that password to
impersonate the end user.  If, OTOH, your web site uses some kind of
two-factor authentication such as a hardware certificate + passphrase,
the situation is much better.  The key logger can capture the
passphrase, but it won't do much good to the attacker because they do
not have the certificate.

Of course this hypothetical malware is still in a very powerful
position, sitting between the user and the web application and
essentially doing whatever it pleases as the user.  But as soon as the
user's session ends, the malware is locked out again.

Regards,
Brian

-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------

Current thread:

RE: [WEB SECURITY] SSL does not = a secure website Sebastien Deleersnyder (Mar 28)
- <Possible follow-ups>
- Re: [WEB SECURITY] SSL does not = a secure website Richard St John (Mar 28)
- Re: [WEB SECURITY] SSL does not = a secure website Nick Owen (Mar 28)
- RE: [WEB SECURITY] SSL does not = a secure website Mark Mcdonald (Mar 28)
  - Re: [WEB SECURITY] SSL does not = a secure website michaelslists (Mar 28)
  - Re: [WEB SECURITY] SSL does not = a secure website Andrew van der Stock (Mar 28)
    - RE: [WEB SECURITY] SSL does not = a secure website Lyal Collins (Mar 29)
    - Re: [WEB SECURITY] SSL does not = a secure website Ryan Barnett (Mar 29)
    - Re: [WEB SECURITY] SSL does not = a secure website Brian Eaton (Mar 29)
- Re: [WEB SECURITY] SSL does not = a secure website Brian Eaton (Mar 28)
  - Re: [WEB SECURITY] SSL does not = a secure website michaelslists (Mar 28)
- RE: [WEB SECURITY] SSL does not = a secure website James Strassburg (Mar 28)
  - Re: [WEB SECURITY] SSL does not = a secure website Bill Pennington (Mar 28)
  - Re: [WEB SECURITY] SSL does not = a secure website Gervase Markham (Mar 29)
    - Re: [WEB SECURITY] SSL does not = a secure website Evert Collab (Mar 29)
- RE: [WEB SECURITY] SSL does not = a secure website Jeremy Bellwood (Mar 28)
  - Re: [WEB SECURITY] SSL does not = a secure website michaelslists (Mar 28)
- RE: [WEB SECURITY] SSL does not = a secure website PPowenski (Mar 29)