WebApp Sec mailing list archives
Re: [WEB SECURITY] SSL does not = a secure website
From: "Brian Eaton" <eaton.lists () gmail com>
Date: Tue, 28 Mar 2006 19:42:32 -0500
On 3/28/06, Ryan Barnett <rcbarnett () gmail com> wrote:
Their is nothing that a website can do to prevent keyloggers on the user's machine. Well, now that I think about it, that is not entirely true... Websites could front-end their web apps with applications such as Sygate ( http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302) which can check the user's computer for some forms of malware (including keyloggers) and then place the user into a Java virtual machine to help protect user credentials.
I haven't used Sygate, but I suspect that malware that can install a key logger could also hide from Sygate if it wanted to. Another option is to try to limit the damage a key logger can do. For example, if your web site uses password authentication, a key logger can capture the password. The attacker can later use that password to impersonate the end user. If, OTOH, your web site uses some kind of two-factor authentication such as a hardware certificate + passphrase, the situation is much better. The key logger can capture the passphrase, but it won't do much good to the attacker because they do not have the certificate. Of course this hypothetical malware is still in a very powerful position, sitting between the user and the web application and essentially doing whatever it pleases as the user. But as soon as the user's session ends, the malware is locked out again. Regards, Brian ------------------------------------------------------------------------- This List Sponsored by: SpiDynamics ALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl --------------------------------------------------------------------------
Current thread:
- RE: [WEB SECURITY] SSL does not = a secure website Sebastien Deleersnyder (Mar 28)
- <Possible follow-ups>
- Re: [WEB SECURITY] SSL does not = a secure website Richard St John (Mar 28)
- Re: [WEB SECURITY] SSL does not = a secure website Nick Owen (Mar 28)
- RE: [WEB SECURITY] SSL does not = a secure website Mark Mcdonald (Mar 28)
- Re: [WEB SECURITY] SSL does not = a secure website michaelslists (Mar 28)
- Re: [WEB SECURITY] SSL does not = a secure website Andrew van der Stock (Mar 28)
- RE: [WEB SECURITY] SSL does not = a secure website Lyal Collins (Mar 29)
- Re: [WEB SECURITY] SSL does not = a secure website Ryan Barnett (Mar 29)
- Re: [WEB SECURITY] SSL does not = a secure website Brian Eaton (Mar 29)
- Re: [WEB SECURITY] SSL does not = a secure website michaelslists (Mar 28)
- Re: [WEB SECURITY] SSL does not = a secure website Bill Pennington (Mar 28)
- Re: [WEB SECURITY] SSL does not = a secure website Gervase Markham (Mar 29)
- Re: [WEB SECURITY] SSL does not = a secure website Evert Collab (Mar 29)
- Re: [WEB SECURITY] SSL does not = a secure website michaelslists (Mar 28)