RE: [WEB SECURITY] SSL does not = a secure website

["James Strassburg" <JStrassburg () directs com>]

There are additional countermeasures that a web application can
implement.  For example, the app could have the user enter his/her
password by clicking an onscreen keyboard or ask the user for random
characters from their password (enter the 2nd, 4th and 10th character of
your password).  I should state that while I've read about these I don't
know of a web application that makes use of them.

James Strassburg

________________________________

From: Ryan Barnett [mailto:rcbarnett () gmail com] 
Sent: Tuesday, March 28, 2006 8:10 AM
To: Sebastien Deleersnyder
Cc: Web Security; webappsec () securityfocus com
Subject: Re: [WEB SECURITY] SSL does not = a secure website



On 3/28/06, Sebastien Deleersnyder <sebastien.deleersnyder () ascure com>
wrote: 

Their is nothing that a website can do to prevent keyloggers on the
user's machine. 
 
Well, now that I think about it, that is not entirely true...  Websites
could front-end their web apps with applications such as Sygate (
http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302
<http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302> )
which can check the user's computer for some forms of malware (including
keyloggers) and then place the user into a Java virtual machine to help
protect user credentials.  


-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------