WebApp Sec mailing list archives

RE: [WEB SECURITY] SSL does not = a secure website

From: "Jeremy Bellwood" <Jeremy.Bellwood () serengetilaw com>
Date: Tue, 28 Mar 2006 18:19:20 -0800

I think ING Direct has done a pretty good job at evaluating the security concerns making it difficult for keyloggers.
 
The question used for "Step 2" changes each page refresh.  They also have a dynamically generated 10-key pad used in 
"Step 3" where a user either types the letters instead of the numbers OR click on the numbers.
 
Since both "Step 2" and "Step 3" are dynamically generated with each page refresh I think it makes it significantly 
more difficult get all the information needed to impersonate a valid user.
 
-Jeremy

________________________________

From: michaelslists () gmail com [mailto:michaelslists () gmail com]
Sent: Tue 3/28/2006 5:54 PM
To: Mark Mcdonald
Cc: James Strassburg; Sebastien Deleersnyder; Web Security; webappsec () securityfocus com
Subject: Re: [WEB SECURITY] SSL does not = a secure website



I hate this thing with a passion. I actually have to use it.

God help anyone that needs to use it in an office environment, anyone
walking past your "cube" could _easily_ see what password you are
typing in.

-- Michael

On 3/29/06, Mark Mcdonald <mmcdonald () staff iinet net au> wrote:

Westpac Bank in Australia has recently put an on-screen keyboard up.
Check it out here:

https://online.westpac.com.au/esis/Login/SrvPage



-----Original Message-----
From: James Strassburg [mailto:JStrassburg () directs com]
Sent: Wednesday, 29 March 2006 11:16 AM
To: Sebastien Deleersnyder; Web Security; webappsec () securityfocus com
Subject: RE: [WEB SECURITY] SSL does not = a secure website

There are additional countermeasures that a web application can
implement.  For example, the app could have the user enter his/her
password by clicking an onscreen keyboard or ask the user for random
characters from their password (enter the 2nd, 4th and 10th character of
your password).  I should state that while I've read about these I don't
know of a web application that makes use of them.

James Strassburg

________________________________

From: Ryan Barnett [mailto:rcbarnett () gmail com]
Sent: Tuesday, March 28, 2006 8:10 AM
To: Sebastien Deleersnyder
Cc: Web Security; webappsec () securityfocus com
Subject: Re: [WEB SECURITY] SSL does not = a secure website



On 3/28/06, Sebastien Deleersnyder <sebastien.deleersnyder () ascure com>
wrote:

Their is nothing that a website can do to prevent keyloggers on the
user's machine.

Well, now that I think about it, that is not entirely true...  Websites
could front-end their web apps with applications such as Sygate (
http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302
<http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302> )
which can check the user's computer for some forms of malware (including
keyloggers) and then place the user into a Java virtual machine to help
protect user credentials.


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/


-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/




-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------

Current thread:

Re: [WEB SECURITY] SSL does not = a secure website, (continued)
- - Re: [WEB SECURITY] SSL does not = a secure website Andrew van der Stock (Mar 28)
    - RE: [WEB SECURITY] SSL does not = a secure website Lyal Collins (Mar 29)
    - Re: [WEB SECURITY] SSL does not = a secure website Ryan Barnett (Mar 29)
    - Re: [WEB SECURITY] SSL does not = a secure website Brian Eaton (Mar 29)
- Re: [WEB SECURITY] SSL does not = a secure website Brian Eaton (Mar 28)
  - Re: [WEB SECURITY] SSL does not = a secure website michaelslists (Mar 28)
- RE: [WEB SECURITY] SSL does not = a secure website James Strassburg (Mar 28)
  - Re: [WEB SECURITY] SSL does not = a secure website Bill Pennington (Mar 28)
  - Re: [WEB SECURITY] SSL does not = a secure website Gervase Markham (Mar 29)
    - Re: [WEB SECURITY] SSL does not = a secure website Evert Collab (Mar 29)
- RE: [WEB SECURITY] SSL does not = a secure website Jeremy Bellwood (Mar 28)
  - Re: [WEB SECURITY] SSL does not = a secure website michaelslists (Mar 28)
- RE: [WEB SECURITY] SSL does not = a secure website PPowenski (Mar 29)