[WEB SECURITY] SSL does not = a secure website

Ryan Barnett rcbarnett at gmail.com
Tue Mar 28 09:09:46 EST 2006


On 3/28/06, Sebastien Deleersnyder <sebastien.deleersnyder at ascure.com>
wrote:
>
> Hi Ryan,
>
> What about a Trojan installed key logger?
>
Excellent point.  Keyloggers on client machines are probably more of a threat
to personal information than network sniffing.  SSL does nothing for local
keyloggers.  While this is true, the focus of my point was from the server's
view and not from the client's view.  There is nothing that a website can do
to prevent keyloggers on the user's machine.

Well, now that I think about it, that is not entirely true...  Websites
could front-end their web apps with applications such as Sygate (
http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302) which can
check the user's computer for some forms of malware (including keyloggers)
and then place the user into a Java virtual machine to help protect user
credentials.

I have professionally used Sygate in this capacity and it works great to
help protect session info when a trusted user is accessing your web app from an
untrusted computer.  The main problem that I would see to widespread
adoption of this would be end user awareness.  The vast majority of
net-izens would have a hard time understanding what was happening and how to
use it.

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache