[WEB SECURITY] SSL does not = a secure website

James Strassburg JStrassburg at directs.com
Tue Mar 28 18:16:09 EST 2006

There are additional countermeasures that a web application can
implement.  For example, the app could have the user enter his/her
password by clicking an onscreen keyboard or ask the user for random
characters from their password (enter the 2nd, 4th and 10th character of
your password).  I should state that while I've read about these I don't
know of a web application that makes use of them.

James Strassburg


From: Ryan Barnett [mailto:rcbarnett at gmail.com] 
Sent: Tuesday, March 28, 2006 8:10 AM
To: Sebastien Deleersnyder
Cc: Web Security; webappsec at securityfocus.com
Subject: Re: [WEB SECURITY] SSL does not = a secure website

On 3/28/06, Sebastien Deleersnyder <sebastien.deleersnyder at ascure.com>

Their is nothing that a website can do to prevent keyloggers on the
user's machine. 
Well, now that I think about it, that is not entirely true...  Websites
could front-end their web apps with applications such as Sygate (
<http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302> )
which can check the user's computer for some forms of malware (including
keyloggers) and then place the user into a Java virtual machine to help
protect user credentials.  

The Web Security Mailing List

The Web Security Mailing List Archives

More information about the websecurity mailing list