[WEB SECURITY] SSL does not = a secure website

Mark Mcdonald mmcdonald at staff.iinet.net.au
Tue Mar 28 18:41:42 EST 2006


Westpac Bank in Australia has recently put an on-screen keyboard up.
Check it out here:

https://online.westpac.com.au/esis/Login/SrvPage



-----Original Message-----
From: James Strassburg [mailto:JStrassburg at directs.com] 
Sent: Wednesday, 29 March 2006 11:16 AM
To: Sebastien Deleersnyder; Web Security; webappsec at securityfocus.com
Subject: RE: [WEB SECURITY] SSL does not = a secure website

There are additional countermeasures that a web application can
implement.  For example, the app could have the user enter his/her
password by clicking an onscreen keyboard or ask the user for random
characters from their password (enter the 2nd, 4th and 10th character of
your password).  I should state that while I've read about these I don't
know of a web application that makes use of them.

James Strassburg

________________________________

From: Ryan Barnett [mailto:rcbarnett at gmail.com] 
Sent: Tuesday, March 28, 2006 8:10 AM
To: Sebastien Deleersnyder
Cc: Web Security; webappsec at securityfocus.com
Subject: Re: [WEB SECURITY] SSL does not = a secure website



On 3/28/06, Sebastien Deleersnyder <sebastien.deleersnyder at ascure.com>
wrote: 

Their is nothing that a website can do to prevent keyloggers on the
user's machine. 
 
Well, now that I think about it, that is not entirely true...  Websites
could front-end their web apps with applications such as Sygate (
http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302
<http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302> )
which can check the user's computer for some forms of malware (including
keyloggers) and then place the user into a Java virtual machine to help
protect user credentials.  


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/



More information about the websecurity mailing list