[WEB SECURITY] SSL does not = a secure website

Brian Eaton eaton.lists at gmail.com
Tue Mar 28 19:42:32 EST 2006


On 3/28/06, Ryan Barnett <rcbarnett at gmail.com> wrote:
> Their is nothing that a website can do
> to prevent keyloggers on the user's machine.
>
> Well, now that I think about it, that is not entirely true...  Websites
> could front-end their web apps with applications such as Sygate (
> http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302)
> which can check the user's computer for some forms of malware (including
> keyloggers) and then place the user into a Java virtual machine to help
> protect user credentials.

I haven't used Sygate, but I suspect that malware that can install a
key logger could also hide from Sygate if it wanted to.

Another option is to try to limit the damage a key logger can do.  For
example, if your web site uses password authentication, a key logger
can capture the password.  The attacker can later use that password to
impersonate the end user.  If, OTOH, your web site uses some kind of
two-factor authentication such as a hardware certificate + passphrase,
the situation is much better.  The key logger can capture the
passphrase, but it won't do much good to the attacker because they do
not have the certificate.

Of course this hypothetical malware is still in a very powerful
position, sitting between the user and the web application and
essentially doing whatever it pleases as the user.  But as soon as the
user's session ends, the malware is locked out again.

Regards,
Brian

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/



More information about the websecurity mailing list