[WEB SECURITY] SSL does not = a secure website

michaelslists at gmail.com michaelslists at gmail.com
Tue Mar 28 21:01:29 EST 2006


Would a key logger be used in isolation anyway? Surely if you're
trying to hijack/view/steal/see web traffic you're going to be
watching & recording the traffic  anyway. Which means that it doesn't
matter at all how the password is "input".

-- Michael

On 3/29/06, Brian Eaton <eaton.lists at gmail.com> wrote:
> On 3/28/06, Ryan Barnett <rcbarnett at gmail.com> wrote:
> > Their is nothing that a website can do
> > to prevent keyloggers on the user's machine.
> >
> > Well, now that I think about it, that is not entirely true...  Websites
> > could front-end their web apps with applications such as Sygate (
> > http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302)
> > which can check the user's computer for some forms of malware (including
> > keyloggers) and then place the user into a Java virtual machine to help
> > protect user credentials.
>
> I haven't used Sygate, but I suspect that malware that can install a
> key logger could also hide from Sygate if it wanted to.
>
> Another option is to try to limit the damage a key logger can do.  For
> example, if your web site uses password authentication, a key logger
> can capture the password.  The attacker can later use that password to
> impersonate the end user.  If, OTOH, your web site uses some kind of
> two-factor authentication such as a hardware certificate + passphrase,
> the situation is much better.  The key logger can capture the
> passphrase, but it won't do much good to the attacker because they do
> not have the certificate.
>
> Of course this hypothetical malware is still in a very powerful
> position, sitting between the user and the web application and
> essentially doing whatever it pleases as the user.  But as soon as the
> user's session ends, the malware is locked out again.
>
> Regards,
> Brian
>
> -------------------------------------------------------------------------
> This List Sponsored by: SpiDynamics
>
> ALERT: "How A Hacker Launches A Web Application Attack!"
> Step-by-Step - SPI Dynamics White Paper
> Learn how to defend against Web Application Attacks with real-world
> examples of recent hacking methods such as: SQL Injection, Cross Site
> Scripting and Parameter Manipulation
>
> https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
> --------------------------------------------------------------------------
>
>

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/



More information about the websecurity mailing list