[WEB SECURITY] SSL does not = a secure website

michaelslists at gmail.com michaelslists at gmail.com
Tue Mar 28 22:25:28 EST 2006


I think you could still replay the old details, even if all you had to
do was modify a "authorisationMethod=a" to "authorisationMethod=b". I
don't know for sure though ...

-- Michael

On 3/29/06, Jeremy Bellwood <Jeremy.Bellwood at serengetilaw.com> wrote:
> I think ING Direct has done a pretty good job at evaluating the security concerns making it difficult for keyloggers.
>
> The question used for "Step 2" changes each page refresh.  They also have a dynamically generated 10-key pad used in "Step 3" where a user either types the letters instead of the numbers OR click on the numbers.
>
> Since both "Step 2" and "Step 3" are dynamically generated with each page refresh I think it makes it significantly more difficult get all the information needed to impersonate a valid user.
>
> -Jeremy
>
> ________________________________
>
> From: michaelslists at gmail.com [mailto:michaelslists at gmail.com]
> Sent: Tue 3/28/2006 5:54 PM
> To: Mark Mcdonald
> Cc: James Strassburg; Sebastien Deleersnyder; Web Security; webappsec at securityfocus.com
> Subject: Re: [WEB SECURITY] SSL does not = a secure website
>
>
>
> I hate this thing with a passion. I actually have to use it.
>
> God help anyone that needs to use it in an office environment, anyone
> walking past your "cube" could _easily_ see what password you are
> typing in.
>
> -- Michael
>
> On 3/29/06, Mark Mcdonald <mmcdonald at staff.iinet.net.au> wrote:
> > Westpac Bank in Australia has recently put an on-screen keyboard up.
> > Check it out here:
> >
> > https://online.westpac.com.au/esis/Login/SrvPage
> >
> >
> >
> > -----Original Message-----
> > From: James Strassburg [mailto:JStrassburg at directs.com]
> > Sent: Wednesday, 29 March 2006 11:16 AM
> > To: Sebastien Deleersnyder; Web Security; webappsec at securityfocus.com
> > Subject: RE: [WEB SECURITY] SSL does not = a secure website
> >
> > There are additional countermeasures that a web application can
> > implement.  For example, the app could have the user enter his/her
> > password by clicking an onscreen keyboard or ask the user for random
> > characters from their password (enter the 2nd, 4th and 10th character of
> > your password).  I should state that while I've read about these I don't
> > know of a web application that makes use of them.
> >
> > James Strassburg
> >
> > ________________________________
> >
> > From: Ryan Barnett [mailto:rcbarnett at gmail.com]
> > Sent: Tuesday, March 28, 2006 8:10 AM
> > To: Sebastien Deleersnyder
> > Cc: Web Security; webappsec at securityfocus.com
> > Subject: Re: [WEB SECURITY] SSL does not = a secure website
> >
> >
> >
> > On 3/28/06, Sebastien Deleersnyder <sebastien.deleersnyder at ascure.com>
> > wrote:
> >
> > Their is nothing that a website can do to prevent keyloggers on the
> > user's machine.
> >
> > Well, now that I think about it, that is not entirely true...  Websites
> > could front-end their web apps with applications such as Sygate (
> > http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302
> > <http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302> )
> > which can check the user's computer for some forms of malware (including
> > keyloggers) and then place the user into a Java virtual machine to help
> > protect user credentials.
> >
> >
> > ---------------------------------------------------------------------
> > The Web Security Mailing List
> > http://www.webappsec.org/lists/websecurity/
> >
> > The Web Security Mailing List Archives
> > http://www.webappsec.org/lists/websecurity/archive/
> >
> >
> > -------------------------------------------------------------------------
> > This List Sponsored by: SpiDynamics
> >
> > ALERT: "How A Hacker Launches A Web Application Attack!"
> > Step-by-Step - SPI Dynamics White Paper
> > Learn how to defend against Web Application Attacks with real-world
> > examples of recent hacking methods such as: SQL Injection, Cross Site
> > Scripting and Parameter Manipulation
> >
> > https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
> > --------------------------------------------------------------------------
> >
> >
>
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/
>
>
>
>
>

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/



More information about the websecurity mailing list