WebApp Sec mailing list archives
RE: [WEB SECURITY] SSL does not = a secure website
From: "Mark Mcdonald" <mmcdonald () staff iinet net au>
Date: Wed, 29 Mar 2006 07:41:42 +0800
Westpac Bank in Australia has recently put an on-screen keyboard up. Check it out here: https://online.westpac.com.au/esis/Login/SrvPage -----Original Message----- From: James Strassburg [mailto:JStrassburg () directs com] Sent: Wednesday, 29 March 2006 11:16 AM To: Sebastien Deleersnyder; Web Security; webappsec () securityfocus com Subject: RE: [WEB SECURITY] SSL does not = a secure website There are additional countermeasures that a web application can implement. For example, the app could have the user enter his/her password by clicking an onscreen keyboard or ask the user for random characters from their password (enter the 2nd, 4th and 10th character of your password). I should state that while I've read about these I don't know of a web application that makes use of them. James Strassburg ________________________________ From: Ryan Barnett [mailto:rcbarnett () gmail com] Sent: Tuesday, March 28, 2006 8:10 AM To: Sebastien Deleersnyder Cc: Web Security; webappsec () securityfocus com Subject: Re: [WEB SECURITY] SSL does not = a secure website On 3/28/06, Sebastien Deleersnyder <sebastien.deleersnyder () ascure com> wrote: Their is nothing that a website can do to prevent keyloggers on the user's machine. Well, now that I think about it, that is not entirely true... Websites could front-end their web apps with applications such as Sygate ( http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302 <http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302> ) which can check the user's computer for some forms of malware (including keyloggers) and then place the user into a Java virtual machine to help protect user credentials. --------------------------------------------------------------------- The Web Security Mailing List http://www.webappsec.org/lists/websecurity/ The Web Security Mailing List Archives http://www.webappsec.org/lists/websecurity/archive/ ------------------------------------------------------------------------- This List Sponsored by: SpiDynamics ALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl --------------------------------------------------------------------------
Current thread:
- RE: [WEB SECURITY] SSL does not = a secure website Sebastien Deleersnyder (Mar 28)
- <Possible follow-ups>
- Re: [WEB SECURITY] SSL does not = a secure website Richard St John (Mar 28)
- Re: [WEB SECURITY] SSL does not = a secure website Nick Owen (Mar 28)
- RE: [WEB SECURITY] SSL does not = a secure website Mark Mcdonald (Mar 28)
- Re: [WEB SECURITY] SSL does not = a secure website michaelslists (Mar 28)
- Re: [WEB SECURITY] SSL does not = a secure website Andrew van der Stock (Mar 28)
- RE: [WEB SECURITY] SSL does not = a secure website Lyal Collins (Mar 29)
- Re: [WEB SECURITY] SSL does not = a secure website Ryan Barnett (Mar 29)
- Re: [WEB SECURITY] SSL does not = a secure website Brian Eaton (Mar 29)
- Re: [WEB SECURITY] SSL does not = a secure website michaelslists (Mar 28)
- Re: [WEB SECURITY] SSL does not = a secure website Bill Pennington (Mar 28)
- Re: [WEB SECURITY] SSL does not = a secure website Gervase Markham (Mar 29)