WebApp Sec mailing list archives
Re: [WEB SECURITY] SSL does not = a secure website
From: michaelslists () gmail com
Date: Wed, 29 Mar 2006 14:25:28 +1100
I think you could still replay the old details, even if all you had to do was modify an "authorisationMethod=a" to "authorisationMethod=b". I don't know for sure though ...

-- Michael

On 3/29/06, Jeremy Bellwood <Jeremy.Bellwood () serengetilaw com> wrote:
> I think ING Direct has done a pretty good job at evaluating the security concerns making it difficult for keyloggers. The question used for "Step 2" changes each page refresh. They also have a dynamically generated 10-key pad used in "Step 3" where a user either types the letters instead of the numbers OR clicks on the numbers. Since both "Step 2" and "Step 3" are dynamically generated with each page refresh I think it makes it significantly more difficult to get all the information needed to impersonate a valid user.
>
> -Jeremy
>
> ________________________________
> From: michaelslists () gmail com [mailto:michaelslists () gmail com]
> Sent: Tue 3/28/2006 5:54 PM
> To: Mark Mcdonald
> Cc: James Strassburg; Sebastien Deleersnyder; Web Security; webappsec () securityfocus com
> Subject: Re: [WEB SECURITY] SSL does not = a secure website
>
> I hate this thing with a passion. I actually have to use it. God help anyone that needs to use it in an office environment; anyone walking past your "cube" could _easily_ see what password you are typing in.
>
> -- Michael
>
> On 3/29/06, Mark Mcdonald <mmcdonald () staff iinet net au> wrote:
>
> Westpac Bank in Australia has recently put an on-screen keyboard up. Check it out here: https://online.westpac.com.au/esis/Login/SrvPage
>
> -----Original Message-----
> From: James Strassburg [mailto:JStrassburg () directs com]
> Sent: Wednesday, 29 March 2006 11:16 AM
> To: Sebastien Deleersnyder; Web Security; webappsec () securityfocus com
> Subject: RE: [WEB SECURITY] SSL does not = a secure website
>
> There are additional countermeasures that a web application can implement. For example, the app could have the user enter his/her password by clicking an onscreen keyboard, or ask the user for random characters from their password (enter the 2nd, 4th and 10th character of your password). I should state that while I've read about these I don't know of a web application that makes use of them.
>
> James Strassburg
>
> ________________________________
> From: Ryan Barnett [mailto:rcbarnett () gmail com]
> Sent: Tuesday, March 28, 2006 8:10 AM
> To: Sebastien Deleersnyder
> Cc: Web Security; webappsec () securityfocus com
> Subject: Re: [WEB SECURITY] SSL does not = a secure website
>
> On 3/28/06, Sebastien Deleersnyder <sebastien.deleersnyder () ascure com> wrote:
> > There is nothing that a website can do to prevent keyloggers on the user's machine.
>
> Well, now that I think about it, that is not entirely true... Websites could front-end their web apps with applications such as Sygate (http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302) which can check the user's computer for some forms of malware (including keyloggers) and then place the user into a Java virtual machine to help protect user credentials.
>
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/
>
> -------------------------------------------------------------------------
> This List Sponsored by: SpiDynamics
> ALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper
> Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation
> https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
> -------------------------------------------------------------------------
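The partial-password challenge James describes above ("enter the 2nd, 4th and 10th character of your password"), together with Michael's worry that an old answer could simply be replayed, as an added Python sketch; this is not code from the thread or from any of the banks mentioned in it. It assumes a server that picks the character positions per login attempt and keeps them in the server-side session, and contrasts that with a variant that trusts the positions echoed back by the client. The user store, the password and the "keylogged" transcript are constructed for the demo. Note the design cost visible in the code: a scheme that checks individual characters cannot store a single one-way hash of the whole password, so the stored secret needs other protection.

```python
"""Partial-password ("random characters of your password") challenge:
a replayable design next to one bound to the server-side session.

Assumptions (not from the thread): positions are chosen per login
attempt by the server, stored in the session, and consumed on use.
"""
import hmac
import secrets

# Constructed user store. Plaintext only to keep the demo self-contained;
# a partial-password scheme cannot verify against an ordinary whole-password
# hash, which is one of the real costs of the technique.
USERS = {"alice": "correct horse battery staple"}

CHALLENGE_SIZE = 3          # how many 1-based positions the server asks for


def new_challenge(username, session):
    """Pick CHALLENGE_SIZE distinct positions and remember them server-side
    under the session, so the client never gets to choose them."""
    pw = USERS[username]
    rng = secrets.SystemRandom()
    positions = sorted(rng.sample(range(1, len(pw) + 1), CHALLENGE_SIZE))
    session["challenge"] = positions
    return positions


def verify_bound(username, session, answer):
    """Hardened check: use only the positions this session was issued, and
    discard them so the same answer cannot be submitted a second time."""
    positions = session.pop("challenge", None)
    if positions is None or len(answer) != len(positions):
        return False
    expected = "".join(USERS[username][p - 1] for p in positions)
    return hmac.compare_digest(expected.encode(), answer.encode())


def verify_trusting_client(username, positions, answer):
    """Weak variant: the positions arrive from the client (think of a form
    field the user agent sends back), so a captured (positions, answer) pair
    is valid forever, whatever the server asked for this time."""
    expected = "".join(USERS[username][p - 1] for p in positions)
    return hmac.compare_digest(expected.encode(), answer.encode())


def demo():
    """Victim logs in once while a keylogger captures the keystrokes; the
    attacker then tries to reuse them against both verifiers."""
    victim_session = {}
    asked = new_challenge("alice", victim_session)
    typed = "".join(USERS["alice"][p - 1] for p in asked)   # what was keylogged
    genuine_ok = verify_bound("alice", victim_session, typed)

    attacker_session = {}
    now_asked = new_challenge("alice", attacker_session)    # fresh positions
    return {
        "genuine_login_ok": genuine_ok,
        "positions_changed": now_asked != asked,
        # Only succeeds if the new positions happen to equal the old ones.
        "bound_replay_works": verify_bound("alice", attacker_session, typed),
        # Always succeeds: the attacker supplies the old positions too.
        "weak_replay_works": verify_trusting_client("alice", asked, typed),
    }


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the four outcomes; the bound verifier also rejects a second submission of the same answer in the same session, because the challenge is popped on first use. Nothing here addresses shoulder-surfing or a keylogger that also captures the rendered challenge, which is the gap the rest of the thread is circling.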
Current thread:
- RE: [WEB SECURITY] SSL does not = a secure website, (continued)
- RE: [WEB SECURITY] SSL does not = a secure website Lyal Collins (Mar 29)
- Re: [WEB SECURITY] SSL does not = a secure website Ryan Barnett (Mar 29)
- Re: [WEB SECURITY] SSL does not = a secure website Brian Eaton (Mar 29)
- Re: [WEB SECURITY] SSL does not = a secure website michaelslists (Mar 28)
- Re: [WEB SECURITY] SSL does not = a secure website Bill Pennington (Mar 28)
- Re: [WEB SECURITY] SSL does not = a secure website Gervase Markham (Mar 29)
- Re: [WEB SECURITY] SSL does not = a secure website Evert Collab (Mar 29)
- Re: [WEB SECURITY] SSL does not = a secure website michaelslists (Mar 28)