WebApp Sec mailing list archives

RE: [WEB SECURITY] SSL does not = a secure website

From: <PPowenski () oag com>
Date: Wed, 29 Mar 2006 10:25:48 +0100

FYI...

A recent purchase I made at DABS www.dabs.co.uk utilized this technique
when the Verify by Visa component launched at the conclusion of the CC
authorization process.


-----Original Message-----
From: James Strassburg [mailto:JStrassburg () directs com] 
Sent: 29 March 2006 00:16
To: Sebastien Deleersnyder; Web Security; webappsec () securityfocus com
Subject: RE: [WEB SECURITY] SSL does not = a secure website


There are additional countermeasures that a web application can
implement.  For example, the app could have the user enter his/her
password by clicking an onscreen keyboard or ask the user for random
characters from their password (enter the 2nd, 4th and 10th character of
your password).  I should state that while I've read about these I don't
know of a web application that makes use of them.

James Strassburg

________________________________

From: Ryan Barnett [mailto:rcbarnett () gmail com] 
Sent: Tuesday, March 28, 2006 8:10 AM
To: Sebastien Deleersnyder
Cc: Web Security; webappsec () securityfocus com
Subject: Re: [WEB SECURITY] SSL does not = a secure website



On 3/28/06, Sebastien Deleersnyder <sebastien.deleersnyder () ascure com>
wrote: 

Their is nothing that a website can do to prevent keyloggers on the
user's machine. 
 
Well, now that I think about it, that is not entirely true...  Websites
could front-end their web apps with applications such as Sygate (
http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302
<http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302> )
which can check the user's computer for some forms of malware (including
keyloggers) and then place the user into a Java virtual machine to help
protect user credentials.  


------------------------------------------------------------------------
-
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world 
examples of recent hacking methods such as: SQL Injection, Cross Site 
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gR
l
------------------------------------------------------------------------
--
This e-mail is intended for the named recipient(s).  It and any attachments may contain privileged and/or confidential 
information. They may not be disclosed to or used by or copied in any way by anyone other than the intended recipient.  
If you are not one of the intended recipients, or this email is received in error, please immediately either notify the 
sender or contact OAG Worldwide Limited on +44 (0) 1582 600111 quoting the name of the sender and the email address to 
which it has been sent and then delete it and any attachment(s). 
While all reasonable efforts are made to safeguard inbound and outbound e-mails, OAG Worldwide Limited and its 
affiliate companies cannot guarantee that attachments do not contain any viruses or are compatible with your systems, 
and does not accept liability in respect of viruses or computer problems experienced. Neither OAG Worldwide Limited nor 
the sender accepts any responsibility for viruses and it is your responsibility to scan or otherwise check this email 
and any attachments.  
OAG Worldwide Limited may monitor or record outgoing and incoming e-mail to secure effective system operation and for 
other lawful purposes.  By replying to this email you give your consent to such monitoring. 
Thank you.
OAG Worldwide Limited is a company registered in England and Wales (registered number 4226716), with its registered 
office at Church Street, Dunstable, Bedfordshire, LU5 4HB, United Kingdom.


-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------

Current thread:

Re: [WEB SECURITY] SSL does not = a secure website, (continued)
- - - Re: [WEB SECURITY] SSL does not = a secure website Ryan Barnett (Mar 29)
    - Re: [WEB SECURITY] SSL does not = a secure website Brian Eaton (Mar 29)
- Re: [WEB SECURITY] SSL does not = a secure website Brian Eaton (Mar 28)
  - Re: [WEB SECURITY] SSL does not = a secure website michaelslists (Mar 28)
- RE: [WEB SECURITY] SSL does not = a secure website James Strassburg (Mar 28)
  - Re: [WEB SECURITY] SSL does not = a secure website Bill Pennington (Mar 28)
  - Re: [WEB SECURITY] SSL does not = a secure website Gervase Markham (Mar 29)
    - Re: [WEB SECURITY] SSL does not = a secure website Evert Collab (Mar 29)
- RE: [WEB SECURITY] SSL does not = a secure website Jeremy Bellwood (Mar 28)
  - Re: [WEB SECURITY] SSL does not = a secure website michaelslists (Mar 28)
- RE: [WEB SECURITY] SSL does not = a secure website PPowenski (Mar 29)