WebApp Sec mailing list archives
RE: [WEB SECURITY] SSL does not = a secure website
From: <PPowenski () oag com>
Date: Wed, 29 Mar 2006 10:25:48 +0100
FYI... A recent purchase I made at DABS www.dabs.co.uk utilized this technique when the Verify by Visa component launched at the conclusion of the CC authorization process. -----Original Message----- From: James Strassburg [mailto:JStrassburg () directs com] Sent: 29 March 2006 00:16 To: Sebastien Deleersnyder; Web Security; webappsec () securityfocus com Subject: RE: [WEB SECURITY] SSL does not = a secure website There are additional countermeasures that a web application can implement. For example, the app could have the user enter his/her password by clicking an onscreen keyboard or ask the user for random characters from their password (enter the 2nd, 4th and 10th character of your password). I should state that while I've read about these I don't know of a web application that makes use of them. James Strassburg ________________________________ From: Ryan Barnett [mailto:rcbarnett () gmail com] Sent: Tuesday, March 28, 2006 8:10 AM To: Sebastien Deleersnyder Cc: Web Security; webappsec () securityfocus com Subject: Re: [WEB SECURITY] SSL does not = a secure website On 3/28/06, Sebastien Deleersnyder <sebastien.deleersnyder () ascure com> wrote: Their is nothing that a website can do to prevent keyloggers on the user's machine. Well, now that I think about it, that is not entirely true... Websites could front-end their web apps with applications such as Sygate ( http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302 <http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302> ) which can check the user's computer for some forms of malware (including keyloggers) and then place the user into a Java virtual machine to help protect user credentials. ------------------------------------------------------------------------ - This List Sponsored by: SpiDynamics ALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gR l ------------------------------------------------------------------------ -- This e-mail is intended for the named recipient(s). It and any attachments may contain privileged and/or confidential information. They may not be disclosed to or used by or copied in any way by anyone other than the intended recipient. If you are not one of the intended recipients, or this email is received in error, please immediately either notify the sender or contact OAG Worldwide Limited on +44 (0) 1582 600111 quoting the name of the sender and the email address to which it has been sent and then delete it and any attachment(s). While all reasonable efforts are made to safeguard inbound and outbound e-mails, OAG Worldwide Limited and its affiliate companies cannot guarantee that attachments do not contain any viruses or are compatible with your systems, and does not accept liability in respect of viruses or computer problems experienced. Neither OAG Worldwide Limited nor the sender accepts any responsibility for viruses and it is your responsibility to scan or otherwise check this email and any attachments. OAG Worldwide Limited may monitor or record outgoing and incoming e-mail to secure effective system operation and for other lawful purposes. By replying to this email you give your consent to such monitoring. Thank you. OAG Worldwide Limited is a company registered in England and Wales (registered number 4226716), with its registered office at Church Street, Dunstable, Bedfordshire, LU5 4HB, United Kingdom. ------------------------------------------------------------------------- This List Sponsored by: SpiDynamics ALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl --------------------------------------------------------------------------
Current thread:
- Re: [WEB SECURITY] SSL does not = a secure website, (continued)
- Re: [WEB SECURITY] SSL does not = a secure website Ryan Barnett (Mar 29)
- Re: [WEB SECURITY] SSL does not = a secure website Brian Eaton (Mar 29)
- Re: [WEB SECURITY] SSL does not = a secure website Brian Eaton (Mar 28)
- Re: [WEB SECURITY] SSL does not = a secure website michaelslists (Mar 28)
- RE: [WEB SECURITY] SSL does not = a secure website James Strassburg (Mar 28)
- Re: [WEB SECURITY] SSL does not = a secure website Bill Pennington (Mar 28)
- Re: [WEB SECURITY] SSL does not = a secure website Gervase Markham (Mar 29)
- Re: [WEB SECURITY] SSL does not = a secure website Evert Collab (Mar 29)
- RE: [WEB SECURITY] SSL does not = a secure website Jeremy Bellwood (Mar 28)
- Re: [WEB SECURITY] SSL does not = a secure website michaelslists (Mar 28)
- RE: [WEB SECURITY] SSL does not = a secure website PPowenski (Mar 29)