Re: [WEB SECURITY] SSL does not = a secure website
- From: "Ryan Barnett" <rcbarnett@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] SSL does not = a secure website
- Date: Tue, 28 Mar 2006 09:09:46 -0500
On 3/28/06, Sebastien Deleersnyder <sebastien.deleersnyder@ascure.com> wrote:
>
> Hi Ryan,
>
> What about a Trojan installed key logger?
>
Excellent point. Keyloggers on client machines are probably more of a threat
to personal information than network sniffing. SSL does nothing for local
keyloggers. While this is true, the focus of my point was from the server's
view and not from the client's view. There is nothing that a website can do
to prevent keyloggers on the user's machine.

Well, now that I think about it, that is not entirely true... Websites
could front-end their web apps with applications such as Sygate
(http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302) which can
check the user's computer for some forms of malware (including keyloggers)
and then place the user into a Java virtual machine to help protect user
credentials.

I have professionally used Sygate in this capacity and it works great to
help protect session info when a trusted user is accessing your web app from
an untrusted computer. The main problem that I would see to widespread
adoption of this would be end user awareness. The vast majority of
net-izens would have a hard time understanding what was happening and how to
use it.
--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
Brought to you by http://www.webappsec.org