Re: [WEB SECURITY] SSL does not = a secure website

If you look carefully at how it's implemented, it cannot help if a Trojan is onboard gathering the requisite login information, such as a BHO, DOM snooping, or a simple HTTPS proxy. If you enter "xyz123", the value submitted to the website is the same every time. This virtual keyboard implementation is not robust against anything but keylogging trojans. Therefore it's security theatre. As a Westpac customer, I find this frustrating, as I have to use this "feature" in public places frequently, and I'm more concerned about shoulder surfing in those places.

An example Trojan which is close to breaking the new virtual keyboard:
http://www.symantec.com/avcenter/venc/data/pwsteal.bancos.q.html

These virtual keyboards violate accessibility requirements (which sites are required by law to meet here), and do not fix the primary issue: phishing.

There's little value in getting into any particular user's Internet Banking session. The value to the phisher is to conduct transactions, particularly to move funds out of the country. The only way to reduce the risk of that today is transaction signing. There are many different ways of doing this. As a Westpac customer, I'd prefer it if they didn't spend good money on useless toys, but on real ways to reduce fraud and risk to me.

Andrew

On 29/03/2006, at 10:41 AM, Mark Mcdonald wrote:

> Westpac Bank in Australia has recently put an on-screen keyboard up.
> Check it out here:
>
> https://online.westpac.com.au/esis/Login/SrvPage
>
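The point Andrew makes above, shown in code as an added example that is not part of the original thread: a credential entered through an on-screen keyboard is still one fixed string that anything observing the submission can replay, whereas a MAC over the transaction details plus a server challenge fails the moment the destination is altered or the signature is reused. Key, account numbers and amounts are constructed sample values, and HMAC-SHA256 stands in for whatever signing scheme a real token would use.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample value: the secret a customer's signing token shares with the bank.
TOKEN_KEY = b"constructed-token-secret-shared-with-bank"


def static_login_accepts(stored_password: str, submitted: str) -> bool:
    """A virtual keyboard still yields the same string every time, so whatever sees
    the submitted value (BHO, DOM snooping, HTTPS proxy) can replay it verbatim."""
    return hmac.compare_digest(stored_password.encode(), submitted.encode())


def canonical(challenge: bytes, tx: dict) -> bytes:
    """Bind the signature to this exact transfer: server challenge plus every field."""
    body = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return challenge + b"\n" + body


def sign_transaction(key: bytes, challenge: bytes, tx: dict) -> str:
    """What the customer's token does: MAC over the transaction details."""
    return hmac.new(key, canonical(challenge, tx), hashlib.sha256).hexdigest()


def bank_verifies(key: bytes, challenge: bytes, tx: dict, sig: str) -> bool:
    """What the bank does before moving any money."""
    return hmac.compare_digest(sign_transaction(key, challenge, tx), sig)


def compare_defences() -> dict:
    # 1. Static credential: captured once, accepted again as-is.
    login_replay = static_login_accepts("xyz123", "xyz123")

    # 2. Transaction signing: the attacker captures a legitimately signed transfer...
    challenge = secrets.token_bytes(16)
    legit = {"to_account": "AU-PAYEE-001", "amount": "250.00", "currency": "AUD"}
    sig = sign_transaction(TOKEN_KEY, challenge, legit)
    legit_ok = bank_verifies(TOKEN_KEY, challenge, legit, sig)

    # ...tries to reuse it with the destination changed to an offshore account...
    tampered = dict(legit, to_account="OFFSHORE-999")
    tamper_ok = bank_verifies(TOKEN_KEY, challenge, tampered, sig)

    # ...or replays the unchanged transfer against the bank's next challenge.
    replay_ok = bank_verifies(TOKEN_KEY, secrets.token_bytes(16), legit, sig)

    return {"login_replay_accepted": login_replay, "legit_signed_accepted": legit_ok,
            "tampered_destination_accepted": tamper_ok, "replayed_signature_accepted": replay_ok}
```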

Brought to you by http://www.webappsec.org