|
WebApp Sec
mailing list archives
Re: keyloggers? - dont doit
From: Antoine Martin <antoine () nagafix co uk>
Date: Wed, 06 Apr 2005 20:11:42 +0100
On Wed, 2005-04-06 at 05:23 -0700, Alvin Oga wrote:
hi ya
You've asked for best practice when accessing your online bank from an
Internet Cafe ? Here it is:
Don't.
dont do it .. even if it is using https .. ssl can be broken
- anything sent over the internet is sniffable from
anywhere in the world
from anywhere in the world? you mean any host along the route if you
have full access to it, not quite the same. and with https... see below
- even if its your own laptop at the cafe, you do not
know what other spyware and sniffing hardware toys they
have on their network
Who cares? If you trust your laptop and use https, I don't see how any
sniffer is ever going to get anything out of the data streams.
Now AFAIK, session riding is near-impossible with https and as long as
the authenticity of the https site can be checked by the authorities on
the laptop's browser software, you're fine, you're not relying on any of
the cafe's infrastructure to authenticate the other end of your
encrypted connection.
touch screens and usb will not help, as the end result
is still sent the same ole fashion way on the ethernet cables
if it's sent through https (on your own laptop), it doesn't matter.
encryption occurs before it enters the wire.
Antoine
- but if yu dont like to be told/recommended, don't do it,
please try it and see how long it takes before someone
empties your bank acct
c ya
alvin
 By Date 
By Thread
Current thread:
- Re: keyloggers?, (continued)
Re: keyloggers? Gareth Davies (Apr 06)
| 
Intro
