There are additional countermeasures that a web application can
implement. For example, the app could have the user enter his/her
password by clicking an onscreen keyboard or ask the user for random
characters from their password (enter the 2nd, 4th and 10th character of
your password). I should state that while I've read about these I don't
know of a web application that makes use of them.
James Strassburg
________________________________
From: Ryan Barnett [mailto:rcbarnett_at_gmail.com]
Sent: Tuesday, March 28, 2006 8:10 AM
To: Sebastien Deleersnyder
Cc: Web Security; webappsec_at_securityfocus.com
Subject: Re: [WEB SECURITY] SSL does not = a secure website
On 3/28/06, Sebastien Deleersnyder <sebastien.deleersnyder_at_ascure.com>
wrote:
Their is nothing that a website can do to prevent keyloggers on the
user's machine.
Well, now that I think about it, that is not entirely true... Websites
could front-end their web apps with applications such as Sygate (
http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302
<http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302> )
which can check the user's computer for some forms of malware (including
keyloggers) and then place the user into a Java virtual machine to help
protect user credentials.
-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics
ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation
https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------
Received on Mar 28 2006
Intro
