WebApp Sec mailing list archives
RE: [WEB SECURITY] SSL does not = a secure website
From: "Lyal Collins" <lyal.collins () key2it com au>
Date: Wed, 29 Mar 2006 19:54:52 +1100
See http://www.dotsec.com/onBank.html for an old flaw that directly affects this. Lyal -----Original Message----- From: Andrew van der Stock [mailto:vanderaj () greebo net] Sent: Wednesday, 29 March 2006 1:14 PM To: Mark Mcdonald Cc: James Strassburg; Sebastien Deleersnyder; Web Security; webappsec () securityfocus com Subject: Re: [WEB SECURITY] SSL does not = a secure website If you look carefully about how it's implemented, it cannot help if a Trojan is onboard gathering the requisite login information, such as a BHO, DOM snooping, or a simple HTTPS proxy. If you enter "xyz123", the value submitted to the website is the same every time. This virtual keyboard implementation is not robust against anything but keylogging trojans. Therefore it's security theatre. As a Westpac customer, I find this frustrating as I have to use this "feature" in public places frequently, and I'm more concerned about shoulder surfing in those places. An example Trojan which is close to breaking the new virtual keyboard: http://www.symantec.com/avcenter/venc/data/pwsteal.bancos.q.html These virtual keyboards violate accessibility requirements (which are required to be accessible by law here), and do not fix the primary issue - phishing. There's little value in getting into any particular user's Internet Banking session. The value to the phisher is to conduct transactions, particularly to move funds out of the country. The only way to reduce the risk of that today is transaction signing. There are many different ways of doing this. As a Westpac customer, I'd prefer it they didn't spend good money on useless toys, but on real ways to reduce fraud and risk to me. Andrew On 29/03/2006, at 10:41 AM, Mark Mcdonald wrote:
Westpac Bank in Australia has recently put an on-screen keyboard up. Check it out here: https://online.westpac.com.au/esis/Login/SrvPage
------------------------------------------------------------------------- This List Sponsored by: SpiDynamics ALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl --------------------------------------------------------------------------
Current thread:
- RE: [WEB SECURITY] SSL does not = a secure website Sebastien Deleersnyder (Mar 28)
- <Possible follow-ups>
- Re: [WEB SECURITY] SSL does not = a secure website Richard St John (Mar 28)
- Re: [WEB SECURITY] SSL does not = a secure website Nick Owen (Mar 28)
- RE: [WEB SECURITY] SSL does not = a secure website Mark Mcdonald (Mar 28)
- Re: [WEB SECURITY] SSL does not = a secure website michaelslists (Mar 28)
- Re: [WEB SECURITY] SSL does not = a secure website Andrew van der Stock (Mar 28)
- RE: [WEB SECURITY] SSL does not = a secure website Lyal Collins (Mar 29)
- Re: [WEB SECURITY] SSL does not = a secure website Ryan Barnett (Mar 29)
- Re: [WEB SECURITY] SSL does not = a secure website Brian Eaton (Mar 29)
- Re: [WEB SECURITY] SSL does not = a secure website michaelslists (Mar 28)
- Re: [WEB SECURITY] SSL does not = a secure website Bill Pennington (Mar 28)
- Re: [WEB SECURITY] SSL does not = a secure website Gervase Markham (Mar 29)
- Re: [WEB SECURITY] SSL does not = a secure website Evert Collab (Mar 29)
- Re: [WEB SECURITY] SSL does not = a secure website michaelslists (Mar 28)
