Re: [WEB SECURITY] SSL does not = a secure website

I hate this thing with a passion. I actually have to use it.

God help anyone that needs to use it in an office environment, anyone
walking past your "cube" could _easily_ see what password you are
typing in.

-- Michael

On 3/29/06, Mark Mcdonald <mmcdonald@staff.iinet.net.au> wrote:
> Westpac Bank in Australia has recently put an on-screen keyboard up.
> Check it out here:
>
> https://online.westpac.com.au/esis/Login/SrvPage
>
>
>
> -----Original Message-----
> From: James Strassburg [mailto:JStrassburg@directs.com]
> Sent: Wednesday, 29 March 2006 11:16 AM
> To: Sebastien Deleersnyder; Web Security; webappsec@securityfocus.com
> Subject: RE: [WEB SECURITY] SSL does not = a secure website
>
> There are additional countermeasures that a web application can
> implement.  For example, the app could have the user enter his/her
> password by clicking an onscreen keyboard or ask the user for random
> characters from their password (enter the 2nd, 4th and 10th character of
> your password).  I should state that while I've read about these I don't
> know of a web application that makes use of them.
>
> James Strassburg
>
> ________________________________
>
> From: Ryan Barnett [mailto:rcbarnett@gmail.com]
> Sent: Tuesday, March 28, 2006 8:10 AM
> To: Sebastien Deleersnyder
> Cc: Web Security; webappsec@securityfocus.com
> Subject: Re: [WEB SECURITY] SSL does not = a secure website
>
>
>
> On 3/28/06, Sebastien Deleersnyder <sebastien.deleersnyder@ascure.com>
> wrote:
>
> Their is nothing that a website can do to prevent keyloggers on the
> user's machine.
>
> Well, now that I think about it, that is not entirely true...  Websites
> could front-end their web apps with applications such as Sygate (
> http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302
> <http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302> )
> which can check the user's computer for some forms of malware (including
> keyloggers) and then place the user into a Java virtual machine to help
> protect user credentials.
>
>
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/
>
>
> -------------------------------------------------------------------------
> This List Sponsored by: SpiDynamics
>
> ALERT: "How A Hacker Launches A Web Application Attack!"
> Step-by-Step - SPI Dynamics White Paper
> Learn how to defend against Web Application Attacks with real-world
> examples of recent hacking methods such as: SQL Injection, Cross Site
> Scripting and Parameter Manipulation
>
> https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
> --------------------------------------------------------------------------

-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world 
examples of recent hacking methods such as: SQL Injection, Cross Site 
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------