Securing Web Forms
If you visit a secure site (https), the data that is transmitted between the client and server is encrypted, so confidentiality is kept.
I was talking to someone earlier today and they said "yeah, it's only protected between Point A and Point B, but as you're typing on the web form, that is clear text and puts you at risk. Meaning, you type a social security number in a web form field; if you have a keylogger on that machine, your info can be compromised." He then said, however, if the website is coded properly and is encrypting the web form fields as you type, then you'll be safe.
Is that really true? I would think a keylogger would capture what you were typing regardless?
Comments
-
soccarplayer29 Member Posts: 230
If that was the conversation then your friend is wrong. There's no way a web form being coded securely would be able to prevent keylogging malware from intercepting keyboard/BIOS interactions. If a website could be coded in such a way there would be lots of people in serious trouble (not talking about insecure plugins being exploited).
Certs: CISSP, CISA, PMP
-
gespenstern Member Posts: 1,243
It definitely would IMO as it captures the keystrokes. It may help against something that captures in-browser data, Dridex style.
Also, there's no point on the web (unless we use client-based certificates in addition to server-based) to encrypt anything on the client side (using JavaScript I'm assuming) as the client is untrusted and can tamper with the client-side code. Some people (LastPass?) I believe still do that, but they do that more to a) provide some assurance to the clients that their passwords get hashed prior to leaving their devices, b) to offload some processing on clients as password hashing is resource intensive.
-
mnashe Member Posts: 136
Thanks. I thought it sounded wrong but don't argue points that I'm not 100% sure about.
gespenstern wrote: »It definitely would IMO as it captures the keystrokes. It may help against something that captures in-browser data, Dridex style.
Is this through some kind of injection?
-
gespenstern Member Posts: 1,243
mnashe wrote: »Is this through some kind of injection?
Yeah, kind of. I'm not a browser expert and haven't researched this part of Dridex myself, but from what I've read they use some tech called "Browser Helper Objects" to capture stuff on the screen and even alter some entered data behind the scenes (to reroute the transfer to their own bank accounts, I assume).