Securing Web Forms

If you visit a secure site (https), the data that is transmitted between the client and server is encrypted, so confidentiality is kept.

I was talking to someone earlier today and they said "yeah it's only protected between Point A and Point B, but as you're typing on the web form, that is clear text and puts you at risk. Meaning, you type a social security number in a web form field, if you have a keylogger on that machine, your info can be compromised. He then said, however, if the website is coded properly and is encrypting the web form fields as you type, then you'll be safe.

Is that really true? I would think a keylogger would be capture what you were typing regardless?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

soccarplayer29

If that was the conversation then your friend is wrong. There's no way a web-form being coded securely would be able to prevent keylogging malware from intercepting keyboard/bios interactions. If a website could be coded in such a way there would be lots of people in serious trouble (not talking about insecure plugins being exploited).

gespenstern

It definitely would IMO as it captures the keystrokes. It may help against something that captures in-browser data, Dridex style.

Also, there's no point on the web (unless we use client-based certificates in addition to server-based) to encrypt anything on the client side (using JavaScript I'm assuming) as the client is untrusted and can tamper with the client-side code. Some people (lastpass?) I believe still do that, but they do that more to a) provide some assurance to the clients that their passwords get hashed prior to leaving their devices b) to offload some processing on clients as password hashing is resource intensive.

mnashe

Thanks. I thought it sounded wrong but don't argue points that I'm not 100% sure about

gespenstern wrote: »

It definitely would IMO as it captures the keystrokes. It may help against something that captures in-browser data, Dridex style

Is this through some kind of injection?

gespenstern

mnashe wrote: »

Is this through some kind of injection?

Yeah, kind of. I'm not a browser expert and haven't researched this part of Dridex myself, but from what I've read they use some tech called "Browser Helper Objects" to capture stuff on the screen and even alter some entered data behind the scenes (to reroute the transfer to their own bank accounts I assume).

mnashe

wow, interesting. Thanks for the info