On Saturday 23 Jan 2016 09:55:35 Rich Freeman wrote:
> On Sat, Jan 23, 2016 at 8:25 AM, Mick <michaelkintz...@gmail.com> wrote:
> > On Tuesday 19 Jan 2016 15:59:25 Grant wrote:
> >> > If a user certificate is lost or feared compromised, you revoke it with
> >> > your CA and upload the CRL to the server.
> >> > 
> >> > However, this won't do away with XSS, or other similar attack vectors if
> >> > the users are not careful with their browsing habits.
> >> 
> >> Can you give me an example?
> > 
> > If your coder has another website page open in his/her browser which
> > contains for example XSS or CSRF code, then the webpage of your company's
> > web app could be potentially compromised by your user inadvertently
> > executing state changing commands on it.  By providing an XSS payload the
> > attacker could execute commands to change username/passwd, change email
> > address, etc.  This is one reason that Internet Banking providers always
> > advise their users to log out and then exit their browser when they have
> > finished their online banking.

> The other obvious attack would be simply stealing your session cookies
> or SSL client certificate+key out of the browser's RAM, or off of
> disk.

Yes, session hijacking/sidejacking is possible, as well as obtaining sensitive 
information that the browser has happened to cache.  High value information 
like credit card details should be sent with no-cache, no-store, Expires: 0 
headers, but I bet there are some websites out there which do not guard against 
this threat.  I would have thought SSL certificates/keys would be protected in 
RAM, but if you have a Man-In-The-Browser attack I guess they wouldn't be.

If you are using a VPN connection as a split-tunnel then although your 
connection to the LAN would be secure, browser credentials could still be 
stolen by browser sessions connecting to suspect websites outside the tunnel.  
It has to be a full VPN tunnel with forwarding Internet access blocked at the 
VPN gateway, for clients to mitigate this threat.
-- 
Regards,
Mick
