The problem is that if the browser is compromised, you can't stop it.
They'll have access to everything: the session, the user's password,
etc. At that point, anything you try to do to harden your application
would have to be done in JavaScript, and the attacker will have
complete access to that JavaScript. It might slow them down, but it's
nothing more than security by obscurity. SSL by itself stops all of
the usual attack vectors (man-in-the-middle, replay, etc.), but there
is simply nothing you can do if the browser is compromised. Zip. Zero.
It's the user's responsibility, not yours. By transmitting all
sensitive information over SSL and not sending the user anything you
don't want them to have access to, you're already doing everything you
can.

On Oct 13, 11:27 am, JuDaC <[email protected]> wrote:
> Sure Jeff, any web page can suffer this attack.
>
> For a keylogger there is a simple way to prevent the attack, and so too
> for a screenlogger.
>
> But for a "man in the middle" attack? Is there any way to prevent it
> without doing something on the client side?
>
> I was thinking of creating some info that is sensitive to the browser
> frame where the page is running, so this info is sent together with the
> request; this info is unique per request and is sensitive to information
> in the request. This, along with the obfuscation provided by GWT, can
> offer a little more security to the server to identify that the request
> is from a real client and not from phishing.
>
> But so far I cannot think of something more reliable.
>
> Falcon, you are right. I can't prevent the user from seeing the
> information, but what I want is to prevent someone from hijacking the
> session (by racking the user) and repeatedly sending the same package to
> the server, or worse, changing some information in the package.
>
> Can you imagine the problem that it can cause on a bank website?
>
> In this situation, it is really important to ensure that the requests
> that reach the server were made by a real user. Even that plugin that
> some banks ask you to install can't protect you from this attack I
> mentioned.

-- 
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/google-web-toolkit?hl=en.
