Password Security

Discussion in 'privacy technology' started by JConLine, Feb 15, 2011.

Thread Status:
Not open for further replies.
  1. JConLine

    JConLine Registered Member

    Joined:
    Apr 16, 2009
    Posts:
    107
    I have been reading, with interest, the discussion on Tor. But most of the posters agree that private data should not be entered into web forms due to the insecurity of the exit node. So my question is what is the best way to enter login data into a web form, say PayPal?

    I currently use LInux with a LInux VM and Tor with the Tor Button, but this is for browsing only. If entering login data I use a separate browser, Linux, and KeePass; I drag 'n' drop any login data. Is there a better way to handle login data?

    I don't use online banking but I have a good friend who does and she currently uses XP, IE, and enters her login data by keyboard with each login. Would a LInux VM, used only for Banking, be more secure than what she is now doing? How would you advise her?

    Thanks,

    Jim
     
    Last edited: Feb 15, 2011
  2. katio

    katio Guest

    There's no point in using a proxy if Paypal already has your credit card...
    If you know how a valid EV cert looks like (more details + screenshot for PayPal http://en.wikipedia.org/wiki/Extended_validation ;)) Tor exit nodes, other proxies or insecure wifi don't pose an additional risk.

    About dragging and dropping passwords: This only helps against a limited set of simple local malware. Modern bank trojans and Man or "Boy in the Browser" attacks will not be thwarted. Of course those are largely targeted at Windows and browsers running under a Windows OS. A VM running within an infected system only offers limited protection. Keyloggers, screencaptures etc will obviously still work. However, in such environment copy and pasting passwords instead of typing them does make a difference.

    I'd advise her to use a live cd for online banking. It's easier and more secure but she needs to reboot her computer.
     
  3. JConLine

    JConLine Registered Member

    Joined:
    Apr 16, 2009
    Posts:
    107
    If I may ask, what would be your login strategy for PayPal?

    Jim
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  5. katio

    katio Guest

    Reboot into the live environment, open the browser, enter paypal.com manually, check the certificate, find that sticky note with the password I can impossibly remember, enter my credentials, make the transaction, log out and immediately reboot again.

    One thing to keep in mind is that live cds aren't updated that often. A few months after their release they will have serious vulnerabilities in the OS and browser!
    That means you should never visit untrusted sites with it. However not being Windows reduces the risk dramatically.
    Theoretically there's the risk that someone makes a MITM, installs a keylogger and then redirects you to the real site. Being on a trusted network renders this not only improbable but pretty much impossible. It could only really work in a very targeted scenario.

    The most secure option would be to keep a separate physical system where you install Linux (hardened with Apparmor/SELinux and whatever you fancy) which you keep updated and which you only use for online banking.

    I don't want to alienate you. If you know a bit about security and have it configured securely the chances that your primary OS are infected are already minuscule. Finally let's not forget what the actual risk is we are dealing with: In most cases of online fraud you aren't liable.
     
  6. JConLine

    JConLine Registered Member

    Joined:
    Apr 16, 2009
    Posts:
    107
    Thanks for the information.

    It's not so much the monetary loss but the compromise of personal id info with the possibility of identity theft; then the ongoing problems that result.

    I'm going to pass your advice on to my online banking friend.

    Jim
     
  7. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    I think it's also worth to mention that in latest IE9 RC browser MS takes care about mixed content on the websites:
    http://ie.microsoft.com/testdrive/Browser/MixedContent/Default.html
     
  8. katio

    katio Guest

    Attached Files:

    • 1.PNG
      1.PNG
      File size:
      11.7 KB
      Views:
      278
    • 2.PNG
      2.PNG
      File size:
      193.6 KB
      Views:
      5
    • 3.PNG
      3.PNG
      File size:
      183.9 KB
      Views:
      4
    • 5.jpg
      5.jpg
      File size:
      252.1 KB
      Views:
      5
  9. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    Interesting since I don't see any "security warning" pop-up like in your case from my Firefox (3.6.13).
    Below is a screen from IE9 after enter login/pass:
     

    Attached Files:

  10. katio

    katio Guest

    This only pops up the first time you encounter such a site unless you tick that checkbox. However, on a Live CD every reboot is like a fresh install so you'd see that warning ;)

    I know IE9 doesn't show it but I honestly have no idea why the site serves you the script over https too and then tells you there's mixed content on the site. It must be a bug or else that would be some sneaky cheating just to make their competition look bad.
    But based on the track record MS has in the browser space I'm drawn to conclude the worst :mad:

    Actually the problem isn't the image but the javascript file:
    http://ie.microsoft.com/testdrive/browser/mixedcontent/assets/HttpScriptOnAnHttpsPageIsEvil.js the problem is:
    https://ie.microsoft.com/testdrive/browser/mixedcontent/assets/HttpScriptOnAnHttpsPageIsEvil.js works too, it's trusted because it's signed/certified.
    The script reverences to the image file over http so a browser will complain about that too
    however the image itself as I've shown is reachable over https too
    and forced https will try to fetch it over https, else it fails, if it's https you are secure...

    https can't protect you against a "compromised" webserver...

    That's security 101, and they can't even get it right on a demo website
    FAIL
     
    Last edited by a moderator: Feb 16, 2011
  11. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    They shouldn't have put the image on the https site, but I guess that's because the https and http contents are on the same server, I'd say it was unintentional, they just didn't think about "forced https".

     
  12. katio

    katio Guest

    Though I wonder what would happen if for example an EV certified site (or any for that matter) embedded content from another https domain?
    I'd expect it to get flagged the same (i.e. not show the padlock/company name) but it would be nice to verify that. I'd just need a valid cert for that...
     
Loading...
Thread Status:
Not open for further replies.