| 1 |
>> >> > However, this won't do away with XSS, or other similar attack vectors |
| 2 |
>> >> > if |
| 3 |
>> >> > the users are not careful with their browsing habits. |
| 4 |
>> >> |
| 5 |
>> >> Can you give me an example? |
| 6 |
>> > |
| 7 |
>> > If your coder has another website page open in his/her browser which |
| 8 |
>> > contains for example XSS or CSRF code, then the webpage of your company's |
| 9 |
>> > web app could be potentially compromised by your user inadvertently |
| 10 |
>> > executing state changing commands on it. By providing a XSS payload the |
| 11 |
>> > attacker could execute commands to change username/passwd, change email |
| 12 |
>> > address, etc. This is one reason that Internet Banking providers always |
| 13 |
>> > advise their users to log out and then exit their browser when they have |
| 14 |
>> > finished their online banking. |
| 15 |
> |
| 16 |
>> The other obvious attack would be simply stealing your session cookies |
| 17 |
>> or SSL client certificate+key out of the browser's RAM, or off of |
| 18 |
>> disk. |
| 19 |
> |
| 20 |
> Yes, session hi/sidejacking is possible, as well as obtaining sensitive |
| 21 |
> information that the browser has happened to cache. High value information |
| 22 |
> like credit card details should have a no-cache, no-store, Expires:0, but I |
| 23 |
> bet there are some websites out there which do not guard against this threat. |
| 24 |
> I would have thought SSL certificates/keys would be protected in RAM, but if |
| 25 |
> you have a Man-In-The-Browser attack I guess they wouldn't be. |
| 26 |
> |
| 27 |
> If you are using a VPN connection as a split-tunnel then although your |
| 28 |
> connection to the LAN would be secure, browser credentials could still be |
| 29 |
> stolen by browser sessions connecting to suspect websites outside the tunnel. |
| 30 |
> It has to be a full VPN tunnel with forwarding Internet access blocked at the |
| 31 |
> VPN gateway, for clients to mitigate this threat. |
| 32 |
|
| 33 |
|
| 34 |
So the user is safe if I send all internet requests from her remote |
| 35 |
laptop through the Zerotier connection (instead of only sending |
| 36 |
requests to my server through Zerotier)? |
| 37 |
|
| 38 |
- Grant |
Archives