Re: Security - ciphers - autentification

From: Sickboy (zikat_private)
Date: Sun Apr 28 2002 - 04:17:49 PDT

  • Next message: Lada 'Ray' Lostak: "Re: Security - ciphers - autentification"

    Lada 'Ray' Lostak wrote:
    > 
    > I need to protect an HTML thin client of a business system. It needs to be
    > accessed from untrustworthy terminals - such as hotels, customers, etc.
    > Because of this, I need something that doesn't store ANYTHING on the terminal
    > or require INSTALLATION. We have to assume that the keyboard is logged and the
    > connection sniffed. The result of authentication (I hope I spelled it well :o)
    > is enabling access to the business system (separate domain).
    
    You say you need a secure auth and communication method on totally untrustworthy
    clients. Now is that possible? If they could log keypresses, they would be able
    to fake them as well, and have your business app do whatever they want in
    the name of the logged-in user, once auth is passed.
    
    Using an authentication method involving some hw (the calculator you mentioned) on
    the user's part (with all the inconvenience..) you might prevent an attacker
    from stealing auth info, but compromised terminals are still a threat to already
    logged-in users.
    
    It's like connection hijacking (the attacker does not need auth info) but instead
    of the network layer, it happens somewhere between the keyboard and the browser.
    (Or inside the browser, or whatever the compromised terminals might come up with..)
    
    
    .SiCk of IT.
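    The point made above, as an added example that is not part of the original
    post or thread: a toy model in which the hardware "calculator" is assumed to be
    an HMAC-based counter token (the poster does not say what it is), the business
    system issues a session cookie after a successful one-time password, and the
    terminal is compromised. The captured OTP is useless for a later login, because
    the server's counter has moved on, but the session the user has already opened
    can be driven from the terminal without any secret at all. All names, the
    fixed secret and the actions are constructed for the example.

    ```python
    import hashlib
    import hmac
    import secrets

    # Constructed for the example: a fixed token secret shared between alice's
    # hardware token and the server. The terminal never sees it.
    SECRET = bytes.fromhex("0f" * 32)


    def hotp(secret: bytes, counter: int) -> str:
        """Counter-based one-time password: HMAC-SHA256(secret, counter), 6 digits."""
        mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


    class Token:
        """The user's hardware 'calculator': holds the secret, shows the next OTP."""

        def __init__(self, secret: bytes):
            self.secret = secret
            self.counter = 0

        def next_otp(self) -> str:
            otp = hotp(self.secret, self.counter)
            self.counter += 1
            return otp


    class BusinessServer:
        """Server side: checks OTPs within a counter window, then issues a session cookie."""

        def __init__(self, users: dict):
            self.users = {name: {"secret": s, "counter": 0} for name, s in users.items()}
            self.sessions = {}   # cookie -> username
            self.journal = []    # (user, action) pairs the business app actually executed

        def login(self, user: str, otp: str, window: int = 5):
            rec = self.users[user]
            for c in range(rec["counter"], rec["counter"] + window):
                if hmac.compare_digest(hotp(rec["secret"], c), otp):
                    rec["counter"] = c + 1            # accepted OTP can never be used again
                    cookie = secrets.token_hex(16)
                    self.sessions[cookie] = user
                    return cookie
            return None

        def request(self, cookie: str, action: str) -> bool:
            """Any request carrying a live cookie is executed as that user."""
            user = self.sessions.get(cookie)
            if user is None:
                return False
            self.journal.append((user, action))
            return True


    def scenario() -> dict:
        server = BusinessServer({"alice": SECRET})
        token = Token(SECRET)

        # The compromised terminal records every keypress and every cookie the
        # browser is given (constructed attacker state).
        keylog, cookie_jar = [], []

        otp = token.next_otp()
        keylog.append(otp)
        cookie = server.login("alice", otp)
        cookie_jar.append(cookie)
        server.request(cookie, "view balance")          # alice's own action

        # 1. Stolen auth info: replaying the logged OTP fails, the counter moved on.
        replay_login = server.login("alice", keylog[-1])

        # 2. Hijack between keyboard and browser: the live session is reused without
        #    knowing the secret or any OTP.
        injected = server.request(cookie_jar[-1], "transfer 10000 to attacker")

        return {
            "replay_login": replay_login,     # None
            "injected_request": injected,     # True
            "journal": list(server.journal),
        }


    if __name__ == "__main__":
        print(scenario())
    ```

    The OTP window and the HMAC construction are illustrative choices; the only
    property the example relies on is that an accepted counter value is burned,
    so the hardware token does protect the login, while nothing in the protocol
    ties an individual request to the token once the session exists.
    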
    



    This archive was generated by hypermail 2b30 : Mon Apr 29 2002 - 14:16:45 PDT