Is data between keyboard and web browser secure from local computer applications?












45















My question is about the text that I type on a keyboard while in a web browser. I understand that if the website has HTTPS the connection from my browser to the website is secure/encrypted, but what about the text that I type on the keyboard on the local computer?



For example, at an internet cafe, if you open a Chrome window and go to a secure site (HTTPS) is the text that you type on the keyboard secure from the keyboard to the browser? Can key logging software on the local computer access the text?



My concern is logging into my email account (or any other private account) on a public computer: can the password that I type be intercepted? If so, is there any way for a user of a public computer to ensure the privacy of their password in this scenario?










migrated from crypto.stackexchange.com Jan 14 at 18:58


This question came from our site for software developers, mathematicians and others interested in cryptography.











  • 3





    If you are too concerned about key logging then open up any Wikipedia page, then copy and paste all the characters you need to log in ... but again, maybe the clipboard is also logged!

    – daygoor
    2 days ago






  • 15





    @daygoor even if the clipboard isn't logged, I'd expect a keylogger on the machine itself to be able to say that you've highlighted and most likely also copied the individual characters. So in a log you might see highlight "h" -> Ctrl+C -> highlight "u" -> Ctrl+C -> highlight "n" -> Ctrl+C -> highlight "t" -> Ctrl+C -> highlight "e" -> Ctrl+C -> highlight "r" -> Ctrl+C -> highlight "2" -> Ctrl+C or something sufficiently similar to this. Even if you right-click -> copy, I'd assume a keylogger would note that.

    – vlaz
    2 days ago






  • 4





    This strongly depends on the operating system being used - specifically how well it isolates individual applications (from each other and from shared components like the keyboard) and how well it helps to apply correct access rights. Still, even if the OS perfectly isolates the applications, there are possible vulnerabilities or misconfigurations allowing unauthorized access.

    – pabouk
    2 days ago








  • 1





    @pabouk that's a lot of variables that you can hardly account for. Sure, you can't even (easily) prove or disprove the existence, sophistication, and mode of operation of a keylogger; however, if untrusted, a foreign machine should be assumed absolutely compromised. This cuts down on the assumptions and possibilities you have to consider when deciding how to handle it. With this setup in mind, copy/pasting characters from a document is not safe in the least, and this misconception should not be perpetuated.

    – vlaz
    2 days ago






  • 1





    @frarugi87 I disagree for this instance. There can be a lot of data harvesting that is totally viable to gather from a public PC. A Facebook password is very likely to be caught which...may have some value, or not. But more importantly, an attacker might be able to gather stuff like payment details. And the attacker need not be the owner of the public computer - it might be anybody who had access to it and decided to use it to harvest data. Public PCs don't tend to have 4096-bit RSA encryption. It might even be infected over the Internet without being specifically targeted.

    – vlaz
    2 days ago
















tls keyloggers






edited 2 days ago









Anders

48.9k22140159




asked Jan 14 at 18:33









Devil07

33224




6 Answers






84














No, your data is not safe from key loggers on a local computer. There isn't much more to say here, to be fair. A key logger will grab and save any key stroke entered. The TLS (HTTPS) encryption happens "after" the keyboard driver "sends" those key strokes to the browser, "through" the key logger.



Even if encryption is being used and there isn't one of the many types of spyware on the computer, the connection between the computer and the site might have a Man in The Middle (MiTM) device in between which tricks your computer into thinking it's using encryption when it's not.



Good question. Yes, on a public kiosk you run the risk of credential harvesting. I cannot think of anything that would bypass keylogging software (a VPN will fix MiTM issues). Beware.






  • 53





    It's worse than that: on any computer that you don't control, the CA certificates used to verify the identities of the servers may have been compromised. So you might not be talking to the web site you think you are - even if you're using HTTPS. Don't trust public computers.

    – z0r
    Jan 14 at 23:44








  • 10





    Multi-factor authentication is the mitigation for that, isn't it?

    – mgarciaisaia
    Jan 15 at 1:01






  • 15





    If you use a 3rd-party computer to log into your e-mail, the ultimate line of defense against someone else logging into your account is using MFA. Even if they key-log your MFA token, it should be useless for them to access your account.

    – mgarciaisaia
    Jan 15 at 1:58






  • 10





    @mgarciaisaia it depends on the nature of the compromise. If it was a simple keylogger, then yes, you might be protected by 2FA (although some of them allow a fallback to less secure settings!). However, if the malware on the public kiosk is a little smarter, it could do a lot of damage. For example, when you click "logout" it might show you a fake screen saying you are logged out, while in reality it did not log you out and is in the background doing stuff in your account, like setting up forwarding of all emails somewhere, changing recovery settings, etc.

    – Matija Nalis
    Jan 15 at 2:46






  • 5





    @nardnob: One word: hardware keylogger (ok, two words).

    – sleske
    2 days ago
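The MFA exchange in the comments above (mgarciaisaia's point that a key-logged MFA token should be useless to the attacker, and Matija Nalis's caveat about smarter malware) can be made concrete. The following is an added example, not code from this thread or any of its authors: a minimal RFC 6238 TOTP generator and a server-side verifier that accepts each time-step counter only once, so a code captured by a keylogger fails on replay and stops matching after its 30-second step. The secret and timestamps are constructed for the demonstration.

```python
"""TOTP (RFC 6238) verification with replay rejection.

Added example for this thread, not code from any of the answers. It shows
why a keylogged one-time code is of limited use to whoever captured it: the
verifier accepts a given time-step counter only once, and the code stops
matching after its 30-second step. Secret and timestamps are constructed.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Client side: the code an authenticator app would show at unix_time."""
    return hotp(secret, unix_time // step)


class TotpVerifier:
    """Server side. Accepts codes from the current step and +/- `window`
    neighbouring steps (clock skew), but never a counter at or below the
    last one accepted: a captured code cannot be replayed."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // STEP_SECONDS
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue                     # already used (or older): reject
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter  # burn this step
                return True
        return False


def demo() -> dict:
    """Legitimate login, then the same code replayed by whoever logged it."""
    secret = b"constructed-demo-secret-not-for-real-use"   # constructed
    t0 = 1_699_999_980          # constructed timestamp on a 30-second step boundary
    verifier = TotpVerifier(secret)
    code = totp(secret, t0)     # what the user typed (and what a keylogger saw)
    return {
        "first_use": verifier.verify(code, t0 + 5),          # accepted
        "replay_same_step": verifier.verify(code, t0 + 10),  # rejected: counter burnt
        "replay_later": verifier.verify(code, t0 + 120),     # rejected: step expired
    }


if __name__ == "__main__":
    print(demo())
```

The replay check is what turns "they saw my code" into "they saw a code that no longer works". It does not cover Matija Nalis's scenario: malware that rides the already-authenticated browser session never needs the code at all, so this is a mitigation for credential capture, not for a compromised endpoint.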



















23














HTTPS can't possibly fully protect your user input on an untrusted computer: The computer could have keylogger software installed. The keyboard could have firmware programmed to keylog you. There could be a hardware device between the computer and the keyboard recording keypresses. There could be screen recording software running. There could be a video camera pointed at the keyboard while you're using it. The computer might be configured to fully trust a network proxy that acts as a man-in-the-middle for all HTTP and HTTPS connections.






  • 6





    …the computer might be running software that looks like a browser with a website to you but doesn't even access any network.

    – Bergi
    2 days ago



















2














As covered in other answers, HTTPS only protects the transmission part of the communication, between your computer (browser) and the remote server. Anything between the user (human) and the browser is vulnerable to attackers.



Even if the path between the keyboard and the browser is secured, a camera (outside the computer) could capture a video of you entering the password - that doesn't even remotely have anything to do with HTTPS.





Actions speak louder than words.



Long ago when I was 15, I wrote a simple key logger that is able to log almost everything. It nevertheless successfully stole a lot of passwords, including those entered into an HTTPS page.



Link: My GitHub repo of the aforementioned key logger program.






  • does the community OK sharing such software here?

    – aaaaaa
    yesterday











  • @aaaaaa I think it's OK. I disclosed my affiliation with the link explicitly in the answer, so this is nothing spammy.

    – iBug
    yesterday



















1














Workaround: to bypass keylogging software, you can draw a keyboard on screen and ask the user to click the keys on that keyboard using a mouse or trackball (that data would be very hard to log). Of course, this could be tiring for the users, so you might want to use this only to type passwords or small texts.






  • 3





    This doesn't answer the question. The user is entering a password into a webpage over which they have no control.

    – Chenmunka
    yesterday











  • @Daniel777 I actually used to have a bank account that had a password and a PIN that was entered by using the mouse to click on the numbers on a drawn number pad. It seemed to be a good way to secure access, but I think people didn't like that so they removed it.

    – Devil07
    yesterday






  • 2





    Not necessarily effective.

    – AndrolGenhald
    yesterday



















0














Everything you type on the keyboard is processed by some software which is part of your operating system. It could be the kernel itself, its modules or drivers. This software decodes your keystrokes and delivers them to the application (the browser in this case).



Many operating systems provide an API to "inject" some third-party software into this process. Of course, a modern OS does not allow everyone to do that: you must have the appropriate rights, or it will not allow you to read keys clicked by another user working on the same machine.



But if someone with sufficient rights installed such software, it may have access to your keys. Even worse: if the OS has a bug, a hacker may "work around" this check and install such software. One example of this is a keylogger: it literally logs all keystrokes.



On a public computer, you can't be sure there is no keylogger installed, because you are not the one who installed this OS and your account does not have admin rights, so you can't even check what is running on this computer.



Use two-phase auth: with it, the server will send you a text message with a code, so you can only access your email if you have access to your mobile phone.



Password-only auth is not safe on public computers.
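The answer above ends on the point that, without admin rights, you cannot even check what is running on the machine. As an added example (not code from the answer or its author), here is a Linux-only Python check that walks /proc and lists processes holding a raw input device (/dev/input/*) open, while also counting the processes whose file-descriptor tables it was not allowed to read. The sample /proc tree built by `build_fake_proc` is constructed so the check runs offline without root; on a real machine an unprivileged run shows the gap the answer describes.

```python
"""Linux check: which processes hold raw input devices open, via /proc.

Added example for this thread, not code from any of the answers. It shows
both what a user-level account can see and what it cannot: without root,
/proc/<pid>/fd of other users' processes is unreadable, so the result is
necessarily incomplete on a public machine.
"""
import os
import tempfile

INPUT_PREFIX = "/dev/input/"  # evdev device nodes, e.g. /dev/input/event0


def _comm(proc_root: str, pid: int) -> str:
    """Process name from /proc/<pid>/comm, or '?' if it cannot be read."""
    try:
        with open(os.path.join(proc_root, str(pid), "comm")) as f:
            return f.read().strip()
    except OSError:
        return "?"


def scan_input_readers(proc_root: str = "/proc") -> dict:
    """Report every (pid, name, device) with an open descriptor on /dev/input/*,
    plus the pids whose fd table the caller was not permitted to read."""
    readers = []
    unreadable = []
    if not os.path.isdir(proc_root):
        return {"readers": readers, "unreadable_pids": unreadable}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip self, sys, meminfo, ...
            continue
        pid = int(entry)
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except PermissionError:          # another user's process, no root
            unreadable.append(pid)
            continue
        except FileNotFoundError:        # process exited during the scan
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith(INPUT_PREFIX):
                readers.append((pid, _comm(proc_root, pid), target))
    readers.sort()
    unreadable.sort()
    return {"readers": readers, "unreadable_pids": unreadable}


def build_fake_proc(root: str) -> None:
    """Constructed sample tree (not a real /proc): pid 4242 holds
    /dev/input/event0 open, pid 4243 holds an ordinary log file, and
    'self' is a non-numeric entry the scan must ignore."""
    for pid, target in ((4242, "/dev/input/event0"), (4243, "/var/log/demo.log")):
        fd_dir = os.path.join(root, str(pid), "fd")
        os.makedirs(fd_dir)
        os.symlink(target, os.path.join(fd_dir, "3"))
        with open(os.path.join(root, str(pid), "comm"), "w") as f:
            f.write("demo-reader\n" if pid == 4242 else "demo-other\n")
    os.makedirs(os.path.join(root, "self"))


def demo() -> dict:
    """Run the scan over the constructed tree (offline, no root needed)."""
    with tempfile.TemporaryDirectory() as root:
        build_fake_proc(root)
        return scan_input_readers(root)


if __name__ == "__main__":
    print(demo())
    live = scan_input_readers()
    print(f"{len(live['readers'])} reader(s) found, "
          f"{len(live['unreadable_pids'])} pid(s) not inspectable")
```

Run as an ordinary user, the live scan typically lists only your own processes and a long `unreadable_pids` list: that blind spot is exactly why the answer concludes a public account cannot vouch for the machine. The check also only sees user-space readers of the device nodes; a kernel-mode hook (the subject of the last answer) or a hardware keylogger leaves no trace here.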






0



Some antimalware solutions have a feature protecting keyboard input with a kernel-mode driver, but don't think it is unbreakable: if malware manages to execute its own code in kernel mode, the AV driver cannot protect the stuff; everything in kernel mode is equally privileged.






    share|improve this answer























      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "162"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      noCode: true, onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f201449%2fis-data-between-keyboard-and-web-browser-secure-from-local-computer-applications%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      6 Answers
      6






      active

      oldest

      votes








      6 Answers
      6






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      84














      No, your data is not safe from key loggers on a local computer. There isn't much more to say here, to be fair. A key logger will grab and save any key stroke entered. The tls (https) encryption happens "after" the driver from keyboard "sends" those key strokes to the browser, "through" the key logger.



      Even if encryption is being used and there isn't one many types of spyware on the computer, the connection between the computer and site might have a Man in The Middle (MiTM) device in between which tricks your computer into thinking it's using encryption when it's not.



      Good question. Yes, on a public kiosk you run the risk of credential harvesting. I can not think of anything that would bypass keylogging software (VPN will fix MiTM issues). Beware.






      share|improve this answer





















      • 53





        It's worse than that: on any computer that you don't control, the CA certificates used to verify the identities of the servers may have been compromised. So you might not be talking to the web site you think you are - even if you're using HTTPS. Don't trust public computers.

        – z0r
        Jan 14 at 23:44








      • 10





        Multi-factor authentication is the mitigation for that, isn't it?

        – mgarciaisaia
        Jan 15 at 1:01






      • 15





        If you use a 3rd-party computer to log into your e-mail, the ultimate line of defense against someone else loging into your account is using MFA. Even if they key-log your MFA token, it should be useless for them to access your account.

        – mgarciaisaia
        Jan 15 at 1:58






      • 10





        @mgarciaisaia it depends on the nature of compromise. If it was simple keylogger, than yes, you might be protected by 2FA (although some of them allow fall back to less secure settings!). However, if the malware on public kiosk is little smarter, it could do a lot of damage. For example, when you click "logout" it might show you fake screen saying you are logged out, while in reality it did not log you out and is in the background doing stuff in your account, like setting up forwarding of all emails somewhere, changing recovery settings etc.

        – Matija Nalis
        Jan 15 at 2:46






      • 5





        @nardnob: One word: hardware keylogger (ok, two words).

        – sleske
        2 days ago
















      84














      No, your data is not safe from key loggers on a local computer. There isn't much more to say here, to be fair. A key logger will grab and save any key stroke entered. The tls (https) encryption happens "after" the driver from keyboard "sends" those key strokes to the browser, "through" the key logger.



      Even if encryption is being used and there isn't one many types of spyware on the computer, the connection between the computer and site might have a Man in The Middle (MiTM) device in between which tricks your computer into thinking it's using encryption when it's not.



      Good question. Yes, on a public kiosk you run the risk of credential harvesting. I can not think of anything that would bypass keylogging software (VPN will fix MiTM issues). Beware.






      share|improve this answer





















edited Jan 14 at 23:50
answered Jan 14 at 19:45
bashCypher

• 53
  It's worse than that: on any computer that you don't control, the CA certificates used to verify the identities of the servers may have been compromised. So you might not be talking to the web site you think you are - even if you're using HTTPS. Don't trust public computers.
  – z0r, Jan 14 at 23:44

• 10
  Multi-factor authentication is the mitigation for that, isn't it?
  – mgarciaisaia, Jan 15 at 1:01

• 15
  If you use a 3rd-party computer to log into your e-mail, the ultimate line of defense against someone else logging into your account is using MFA. Even if they key-log your MFA token, it should be useless for them to access your account.
  – mgarciaisaia, Jan 15 at 1:58

• 10
  @mgarciaisaia it depends on the nature of the compromise. If it was a simple keylogger, then yes, you might be protected by 2FA (although some of them allow falling back to less secure settings!). However, if the malware on the public kiosk is a little smarter, it could do a lot of damage. For example, when you click "logout" it might show you a fake screen saying you are logged out, while in reality it did not log you out and is in the background doing stuff in your account, like setting up forwarding of all emails somewhere, changing recovery settings etc.
  – Matija Nalis, Jan 15 at 2:46

• 5
  @nardnob: One word: hardware keylogger (ok, two words).
  – sleske, 2 days ago

23

HTTPS can't possibly fully protect your user input on an untrusted computer: The computer could have keylogger software installed. The keyboard could have firmware programmed to keylog you. There could be a hardware device between the computer and the keyboard recording keypresses. There could be screen recording software running. There could be a video camera pointed at the keyboard while you're using it. The computer might be configured to fully trust a network proxy that acts as a man-in-the-middle for all HTTP and HTTPS connections.

answered Jan 15 at 0:13
Macil

• 6
  …the computer might be running software that looks like a browser with a website to you but doesn't even access any network.
  – Bergi, 2 days ago

2

As covered in other answers, HTTPS only protects the transmission part of the communication, between your computer (browser) and the remote server. Anything between the user (human) and the browser is vulnerable to attackers.

Even if the path between the keyboard and the browser is secured, a camera (outside the computer) could capture a video of you entering the password - that doesn't even remotely have anything to do with HTTPS.

Actions speak louder than words.

Long ago when I was 15, I wrote a simple key logger that is able to log almost everything. It nevertheless successfully stole a lot of passwords, including those entered into an HTTPS page.

Link: My GitHub repo of the aforementioned key logger program.

edited yesterday
Tom
answered 2 days ago
iBug

• Does the community OK sharing such software here?
  – aaaaaa, yesterday

• @aaaaaa I think it's OK. I disclosed my affiliation with the link explicitly in the answer so this is nothing spammy.
  – iBug, yesterday

1

Workaround: to bypass keylogging software, you can draw a keyboard on screen and ask the user to click the keys on that keyboard using a mouse or trackball (that data would be very hard to log). Of course, this could be tiring for the users, so you might want to use this only to type passwords or small texts.

answered yesterday
Daniel777

• 3
  This doesn't answer the question. The user is entering a password into a webpage over which they have no control.
  – Chenmunka, yesterday

• @Daniel777 I actually used to have a bank account that had a password and a PIN that was entered by using the mouse to click on the numbers on a drawn number pad. It seemed to be a good way to secure access, but I think people didn't like that so they removed it.
  – Devil07, yesterday

• 2
  Not necessarily effective.
  – AndrolGenhald, yesterday

0

Everything you type on the keyboard is processed by some software which is part of your operating system. It could be the kernel itself, its modules or drivers. This software decodes your keystrokes and delivers them to the application (the browser in this case).

Many operating systems provide an API to "inject" some third-party software into this process. Of course, a modern OS does not allow everyone to do that: you must have appropriate rights, or it will not allow you to read keys clicked by another user working on the same machine.

But if someone with sufficient rights installed such software, it may have access to your keys. Even worse: if the OS has a bug, a hacker may "work around" this check and install such software. One example of this is a keylogger: it literally logs all keystrokes.

On a public computer, you can't be sure there is no keylogger installed, because you are not the one who installed this OS and your account does not have admin rights, so you can't even check what is running on this computer.

Use two-phase auth: with it the server will send you a text message with a code, so you can only access your email if you have access to your mobile phone.

Password-only auth is not safe on public computers.

edited yesterday
Tom
answered 2 days ago
user996142
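An added example, not code from the page or from any of the answers' authors, that makes concrete what this answer and bashCypher's answer above describe: on Linux the kernel hands every key press to user space as a `struct input_event` on a /dev/input/event* device node, and any process permitted to read that node gets the plaintext keystroke before the browser ever receives it, let alone encrypts it with TLS. The byte stream decoded below is constructed inside the script (a password typed into a login form, with shift and backspace), the key-code table is a subset of the kernel's input-event-codes.h for a US layout, and `readable_input_devices` is only an os.access check on the device nodes; the function names and helpers are this example's own.

```python
"""
Added example (not from the page or any answer's author): how a keylogger at the
operating-system layer sees keystrokes in the clear, before the browser applies TLS.

On Linux the kernel delivers every key press as a fixed-size `struct input_event`
on a /dev/input/event* character device. Any process allowed to open that device
(root, or on many distributions a member of the `input` group) receives every
keystroke of every application, whether the page is HTTPS or not. The byte stream
below is constructed in-script so the decoder runs offline.
"""
import os
import struct
from typing import Iterator, List, Tuple

# struct input_event on 64-bit Linux: struct timeval (tv_sec, tv_usec as int64),
# then __u16 type, __u16 code, __s32 value; 24 bytes, little-endian on x86-64.
INPUT_EVENT = struct.Struct("<qqHHi")
EV_SYN, EV_KEY = 0x00, 0x01
KEY_RELEASE, KEY_PRESS, KEY_REPEAT = 0, 1, 2
KEY_BACKSPACE, KEY_LEFTSHIFT, KEY_RIGHTSHIFT = 14, 42, 54

# Subset of linux/input-event-codes.h (US layout); enough for the constructed sample.
KEY_NAMES = {
    2: "1", 3: "2", 4: "3", 5: "4", 6: "5", 7: "6", 8: "7", 9: "8", 10: "9", 11: "0",
    16: "q", 17: "w", 18: "e", 19: "r", 20: "t", 21: "y", 22: "u", 23: "i", 24: "o",
    25: "p", 28: "\n", 30: "a", 31: "s", 32: "d", 33: "f", 34: "g", 35: "h", 36: "j",
    37: "k", 38: "l", 44: "z", 45: "x", 46: "c", 47: "v", 48: "b", 49: "n", 50: "m",
    57: " ",
}


def parse_events(raw: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (type, code, value) for each complete input_event; a trailing partial record is dropped."""
    for off in range(0, len(raw) - INPUT_EVENT.size + 1, INPUT_EVENT.size):
        _sec, _usec, ev_type, code, value = INPUT_EVENT.unpack_from(raw, off)
        yield ev_type, code, value


def keystrokes_to_text(raw: bytes) -> str:
    """Reconstruct what was typed from a raw evdev stream, the way a keylogger would.

    No TLS, browser, or even display server is involved at this layer: the bytes are
    identical whether the key went into a password field on an HTTPS page or a text editor.
    """
    shifted = False
    typed: List[str] = []
    for ev_type, code, value in parse_events(raw):
        if ev_type != EV_KEY:
            continue                      # EV_SYN/EV_MSC framing carries no key
        if code in (KEY_LEFTSHIFT, KEY_RIGHTSHIFT):
            shifted = value != KEY_RELEASE
            continue
        if value == KEY_RELEASE:
            continue                      # releases add nothing; autorepeat (2) does
        if code == KEY_BACKSPACE:
            if typed:
                typed.pop()               # follow corrections, as a real logger must
            continue
        name = KEY_NAMES.get(code, f"<{code}>")
        typed.append(name.upper() if shifted else name)
    return "".join(typed)


def make_event(ev_type: int, code: int, value: int) -> bytes:
    """Pack one input_event with a zeroed timestamp (constructed test data, not a capture)."""
    return INPUT_EVENT.pack(0, 0, ev_type, code, value)


def type_string(text: str) -> bytes:
    """Constructed stream: press, SYN_REPORT, release per character, with shift for capitals."""
    code_for = {name: code for code, name in KEY_NAMES.items()}
    chunks: List[bytes] = []
    for ch in text:
        code = code_for[ch.lower()]
        if ch.isupper():
            chunks.append(make_event(EV_KEY, KEY_LEFTSHIFT, KEY_PRESS))
        chunks.append(make_event(EV_KEY, code, KEY_PRESS))
        chunks.append(make_event(EV_SYN, 0, 0))   # SYN_REPORT closes the frame
        chunks.append(make_event(EV_KEY, code, KEY_RELEASE))
        if ch.isupper():
            chunks.append(make_event(EV_KEY, KEY_LEFTSHIFT, KEY_RELEASE))
    return b"".join(chunks)


def readable_input_devices(dev_dir: str = "/dev/input") -> List[str]:
    """Raw input devices the current user can open for reading ([] if none, or not Linux).

    On a machine you administer, anything but [] for an unprivileged account means every
    process running as that account could log all keystrokes on the box.
    """
    if not os.path.isdir(dev_dir):
        return []
    return sorted(
        os.path.join(dev_dir, name)
        for name in os.listdir(dev_dir)
        if name.startswith("event") and os.access(os.path.join(dev_dir, name), os.R_OK)
    )


if __name__ == "__main__":
    # Constructed sample: a password typed into an HTTPS login form, seen at the evdev layer.
    stream = type_string("Hunter2\n")
    print(repr(keystrokes_to_text(stream)))
    print(readable_input_devices() or "no raw input devices readable by this user")
```

On a kiosk where you have no admin rights you cannot run a check like this at all, which is the answer's point; it is useful on machines you do administer, where `readable_input_devices()` returning anything for an unprivileged account is a finding to fix before anyone types a password there.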




0

Some antimalware solutions have a feature protecting keyboard input with a kernel-mode driver, but don't think it is unbreakable: if malware manages to execute its own code in kernel mode, the AV driver cannot protect the stuff; everything in kernel mode is equally privileged.

answered yesterday by KOLANICH
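The answer above draws a privilege boundary: a user-space check can see user-space readers of the keyboard, but anything running in kernel mode sits at the same level as the antivirus driver and is invisible to it. The following Linux audit script is an added example (not code from the answer or from any antimalware product) that makes that boundary concrete: it walks `/proc/<pid>/fd`, resolves each descriptor, and reports which processes currently hold `/dev/input/event*` or mouse devices open. The device-path regex and the sample fd table in the usage are assumptions constructed for illustration; the script only enumerates user-space readers and says nothing about kernel-mode code, which is exactly the caveat the answer makes.

```python
"""Audit which user-space processes hold input devices open (Linux).

Added illustration, not part of the original answer. A user-space audit
like this can enumerate user-space readers of /dev/input/event*, but
code running in kernel mode (legitimate AV driver or malicious driver
alike) does not show up in /proc/<pid>/fd at all.
"""
import os
import re
from typing import Dict, Iterable, List

# Device paths that carry keyboard/mouse events on a typical Linux box
# (assumed set; evdev nodes plus the legacy mouse nodes).
INPUT_DEVICE_RE = re.compile(r"^/dev/input/(event\d+|mice|mouse\d+)$")


def find_input_readers(fd_table: Dict[int, Iterable[str]]) -> Dict[int, List[str]]:
    """Given {pid: [resolved fd link targets]}, return {pid: [input devices]}
    for every process that has at least one input device open.
    Pure function so it can be exercised on constructed data."""
    hits: Dict[int, List[str]] = {}
    for pid, targets in fd_table.items():
        devices = sorted({t for t in targets if INPUT_DEVICE_RE.match(t)})
        if devices:
            hits[pid] = devices
    return hits


def read_proc_fd_table(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Walk <proc_root>/<pid>/fd and resolve each descriptor symlink.
    Reading other users' fd tables needs root; processes we cannot
    inspect are skipped rather than silently reported as clean."""
    table: Dict[int, List[str]] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except (PermissionError, FileNotFoundError):
            continue
        targets: List[str] = []
        for fd in fds:
            try:
                targets.append(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:
                continue  # descriptor closed between listdir and readlink
        table[int(entry)] = targets
    return table


def process_name(pid: int, proc_root: str = "/proc") -> str:
    """Short command name from /proc/<pid>/comm, or '?' if unreadable."""
    try:
        with open(os.path.join(proc_root, str(pid, ) if False else str(pid), "comm")) as f:
            return f.read().strip()
    except OSError:
        return "?"


if __name__ == "__main__":
    # Live run: list user-space readers of input devices on this host.
    for pid, devs in sorted(find_input_readers(read_proc_fd_table()).items()):
        print(f"pid {pid} ({process_name(pid)}) holds {', '.join(devs)}")
    print("Kernel-mode consumers of keyboard input are not visible to this check.")

    # Constructed sample fd table, to show the pure function offline.
    sample = {
        1: ["/dev/null", "socket:[1234]"],
        742: ["/dev/input/event3", "/dev/input/event3", "pipe:[99]"],
        900: ["/dev/input/mice"],
    }
    print(find_input_readers(sample))  # {742: ['/dev/input/event3'], 900: ['/dev/input/mice']}
```

Run it as root to see every process; as an unprivileged user it only reports your own processes, and the `PermissionError` branch is where the gaps come from. Whatever it prints, an empty result rules out only user-space readers, which is the point the answer makes about kernel-mode code.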