Is data between keyboard and web browser secure from local computer applications?












14















My question is about the text that I type on a keyboard while in a web browser. I understand that if the website has HTTPS the connection from my browser to the website is secure/encrypted, but what about the text that I type on the keyboard on the local computer?



For example, at an internet cafe, if you open a Chrome window and go to a secure site (HTTPS) is the text that you type on the keyboard secure from the keyboard to the browser? Can key logging software on the local computer access the text?



My concern is logging into my email account (or any other private account) on a public computer, can the password that I type be intercepted? If so, is there any way for a user of a public computer to ensure the privacy of their password in this scenario?










migrated from crypto.stackexchange.com 13 hours ago


This question came from our site for software developers, mathematicians and others interested in cryptography.
















  • If you are too concerned about key logging then open up any Wikipedia page, then copy and paste all characters you need to login ... but again maybe the clipboard is also logged!

    – daygoor
    27 mins ago
















tls keyloggers






edited 1 hour ago









Anders











asked 14 hours ago







Devil07











2 Answers
    19







    No, your data is not safe from key loggers on a local computer. There isn't much more to say here, to be fair. A key logger will grab and save any keystroke entered. The TLS (HTTPS) encryption happens "after" the driver from the keyboard "sends" those keystrokes to the browser, "through" the key logger.

    Even if encryption is being used and there isn't one of the many types of spyware on the computer, the connection between the computer and the site might have a Man in the Middle (MiTM) device in between which tricks your computer into thinking it's using encryption when it's not.

    Good question. Yes, on a public kiosk you run the risk of credential harvesting. I cannot think of anything that would bypass keylogging software (VPN will fix MiTM issues). Beware.






    edited 8 hours ago

























    answered 12 hours ago









    bashCypher








    • 5





      It's worse than that: on any computer that you don't control, the CA certificates used to verify the identities of the servers may have been compromised. So you might not be talking to the web site you think you are - even if you're using HTTPS. Don't trust public computers.

      – z0r
      8 hours ago








    • 1





      @z0r MITM using TLS stripping is a concern across the entire world. Always be careful in public, right? MITM is a little different than you're describing, but your point is valid and I didn't discuss the "interception" part. I'll update.

      – bashCypher
      8 hours ago








    • 3





      If you use a 3rd-party computer to log into your e-mail, the ultimate line of defense against someone else logging into your account is using MFA. Even if they key-log your MFA token, it should be useless for them to access your account.

      – mgarciaisaia
      6 hours ago






    • 1





      @mgarciaisaia it depends on the nature of compromise. If it was a simple keylogger, then yes, you might be protected by 2FA (although some of them allow fall back to less secure settings!). However, if the malware on the public kiosk is a little smarter, it could do a lot of damage. For example, when you click "logout" it might show you a fake screen saying you are logged out, while in reality it did not log you out and is in the background doing stuff in your account, like setting up forwarding of all emails somewhere, changing recovery settings etc.

      – Matija Nalis
      5 hours ago






    • 1





      @bashCypher TLS stripping is only a tangent (and prevented on many major sites with HSTS). The real issue with using someone else's browser is that they can have it configured to accept their own custom Certificate Authority, issuing its own certs for seamless TLS MITM.

      – Will
      2 hours ago














        5







        HTTPS can't possibly fully protect your user input on an untrusted computer: The computer could have keylogger software installed. The keyboard could have firmware programmed to keylog you. There could be a hardware device between the computer and the keyboard recording keypresses. There could be screen recording software running. There could be a video camera pointed at the keyboard while you're using it. The computer might be configured to fully trust a network proxy that acts as a man-in-the-middle for all HTTP and HTTPS connections.






        answered 8 hours ago









        Macil





























