46

My question is about the text that I type on a keyboard while in a web browser. I understand that if the website has HTTPS the connection from my browser to the website is secure/encrypted, but what about the text that I type on the keyboard on the local computer?

For example, at an internet cafe, if you open a Chrome window and go to a secure site (HTTPS) is the text that you type on the keyboard secure from the keyboard to the browser? Can key logging software on the local computer access the text?

My concern is logging into my email account (or any other private account) on a public computer, can the password that I type be intercepted? If so, is there any way for a user of a public computer to ensure the privacy of their password in this scenario?

Devil07
  • 3
    If you are too concerned about key logging then open up any Wikipedia page, then copy and paste all characters you need to login ... but again maybe the clipboard is also logged! – daygoor Jan 15 '19 at 08:12
  • 15
    @daygoor even if the *clipboard* isn't logged, I'd expect a keylogger on the machine itself to be able to say that you've highlighted and most likely also copied the individual characters. So in a log you might see `highlight "h"` -> `Ctrl+C` -> `highlight "u"` -> `Ctrl+C` -> `highlight "n"` -> `Ctrl+C` -> `highlight "t"` -> `Ctrl+C` -> `highlight "e"` -> `Ctrl+C` -> `highlight "r"` -> `Ctrl+C` -> `highlight "2"` -> `Ctrl+C` or something sufficiently similar to this. Even if you right-click -> copy, I'd assume a keylogger would note that. – VLAZ Jan 15 '19 at 09:14
  • 4
    This strongly depends on the operating system being used - specifically how well it isolates individual applications (from each other and the shared components like keyboard) and how well it helps to apply correct access rights. --- Still even if the OS perfectly isolates the applications there are possible vulnerabilities or misconfigurations allowing unauthorized access. – pabouk - Ukraine stay strong Jan 15 '19 at 10:18
  • 1
    @pabouk that's a lot of variables that you can hardly account for. Sure, you can't even prove or disprove (easily) the existence, sophistication, and mode of operation of a keylogger; however, if untrusted, a foreign machine should be assumed absolutely compromised. This cuts down on the assumptions and possibilities you have to consider when deciding how to handle it. With this setup in mind, copy/pasting characters from a document is not safe in the least and this misconception should not be perpetuated. – VLAZ Jan 15 '19 at 12:09
  • Well, [this xkcd](https://xkcd.com/538/) is particularly suited for this case I think... – frarugi87 Jan 15 '19 at 13:00
  • 1
    @frarugi87 I disagree for this instance. There can be a lot of data harvesting that is totally viable to gather from a public PC. A Facebook password is very likely to be caught which...may have some value, or not. But more importantly, an attacker might be able to gather stuff like payment details. And the attacker need not be the owner of the public computer - it might be *anybody* who had access to it and decided to use it to harvest data. Public PCs don't tend to have a 4096 bit RSA encryption. It might even be infected over the Internet without it being specifically targeted. – VLAZ Jan 15 '19 at 13:09
  • @vlaz Yes, I was a bit quick in the comment, and so skipped a lot of details on "why" I thought it was fit for this. My comment was about the "escalation" of measures listed here, from a basic keylogger which captures the keys you write to one that tracks down all your activity and correlates it to extract the password you entered as a mixture of copy-paste, mouse movements and direct typing. This is technically possible, just like trying to hack the PC in the xkcd comic, but in my personal opinion nobody would waste time to gather just a couple of passwords more (for the "Nigerian's [...] – frarugi87 Jan 15 '19 at 14:17
  • [...] prince scam's same reasons). In any case, in my opinion the complexity of a keylogger in a public pc is not relevant. I consider any data I exchange on a public terminal as public, and so any time I want to access a service I don't want to be compromised I use only private terminals on private networks – frarugi87 Jan 15 '19 at 14:21
  • @frarugi87 is that a sophisticated keylogger? I admit, I've only played around with one that I installed on my machine to see what it did. It was my first and last and it logged that kind of information, including which window you've clicked in when pressing any key and even the actual field or button you're interacting with. So, you'd know if you switched between Firefox tab with Wikipedia and then typing in the password field of a banking app. It could send that information through email or just dump it. That was 15 years ago - I doubt keyloggers have gotten less sophisticated since then. – VLAZ Jan 15 '19 at 14:36
  • @vlaz what if my pw is ´ertn2hu´ not ´hunter2´? :) – Džuris Jan 15 '19 at 18:25
  • no, not unless you have a AVP that detects the common signatures of ways to capture keyboard input. End of question – MichaelEvanchik Jan 15 '19 at 20:01
  • Note that your browser is a local computer application. – user253751 Jan 16 '19 at 10:15
  • My take-away is that MFA can protect my personal accounts, but there is nothing I can do on a public untrusted computer to ensure that my username/password isn't captured. Additionally, all of the information displayed in the HTTPS browser window on the untrusted computer can also be captured/recorded by the local computer. – Devil07 Jan 16 '19 at 15:19
  • If you are concerned about security, don't use an internet cafe. Your best bet is to get a wireless plan and use it. Everything electronic generates electromagnetic radiation. There are folks around with the right equipment that can detect the electric signals from pressing different keys. You have to determine how valuable is your data and protect for what it is worth. – historystamp Jan 16 '19 at 19:19
  • @Devil07 : Always remember: if you're on an untrusted device, you can't even trust that the software you think you're using is actually the software you're using. How can you guarantee that when you open "chrome" you aren't actually opening my modified binary of Chrome that doesn't do any certificate checking and running a MITM attack on every client? Short answer is that you can't, because everything on the device could be compromised. – Delioth Jan 16 '19 at 21:37
  • Best summary of all of this - The two most important layers of security are who has physical access to the device, and who has administrative access to the device. If the answer to either of those includes someone you don't trust, you can consider all use of the device potentially compromised. – Iron Gremlin Jan 17 '19 at 01:40

6 Answers

86

No, your data is not safe from key loggers on a local computer. There isn't much more to say here, to be fair. A key logger will grab and save any key stroke entered. The TLS (HTTPS) encryption happens "after" the driver from the keyboard "sends" those key strokes to the browser, "through" the key logger.

Even if encryption is being used and there isn't one of the many types of spyware on the computer, the connection between the computer and site might have a Man in The Middle (MiTM) device in between which tricks your computer into thinking it's using encryption when it's not.

Good question. Yes, on a public kiosk you run the risk of credential harvesting. I can not think of anything that would bypass keylogging software (VPN will fix MiTM issues). Beware.

bashCypher
  • 53
    It's worse than that: on any computer that you don't control, the CA certificates used to verify the identities of the servers may have been compromised. So you might not be talking to the web site you think you are - even if you're using HTTPS. Don't trust public computers. – z0r Jan 14 '19 at 23:44
  • 2
    @z0r MITM using TLS stripping is a concern across the entire world. Always be careful in public, right? MITM is a little different than you're describing, but your point is valid and I didn't discuss the "interception" part. I'll update. – bashCypher Jan 14 '19 at 23:47
  • 10
    Multi-factor authentication is the mitigation for that, isn't it? – mgarciaisaia Jan 15 '19 at 01:01
  • @mgarciaisaia on a public kiosk? I guess we could talk about the kiosk being secured and the app security on it... but I think the point is we can't trust the kiosk. So the question is: can you use the web browser securely, if not, is there anything you can do? In that case I don't think "set up multifactor with the kiosk owners and have that apply to all the apps to avoid un-registered applications (key logger)" is reasonable? Is that fair? – bashCypher Jan 15 '19 at 01:04
  • 15
    If you use a 3rd-party computer to log into your e-mail, the ultimate line of defense against someone else logging into your account is using MFA. Even if they key-log your MFA token, it should be useless for them to access your account. – mgarciaisaia Jan 15 '19 at 01:58
  • 1
    Your password gets compromised, yes - but your account doesn't. – mgarciaisaia Jan 15 '19 at 01:58
  • Some services (example: WeChat) offer authentication methods precisely for this use case. When you attempt to access the service on a public terminal, it displays a QR code. You scan the code with your phone (which presumably is using trusted connection) and the authentication path happens though your phone. Once you verify (using your phone) that you want the session to be granted access, the public terminal session gets a notification and you can access your account there. A malicious terminal could read all your messages, but at least it doesn't compromise your account. – GrandOpener Jan 15 '19 at 02:00
  • 10
    @mgarciaisaia it depends on the nature of compromise. If it was a simple keylogger, then yes, you might be protected by 2FA (although some of them allow fall back to less secure settings!). However, if the malware on the public kiosk is a little smarter, it could do a lot of damage. For example, when you click "logout" it might show you a fake screen saying you are logged out, while in reality it did not log you out and is in the background doing stuff in your account, like setting up forwarding of all emails somewhere, changing recovery settings etc. – Matija Nalis Jan 15 '19 at 02:46
  • 3
    @bashCypher TLS stripping is only a tangent (and prevented on many major sites with HSTS). The real issue with using someone else's browser is that they can have it configured to accept their own custom Certificate Authority, issuing its own certs for seamless TLS MITM. – Will Jan 15 '19 at 06:35
  • 1
    @mgarciaisaia: Even MFA provides only very limited protection. It prevents others from re-using your credentials, but they still control the session you opened - so while they cannot login as you onto your online banking, they can drain your account while you're online. The only meaningful protection I know of on an untrusted computer is off-line _transaction_ authorization, as provided by e.g. off-line smart TAN generators, which let you see and confirm each transaction. – sleske Jan 15 '19 at 07:51
  • 3
    @Will: Just to nitpick - HSTS does not work if the browser is untrusted, because the browser needs to enforce it. If you can manipulate the certificate list, you can also patch the browser to ignore HSTS (or just log all HTTPS traffic) :-) . Of course this boils down to: Untrusted is untrusted. – sleske Jan 15 '19 at 07:53
  • 1
    @sleske Doesn't need to be off-line, any secondary communication channel for transaction (or any edit really) authorization will do. SMS - the most typically used one - will do that just as well as an offline TAN generator (although the latter does have other strong security advantages). – David Mulder Jan 15 '19 at 15:14
  • You coooouuulld restart the PC and boot from a thumb drive... lol – nardnob Jan 15 '19 at 21:19
  • 5
    @nardnob: One word: hardware keylogger (ok, two words). – sleske Jan 15 '19 at 21:22
  • 3
    @sleske Okay I have a solution, but it's going to require a screwdriver and a replacement motherboard – nardnob Jan 15 '19 at 21:24
  • @MatijaNalis Not really. Obviously after logging into an untrusted system you should check the active sessions from a trusted device which means even if they do that their session wont last long... Changing recovery settings etc should not be possible without having to redo the 2FA step with a different token (if that's not the case it is designed incorrectly). – Giacomo Alzetta Jan 16 '19 at 08:10
  • @GiacomoAlzetta by the time you get to a trusted device (could be weeks if you are traveling - if you don't have a trusted device for only a few minutes or even hours, you could very well have waited and not used the vulnerable public device in the first place!) the attacker might have used that account to compromise your other accounts, get sensitive data, impersonate you etc. Also even the big players (like google, paypal, ebay, ...) do not require different 2FA for changing 2FA settings, and using the same 2FA is vulnerable to many attacks - saying it's "designed incorrectly" isn't helping really – Matija Nalis Jan 16 '19 at 21:30
24

HTTPS can't possibly fully protect your user input on an untrusted computer: The computer could have keylogger software installed. The keyboard could have firmware programmed to keylog you. There could be a hardware device between the computer and the keyboard recording keypresses. There could be screen recording software running. There could be a video camera pointed at the keyboard while you're using it. The computer might be configured to fully trust a network proxy that acts as a man-in-the-middle for all HTTP and HTTPS connections.

Macil
  • 6
    …the computer might be running a software that looks like a browser with a website to you but doesn't even access any network. – Bergi Jan 15 '19 at 12:54
2

As covered in other answers, HTTPS only protects the transmission part of the communication, between your computer (browser) and the remote server. Anything between the user (human) and the browser is vulnerable to attackers.

Even if the keyboard is secured between the browser, a camera (outside the computer) could capture a video of you entering the password - that doesn't even remotely have anything to do with HTTPS.


Actions speak louder than words.

Long ago when I was 15, I wrote a simple key logger that is able to log almost everything. It nevertheless successfully stole a lot of passwords, including those entered into an HTTPS page.

Link: My GitHub repo of the aforementioned key logger program.

Tom
iBug
1

Workaround: to bypass keylogging software, you can draw a keyboard on screen and ask the user to click the keys on that keyboard using a mouse or trackball (that data would be very hard to log). Of course, this could be tiring for the users, so you might want to use this only to type passwords or small texts.

Daniel777
  • 3
    This doesn't answer the question. The user is entering a password into a webpage over which they have no control. – Chenmunka Jan 16 '19 at 15:08
  • @Daniel777 I actually used to have a bank account that had a password and a PIN that was entered by using the mouse to click on the numbers on a drawn number pad. It seemed to be a good way to secure access, but I think people didn't like that so they removed it. – Devil07 Jan 16 '19 at 15:13
  • 2
    [Not necessarily effective](https://security.stackexchange.com/a/172136). – AndrolGenhald Jan 16 '19 at 15:17
0

Everything you type on the keyboard is processed by some software which is part of your operating system. It could be the kernel itself, its modules or drivers. This software decodes your keystrokes and delivers them to the application (the browser in this case).

Many operating systems provide an API to "inject" some third-party software into this process. Of course, a modern OS does not allow everyone to do that: you must have appropriate rights, or it will not allow you to read keys clicked by another user working on the same machine.

But if someone with sufficient rights installed such software, it may have access to your keys. Even worse: if the OS has a bug, a hacker may "work around" this check and install such software. One example of it is a keylogger: it literally logs all keystrokes.

On a public computer, you can't be sure there is no keylogger installed because you are not the one who installed this OS, and your account does not have admin rights, so you can't even check what is running on this computer.

Use two-phase auth: with it the server will send you a text message with a code, so you could only access your email if you have access to your mobile phone.

Password-only auth is not safe on public computers.

Tom
user996142
0

Some antimalware solutions have a feature protecting keyboard input with a kernel mode driver, but don't think it is unbreakable: if malware manages to execute its own code in kernel mode, the AV driver cannot protect the stuff, everything in kernel mode is equally privileged.

schroeder
KOLANICH