Is data between keyboard and web browser secure from local computer applications?












6















My question is about the text that I type on a keyboard while in a web browser. I understand that if the website has HTTPS the connection from my browser to the website is secure/encrypted, but what about the text that I type on the keyboard on the local computer?



For example, at an internet cafe, if you open a Chrome window and go to a secure site (HTTPS) is the text that you type on the keyboard secure from the keyboard to the browser? Can key logging software on the local computer access the text?



My concern is logging into my email account (or any other private account) on a public computer, can the password that I type be intercepted? If so, is there any way for a user of a public computer ensure the privacy of their password in this scenario?










share|improve this question













migrated from crypto.stackexchange.com 6 hours ago


This question came from our site for software developers, mathematicians and others interested in cryptography.




















    6















    My question is about the text that I type on a keyboard while in a web browser. I understand that if the website has HTTPS the connection from my browser to the website is secure/encrypted, but what about the text that I type on the keyboard on the local computer?



    For example, at an internet cafe, if you open a Chrome window and go to a secure site (HTTPS) is the text that you type on the keyboard secure from the keyboard to the browser? Can key logging software on the local computer access the text?



    My concern is logging into my email account (or any other private account) on a public computer, can the password that I type be intercepted? If so, is there any way for a user of a public computer ensure the privacy of their password in this scenario?










    share|improve this question













    migrated from crypto.stackexchange.com 6 hours ago


    This question came from our site for software developers, mathematicians and others interested in cryptography.


















      6












      6








      6








      My question is about the text that I type on a keyboard while in a web browser. I understand that if the website has HTTPS the connection from my browser to the website is secure/encrypted, but what about the text that I type on the keyboard on the local computer?



      For example, at an internet cafe, if you open a Chrome window and go to a secure site (HTTPS) is the text that you type on the keyboard secure from the keyboard to the browser? Can key logging software on the local computer access the text?



      My concern is logging into my email account (or any other private account) on a public computer, can the password that I type be intercepted? If so, is there any way for a user of a public computer ensure the privacy of their password in this scenario?










      share|improve this question














      My question is about the text that I type on a keyboard while in a web browser. I understand that if the website has HTTPS the connection from my browser to the website is secure/encrypted, but what about the text that I type on the keyboard on the local computer?



      For example, at an internet cafe, if you open a Chrome window and go to a secure site (HTTPS) is the text that you type on the keyboard secure from the keyboard to the browser? Can key logging software on the local computer access the text?



      My concern is logging into my email account (or any other private account) on a public computer, can the password that I type be intercepted? If so, is there any way for a user of a public computer ensure the privacy of their password in this scenario?







      tls






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked 6 hours ago







      Devil07











      migrated from crypto.stackexchange.com 6 hours ago


      This question came from our site for software developers, mathematicians and others interested in cryptography.






      migrated from crypto.stackexchange.com 6 hours ago


      This question came from our site for software developers, mathematicians and others interested in cryptography.
























          2 Answers
          2






          active

          oldest

          votes


















          10














          No, your data is not safe from key loggers on a local computer. There isn't much more to say here, to be fair. A key logger will grab and save any key stroke entered. The tls (https) encryption happens "after" the driver from keyboard "sends" those key strokes to the browser, "through" the key logger.



          Even if encryption is being used and there isn't one many types of spyware on the computer, the connection between the computer and site might have a Man in The Middle (MiTM) device in between which tricks your computer into thinking it's using encryption when it's not.



          Good question. Yes, on a public kiosk you run the risk of credential harvesting. I can not think of anything that would bypass keylogging software (VPN will fix MiTM issues). Beware.






          share|improve this answer





















          • 1





            It's worse than that: on any computer that you don't control, the CA certificates used to verify the identities of the servers may have been compromised. So you might not be talking to the web site you think you are - even if you're using HTTPS. Don't trust public computers.

            – z0r
            1 hour ago








          • 1





            @z0r MITM using TLS stripping is a concern across the entire world. Always be careful in public, right? MITM is a little different than your describing, but you're point is valid and I didn't discuss the "interception" part. I'll update.

            – bashCypher
            1 hour ago













          • Multi-factor authentication is the mitigation for that, isn't it?

            – mgarciaisaia
            5 mins ago











          • @mgarciaisaia on a public kiosk? I guess we could talk about the kiosk being secured and the app security on it... but I think the point is we can't trust the kiosk. So the question is:can you use the web browser securely, if not, is there anything you can do? In that case I don't think "set up multifactor with the kiosk owners and have that apply to all the apps to avoid un-registered applications (key logger)" is reasonable? Is that fair?

            – bashCypher
            2 mins ago



















          0














          HTTPS can't possibly fully protect your user input on an untrusted computer: The computer could have keylogger software installed. The keyboard could have firmware programmed to keylog you. There could be a hardware device between the computer and the keyboard recording keypresses. There could be screen recording software running. There could be a video camera pointed at the keyboard while you're using it. The computer might be configured to fully trust a network proxy that acts as a man-in-the-middle for all HTTP and HTTPS connections.






          share|improve this answer























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "162"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            noCode: true, onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f201449%2fis-data-between-keyboard-and-web-browser-secure-from-local-computer-applications%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown
























            2 Answers
            2






            active

            oldest

            votes








            2 Answers
            2






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            10














            No, your data is not safe from key loggers on a local computer. There isn't much more to say here, to be fair. A key logger will grab and save any key stroke entered. The tls (https) encryption happens "after" the driver from keyboard "sends" those key strokes to the browser, "through" the key logger.



            Even if encryption is being used and there isn't one many types of spyware on the computer, the connection between the computer and site might have a Man in The Middle (MiTM) device in between which tricks your computer into thinking it's using encryption when it's not.



            Good question. Yes, on a public kiosk you run the risk of credential harvesting. I can not think of anything that would bypass keylogging software (VPN will fix MiTM issues). Beware.






            share|improve this answer





















            • 1





              It's worse than that: on any computer that you don't control, the CA certificates used to verify the identities of the servers may have been compromised. So you might not be talking to the web site you think you are - even if you're using HTTPS. Don't trust public computers.

              – z0r
              1 hour ago








            • 1





              @z0r MITM using TLS stripping is a concern across the entire world. Always be careful in public, right? MITM is a little different than your describing, but you're point is valid and I didn't discuss the "interception" part. I'll update.

              – bashCypher
              1 hour ago













            • Multi-factor authentication is the mitigation for that, isn't it?

              – mgarciaisaia
              5 mins ago











            • @mgarciaisaia on a public kiosk? I guess we could talk about the kiosk being secured and the app security on it... but I think the point is we can't trust the kiosk. So the question is:can you use the web browser securely, if not, is there anything you can do? In that case I don't think "set up multifactor with the kiosk owners and have that apply to all the apps to avoid un-registered applications (key logger)" is reasonable? Is that fair?

              – bashCypher
              2 mins ago
















            10














            No, your data is not safe from key loggers on a local computer. There isn't much more to say here, to be fair. A key logger will grab and save any key stroke entered. The tls (https) encryption happens "after" the driver from keyboard "sends" those key strokes to the browser, "through" the key logger.



            Even if encryption is being used and there isn't one many types of spyware on the computer, the connection between the computer and site might have a Man in The Middle (MiTM) device in between which tricks your computer into thinking it's using encryption when it's not.



            Good question. Yes, on a public kiosk you run the risk of credential harvesting. I can not think of anything that would bypass keylogging software (VPN will fix MiTM issues). Beware.






            share|improve this answer





















            • 1





              It's worse than that: on any computer that you don't control, the CA certificates used to verify the identities of the servers may have been compromised. So you might not be talking to the web site you think you are - even if you're using HTTPS. Don't trust public computers.

              – z0r
              1 hour ago








            • 1





              @z0r MITM using TLS stripping is a concern across the entire world. Always be careful in public, right? MITM is a little different than your describing, but you're point is valid and I didn't discuss the "interception" part. I'll update.

              – bashCypher
              1 hour ago













            • Multi-factor authentication is the mitigation for that, isn't it?

              – mgarciaisaia
              5 mins ago











            • @mgarciaisaia on a public kiosk? I guess we could talk about the kiosk being secured and the app security on it... but I think the point is we can't trust the kiosk. So the question is:can you use the web browser securely, if not, is there anything you can do? In that case I don't think "set up multifactor with the kiosk owners and have that apply to all the apps to avoid un-registered applications (key logger)" is reasonable? Is that fair?

              – bashCypher
              2 mins ago














            10












            10








            10







            No, your data is not safe from key loggers on a local computer. There isn't much more to say here, to be fair. A key logger will grab and save any key stroke entered. The tls (https) encryption happens "after" the driver from keyboard "sends" those key strokes to the browser, "through" the key logger.



            Even if encryption is being used and there isn't one many types of spyware on the computer, the connection between the computer and site might have a Man in The Middle (MiTM) device in between which tricks your computer into thinking it's using encryption when it's not.



            Good question. Yes, on a public kiosk you run the risk of credential harvesting. I can not think of anything that would bypass keylogging software (VPN will fix MiTM issues). Beware.






            share|improve this answer















            No, your data is not safe from key loggers on a local computer. There isn't much more to say here, to be fair. A key logger will grab and save any key stroke entered. The tls (https) encryption happens "after" the driver from keyboard "sends" those key strokes to the browser, "through" the key logger.



            Even if encryption is being used and there isn't one many types of spyware on the computer, the connection between the computer and site might have a Man in The Middle (MiTM) device in between which tricks your computer into thinking it's using encryption when it's not.



            Good question. Yes, on a public kiosk you run the risk of credential harvesting. I can not think of anything that would bypass keylogging software (VPN will fix MiTM issues). Beware.







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited 1 hour ago

























            answered 5 hours ago









            bashCypherbashCypher

            994114




            994114








            • 1





              It's worse than that: on any computer that you don't control, the CA certificates used to verify the identities of the servers may have been compromised. So you might not be talking to the web site you think you are - even if you're using HTTPS. Don't trust public computers.

              – z0r
              1 hour ago








            • 1





              @z0r MITM using TLS stripping is a concern across the entire world. Always be careful in public, right? MITM is a little different than your describing, but you're point is valid and I didn't discuss the "interception" part. I'll update.

              – bashCypher
              1 hour ago













            • Multi-factor authentication is the mitigation for that, isn't it?

              – mgarciaisaia
              5 mins ago











            • @mgarciaisaia on a public kiosk? I guess we could talk about the kiosk being secured and the app security on it... but I think the point is we can't trust the kiosk. So the question is:can you use the web browser securely, if not, is there anything you can do? In that case I don't think "set up multifactor with the kiosk owners and have that apply to all the apps to avoid un-registered applications (key logger)" is reasonable? Is that fair?

              – bashCypher
              2 mins ago














            • 1





              It's worse than that: on any computer that you don't control, the CA certificates used to verify the identities of the servers may have been compromised. So you might not be talking to the web site you think you are - even if you're using HTTPS. Don't trust public computers.

              – z0r
              1 hour ago








            • 1





              @z0r MITM using TLS stripping is a concern across the entire world. Always be careful in public, right? MITM is a little different than your describing, but you're point is valid and I didn't discuss the "interception" part. I'll update.

              – bashCypher
              1 hour ago













            • Multi-factor authentication is the mitigation for that, isn't it?

              – mgarciaisaia
              5 mins ago











            • @mgarciaisaia on a public kiosk? I guess we could talk about the kiosk being secured and the app security on it... but I think the point is we can't trust the kiosk. So the question is:can you use the web browser securely, if not, is there anything you can do? In that case I don't think "set up multifactor with the kiosk owners and have that apply to all the apps to avoid un-registered applications (key logger)" is reasonable? Is that fair?

              – bashCypher
              2 mins ago








            1




            1





            It's worse than that: on any computer that you don't control, the CA certificates used to verify the identities of the servers may have been compromised. So you might not be talking to the web site you think you are - even if you're using HTTPS. Don't trust public computers.

            – z0r
            1 hour ago







            It's worse than that: on any computer that you don't control, the CA certificates used to verify the identities of the servers may have been compromised. So you might not be talking to the web site you think you are - even if you're using HTTPS. Don't trust public computers.

            – z0r
            1 hour ago






            1




            1





            @z0r MITM using TLS stripping is a concern across the entire world. Always be careful in public, right? MITM is a little different than your describing, but you're point is valid and I didn't discuss the "interception" part. I'll update.

            – bashCypher
            1 hour ago







            @z0r MITM using TLS stripping is a concern across the entire world. Always be careful in public, right? MITM is a little different than your describing, but you're point is valid and I didn't discuss the "interception" part. I'll update.

            – bashCypher
            1 hour ago















            Multi-factor authentication is the mitigation for that, isn't it?

            – mgarciaisaia
            5 mins ago





            Multi-factor authentication is the mitigation for that, isn't it?

            – mgarciaisaia
            5 mins ago













            @mgarciaisaia on a public kiosk? I guess we could talk about the kiosk being secured and the app security on it... but I think the point is we can't trust the kiosk. So the question is:can you use the web browser securely, if not, is there anything you can do? In that case I don't think "set up multifactor with the kiosk owners and have that apply to all the apps to avoid un-registered applications (key logger)" is reasonable? Is that fair?

            – bashCypher
            2 mins ago





            @mgarciaisaia on a public kiosk? I guess we could talk about the kiosk being secured and the app security on it... but I think the point is we can't trust the kiosk. So the question is:can you use the web browser securely, if not, is there anything you can do? In that case I don't think "set up multifactor with the kiosk owners and have that apply to all the apps to avoid un-registered applications (key logger)" is reasonable? Is that fair?

            – bashCypher
            2 mins ago













            0














            HTTPS can't possibly fully protect your user input on an untrusted computer: The computer could have keylogger software installed. The keyboard could have firmware programmed to keylog you. There could be a hardware device between the computer and the keyboard recording keypresses. There could be screen recording software running. There could be a video camera pointed at the keyboard while you're using it. The computer might be configured to fully trust a network proxy that acts as a man-in-the-middle for all HTTP and HTTPS connections.






            share|improve this answer




























              0














              HTTPS can't possibly fully protect your user input on an untrusted computer: The computer could have keylogger software installed. The keyboard could have firmware programmed to keylog you. There could be a hardware device between the computer and the keyboard recording keypresses. There could be screen recording software running. There could be a video camera pointed at the keyboard while you're using it. The computer might be configured to fully trust a network proxy that acts as a man-in-the-middle for all HTTP and HTTPS connections.






              share|improve this answer


























                0












                0








                0







                HTTPS can't possibly fully protect your user input on an untrusted computer: The computer could have keylogger software installed. The keyboard could have firmware programmed to keylog you. There could be a hardware device between the computer and the keyboard recording keypresses. There could be screen recording software running. There could be a video camera pointed at the keyboard while you're using it. The computer might be configured to fully trust a network proxy that acts as a man-in-the-middle for all HTTP and HTTPS connections.






                share|improve this answer













                HTTPS can't possibly fully protect your user input on an untrusted computer: The computer could have keylogger software installed. The keyboard could have firmware programmed to keylog you. There could be a hardware device between the computer and the keyboard recording keypresses. There could be screen recording software running. There could be a video camera pointed at the keyboard while you're using it. The computer might be configured to fully trust a network proxy that acts as a man-in-the-middle for all HTTP and HTTPS connections.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered 54 mins ago









                MacilMacil

                1,006610




                1,006610






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Information Security Stack Exchange!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f201449%2fis-data-between-keyboard-and-web-browser-secure-from-local-computer-applications%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    Magento 2 controller redirect on button click in phtml file

                    Polycentropodidae