The Juniper VPN SSL solution (Secure Access) is undoubtedly the most advanced on the market today, and I’ve always been satisfied with it. However, a few days ago one of my customers showed me his VPN SSL, on which he had enabled the “virtual keyboard”.
I’ve never been really convinced by the security level added by virtual keyboards. Even if they prevent key loggers from capturing sensitive credentials, it is easier for an onlooker to see a code clicked with a mouse than one typed on a keyboard. More importantly, if malicious software is able to intercept keystrokes, it can just as well take a screenshot each time the user clicks, or sniff the password inside the browser before it is sent to the server (in the case of the worst virtual keyboards, which build the password client-side).
So I wrote a simple Greasemonkey script that modifies the Juniper web pages and lets you type the password directly into the form instead of using this annoying keyboard: JuniperVpnSslRemoveVirtualKeyboard.
If you choose to rely on a virtual keyboard, keep in mind that for it to be of any real use security-wise, the keyboard image must be generated dynamically, and the keys clicked with the mouse must not be translated into the password’s characters in the browser, but on the server.