The Juniper VPN SSL solution (Secure Access) is undoubtedly the most advanced of the market today, and I’ve always been satisfied with it. However, a few days ago, one of my customers show me his VPN SSL, for which he enabled the “virtual keyboard“.
I’ve never been really convinced about the security level added by virtual keyboards. Even if it prevents key loggers from capturing sensitive credentials, it is more easy for someone to see the code clicked with a mouse than with a keyboard. And more important, if a malicious software is able to intercept keystrokes, he can take screen-shot when the user is clicking, or sniff the password inside the browser before it is sent to the server (for the worst virtual keyboards ones).

In this case, the Javascript based virtual keyboard just enters the values in the password input form, which is read-only.

So, I’ve wrote a simple Greasemonkey script that modifies the Juniper web pages and allows to enter directly the password in the form instead of using this annoying keyboard: JuniperVpnSslRemoveVirtualKeyboard.



And some other virtual keyboard available on the Internet suffer from similar problem, even some on-line bank web sites use such javascript based keyboards that just enter the password on the form (modification required to the web page is minor, and nothing to do on the server).
If you choose to rely on a virtual keyboard, in order to be a minimum efficient in term of security, keep in mind that the keyboard image must be generated dynamically and the keys clicked by the mouse must not be translated to the password’s characters at the browser level, but at the server level.

August 15, 2010, 1:18 am lock

Add your own comment or set a trackback

Currently no comments

  1. No comment yet

Add your own comment

To prove you're a person (not a spam script), type the security word shown in the picture.
Anti-Spam Image

Follow comments according to this article through a RSS 2.0 feed