Is the data between a keyboard and a web browser secure from local computer applications?

No, your data is not safe from key loggers on a local computer. There isn't much more to say here, to be fair. A key logger will grab and save any key stroke entered. The tls (https) encryption happens "after" the driver from keyboard "sends" those key strokes to the browser, "through" the key logger.

Even if encryption is being used and there isn't one many types of spyware on the computer, the connection between the computer and site might have a Man in The Middle (MiTM) device in between which tricks your computer into thinking it's using encryption when it's not.

Good question. Yes, on a public kiosk you run the risk of credential harvesting. I can not think of anything that would bypass keylogging software (VPN will fix MiTM issues). Beware.


HTTPS can't possibly fully protect your user input on an untrusted computer: The computer could have keylogger software installed. The keyboard could have firmware programmed to keylog you. There could be a hardware device between the computer and the keyboard recording keypresses. There could be screen recording software running. There could be a video camera pointed at the keyboard while you're using it. The computer might be configured to fully trust a network proxy that acts as a man-in-the-middle for all HTTP and HTTPS connections.


As covered in other answers, HTTPS only protects the transmission part of the communication, between your computer (browser) and the remote server. Anything between the user (human) and the browser is vulnerable to attackers.

Even if the keyboard is secured between the browser, a camera (outside the computer) could capture a video of you entering the password - that doesn't even remotely have anything to do with HTTPS.

Actions speak louder than words.

Long ago when I was 15, I wrote a simple key logger that is able to log almost everything. It nevertheless successfully stole a lot of passwords, including those entered into an HTTPS page.

Link: My GitHub repo of the aforementioned key logger program.

Tags:

Tls

Keyloggers

Related

As an end user, what risk is there in browsing a public website that uses TLSv1? How to connect a Raspberry Pi IDS to the home router to detect intrusions network wide? Is it worth storing email addresses as hashes? Let's Encrypt is based in the US and subject to US laws How does full disk encryption cater for overprovisoned disk space in flash devices and can this result in data leakage? Does the destruction of sensitive information limit the choice of hard drives to non-flash based devices? Why is Gbt3fC79ZmMEFUFJ a weak password? How do I monitor what a penetration tester is doing? How can SSH server know private key is incorrect if passphrase havent been provided yet? Is ssh with public key authentication, no passwords secure enough? Is there a way to make sure my government does not swap out SSL certificates? Can someone read my E-Mail if I lose ownership of my domain?

Recent Posts