>> >> > However, this won't do away with XSS, or other similar attack vectors
>> >> > if the users are not careful with their browsing habits.
>> >>
>> >> Can you give me an example?
>> >
>> > If your coder has another website page open in his/her browser which
>> > contains for example XSS or CSRF code, then the webpage of your company's
>> > web app could be potentially compromised by your user inadvertently
>> > executing state-changing commands on it. By providing an XSS payload the
>> > attacker could execute commands to change username/passwd, change email
>> > address, etc. This is one reason that Internet Banking providers always
>> > advise their users to log out and then exit their browser when they have
>> > finished their online banking.
>
>> The other obvious attack would be simply stealing your session cookies
>> or SSL client certificate+key out of the browser's RAM, or off of
>> disk.
>
> Yes, session hi/sidejacking is possible, as well as obtaining sensitive
> information that the browser has happened to cache. High value information
> like credit card details should have a no-cache, no-store, Expires:0, but I
> bet there are some websites out there which do not guard against this threat.
> I would have thought SSL certificates/keys would be protected in RAM, but if
> you have a Man-In-The-Browser attack I guess they wouldn't be.
>
> If you are using a VPN connection as a split-tunnel then although your
> connection to the LAN would be secure, browser credentials could still be
> stolen by browser sessions connecting to suspect websites outside the tunnel.
> It has to be a full VPN tunnel with forwarding Internet access blocked at the
> VPN gateway, for clients to mitigate this threat.
So the user is safe if I send all internet requests from her remote laptop through the Zerotier connection (instead of only sending requests to my server through Zerotier)? - Grant
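The quoted reply above recommends serving high-value pages (credit card details, account settings) with no-cache, no-store and Expires: 0 so the browser keeps no copy that a later compromise of the machine could read. The script below is an added example, not code from anyone in this thread; it checks a response's headers for exactly those directives and reports what is missing. The header sets at the bottom are constructed samples, and the function name `cache_findings` is my own.

```python
"""Check whether an HTTP response for a sensitive page forbids caching.

Added example for the thread above (not from any poster). Given the
headers of a response, report which of the caching protections the
thread recommends (Cache-Control: no-store, no-cache; Pragma: no-cache;
Expires: 0 or a past date) are absent, so a web app owner can audit
pages that must never end up in the browser's disk cache.
"""

from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List

# Directives a sensitive response must carry in Cache-Control.
REQUIRED_CACHE_CONTROL = ("no-store", "no-cache")


def _directives(value: str) -> set:
    """Split a Cache-Control value into its lower-cased directive names,
    dropping any '=argument' part (e.g. max-age=600 -> max-age)."""
    names = set()
    for part in value.split(","):
        name = part.strip().split("=", 1)[0].lower()
        if name:
            names.add(name)
    return names


def _expires_in_past(value: str) -> bool:
    """True if the Expires header forbids reuse: '0', '-1', or a date that
    has already passed. Any unparseable value other than 0/-1 counts as
    not protecting (browsers treat it as already expired, but we want the
    explicit form the thread recommends)."""
    v = value.strip()
    if v in ("0", "-1"):
        return True
    try:
        when = parsedate_to_datetime(v)
    except (TypeError, ValueError):
        return False
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= datetime.now(timezone.utc)


def cache_findings(headers: Dict[str, str]) -> List[str]:
    """Return the list of caching problems for a sensitive response.
    An empty list means a compliant browser or proxy will not store it."""
    # Header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    present = _directives(h.get("cache-control", ""))
    for directive in REQUIRED_CACHE_CONTROL:
        if directive not in present:
            findings.append(f"Cache-Control lacks {directive}")
    if h.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache missing (HTTP/1.0 caches)")
    if not _expires_in_past(h.get("expires", "")):
        findings.append("Expires: 0 (or a past date) missing")
    return findings


# Constructed sample responses: one that a browser may cache for ten
# minutes, and one hardened the way the thread describes.
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Cache-Control": "private, max-age=600",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "0",
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, cache_findings(resp) or "OK")
```

`no-store` is the directive that actually keeps the page off disk; `no-cache` alone still allows storage as long as the copy is revalidated, which is why the check insists on both rather than either.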