With the ever increasing use of the Internet to transfer information, companies are becoming increasingly dependent on the Internet to practice their business. Web-based transactions have become a primary way of providing access to confidential information. In all situations there is an interest in assuring that the information is received solely by the intended recipient(s) and not diverted to undesired recipients. In the case of business information, there can be substantial sensitivity to unauthorized receipt of the information. In order for businesses to be able to transact their business in confidence that confidential information is not being disseminated beyond the intended recipient, it is necessary that there be provided security measures that prevent others from receiving the information. Also, for individuals, there is their concern that passwords, personal and transactional information be maintained in confidence with the various businesses with which they communicate.
Excellent encryption technologies exist for the purpose of securing private transactions over the public Internet, most notably, Secure Sockets Layer (SSL) Protocol. Common applications include web-based secure transaction processing, such as banking, electronic bill-payment, travel planning, and shopping, to name but a few. In all of these applications, an encrypted channel is established between a web-browser running on a personal computer, and a secure service running at the vendor's data center. The negotiation, establishment, and use of the channel are all automatic and seamless—the only visible token is usually a small padlock icon that appears discreetly on the border of the browser window when the communications link is secure. When the padlock is visible, the web shopper can be sure that a) her network transactions are transmitted and received securely, and that b) they are being exchanged with a trusted agent.
The SSL protocol, built in to all modern web browsers, establishes a protected channel between a personal computer and a server, and automatically and reliably detects a “man-in-the-middle” (MIM) attack. In other words, the protocol can definitively declare that transactions are being received directly by the intended recipient, and not being relayed or modified in transit. But the SSL protocol cannot prevent an intermediary agent from intercepting and relaying those transactions. Of course, any such breach is detected immediately, and results in a strongly-worded warning message from the web browser, along with a recommended option to abort the session.
None of presently available technology addresses a very obvious weak link. Knowing how effective the secured channel is against subversion, the smart intruder does not bother attempting to snoop on the channel. Rather, he eavesdrops on the session at a point before the transaction data are encrypted, by logging all keystrokes typed by the web shopper, using a so called spyware program. No matter how strong the encryption between the web browser and the remote secure server, confidential data entered via a keyboard will always be vulnerable to these keystroke logging programs. And they are ubiquitous: an Internet search for “spyware” yields about 71 million hits, split between programs that log keystrokes and those that purport to detect and remove spyware.
There is, therefore, a need for methods and devices that thwart keystroke logging programs by extending a secured link to the keyboard itself.
As used herein, a proxy server is a network element that performs computing tasks on behalf of a client(s), often a remote secure server, for example, a voice-over-IP media relay or Proxy node server. Other proxy servers are also available commercially. See, for example, U.S. Pat. Nos. 6,981,056 and 6,986,018, which are incorporated herein by reference regarding proxy servers.