
noXTRAs


  1. Infiltrator, thanks for the reply, but my problem/question is not the SQL injection part, but a man-in-the-middle attack or some way in which a hacker could eavesdrop on the connection. Rephrasing the original question: What are the ways someone can eavesdrop on / change data on an SSL connection by being on-route of the packet or having the user computers infected?
  2. The users don't register. They are all in a database already, they can't register. I'm wondering if the WiFi Pineapple could intercept an SSL connection? I'm now thinking of using a PGP-like system, with a public and a private key. If the vote + encrypted data generates a valid response, the user will get back a message containing his personal details, including his membership ID. The user can check if these are correct so he knows he voted on the right server and his vote registered correctly. Can anyone tell me if a man in the middle (let's say from one of the ISPs en route to the destination server) could intercept the message in order to decrypt it and log the user's vote?
  3. I'm thinking of a direct connection to the server, but I don't know if that can be hijacked (and how) if the user has a virus. My main idea would be a USB stick that boots your computer into a virus-free internet browser, but the problem with this approach is that not all PCs/Macs boot from USB by default, problems CAN occur in the boot process, and users with a smartphone can't boot from a USB stick...
  4. Thanks for the quick reply. User registration won't be a problem, mainly because they all have a membership ID. The user doesn't register; I have an entry for each member who can vote. Well, hackers are stopped 99.(9)% at the stock exchange, Visa, PayPal, etc. All a hacker can do is DDoS the hell out of those servers. I never heard of a billion dollars stolen in fraudulent automated bot trading, or Visa being hacked, or PayPal, or the 3D Secure servers (and there is a different 3D Secure provider in each country)... so it's possible to 99.(9)% hackproof it. I'd like to know ways an attacker would go about stealing votes.
  5. Let me elaborate on my problem. I am thinking of making an online polling/voting system. I am a senior software engineer, so I can secure the database and the web page from SQL injection, XSS, CSRF, and I'm also thinking of a secure system to 'anonymously' identify the user so he/she can vote once, BUT my main problem is this: could a hacker create some software to hijack the session or .... in order to steal the vote?
  6. Isn't there a Hak5 episode covering this? :( One of the PCs COULD be infected... I was thinking about connecting to a virtual machine on the server; once the user (who can be infected) is finished, the virtual machine is restarted and waits for another connection. What problems could appear in a connection like this? How would you hack it? Can you hijack a browser's SSL connection? What if the user has a physical digital certificate (USB key)? Can you still hijack a VNC over SSH or browser SSL?
  7. Thanks for the reply, whitecoder, but the idea is to connect 2 computers in different parts of the world... The user needs to connect to a server (with graphical interface), make an action, then disconnect.
  8. Hello everyone, I'm new here, but a big fan of the show. I'm wondering if anyone knows the title of an episode (if any) about securely connecting two computers. I would like to securely connect 2 computers (one of them may be virus infected AND running any ver. of Windows or OS X) and I'm looking for the easiest way. Thanks in advance for any help.