From kde-core-devel Thu Sep 04 11:16:46 2003
From: Martijn Klingens
Date: Thu, 04 Sep 2003 11:16:46 +0000
To: kde-core-devel
Subject: Re: KWallet integration
X-MARC-Message: https://marc.info/?l=kde-core-devel&m=106267429009416

On Thursday 04 September 2003 12:52, Rob Kaper wrote:
> Applications like Atlantik, Konqueror and Kopete are trusted only because
> we *know* what security procedures are in place and judge them to be
> sufficient.

Do we? How many people know that Kopete stored passwords in plain text up to
and including 0.6.x? How many people know that the seemingly secure
"encrypted" password in 0.7.x is only a dead simple hash that can be
circumvented easily?

Only a handful of security-conscious people like you know that. KWallet's
'secure by default' encryption would solve the problem for real, because it
brings actual secure storage to people who don't even know what encryption
is.

> If the KWallet API would allow for creditcard data to be given
> to any of these applications just because I unlocked my IM passwords, then
> I would not consider KWallet trusted for the purpose of storing sensitive
> data such as creditcards.

Why not? If you distrust an application you can just as well distrust the
entire system, since an untrusted application can just as well install a key
logger and pass a separate 'credit card password' to whoever is interested.

So either you trust the application and you can just as well put everything
in the same wallet, or you don't, but then you should not even USE the
application in the first place, with wallet or not.

--
Martijn