'Re: Outstanding critical issue for KDE 2.2'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde-core-devel
Subject:    Re: Outstanding critical issue for KDE 2.2
From:       Roberto Teixeira <maragato () conectiva ! com ! br>
Date:       2001-08-02 18:53:39
[Download RAW message or body]

Em Thursday 02 August 2001 15:28, Kurt Granroth escreveu:
> [snip]
>
> Really, the only long term solution to this that I can see is Yet Another
> Option.  Something like:
>
>  Enable Form Completions
>  ( ) Always
>  ( ) Only on unencrypted pages

That's what I suggested in the begining of this thread. However, we have to 
remember that this would create a new string to be translated (doesn't seem 
to be much, but I for one know at least one translation team that's already 
working virtually full time not to have support for its native language 
dropped from KDE 2.2).

So the best would be to disable autocompletion on encrypted pages for default 
and create this option for 2.2.1.

> The other long term option involves having the user enter some password
> during every browsing session and encrypting the data to disk.  I speak for
> myself when I say that hell will freeze over before I enter a password
> before all of my browsing sessions (convience vs security again).

Let's forget this option, shall we? :-)

>  Right now, due to the imminent release of KDE 2.2, we are in a no-win
> situation.  If we keep the code as it is right now (doesn't store numbers,
> stores some other data depending on how the form is coded), we will piss
> off a decent amount of people who don't want this.  If we disable
> autocompletion for SSL sites, we will piss off an entire other set of
> people who except it to work always.  *sigh*
>
> FWIW, I think we should release as-is.  It's more secure than what IE does
> (the only other place people are used to autocompletion on the web) and
> should fail only in rare cases.  After 2.2, we can beef it up and do it the
> Right Way.

No! This would be wrong for reasons mentioned over and over in this thread. 
Storing this information in the user's HD is wrong, at least if the user 
doesn't know about it.

I _do_ like to have completion of my credit card information. I use it. But 
it is still wrong to not give users the choice. If we cannot give them the 
choice now, then let's do what is more secure yet less convinient.

regards,

	Roberto.

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic