
List:       kde-core-devel
Subject:    Re: Outstanding critical issue for KDE 2.2
From:       Rob Kaper <cap () capsi ! com>
Date:       2001-08-03 8:04:31

On Thu, Aug 02, 2001 at 11:31:25PM +0200, Rolf Magnus wrote:
> > Even on multi-user systems, if the file is mode 600 it should not be a
> > problem anyway.
> 
> You don't seem to know much about the security of nfs shares, do you? I
> don't either, but I know that it's easy for anyone to get the information.

Which is why one should consider not using NFS when security is an issue.
(now that the kio_sftp in kdenonbeta is working, a kiomount program would be
awesome)

I think supporting the noautocomplete tag (or whatever) is the best we can
do, aside from not storing any information from SSL forms at all.

I've seen several e-commerce sites that do indeed have 4 input fields of
four digits or ask you to enter your card info into a textarea, along with
the expiry date. None of these would get caught by any of our regexps.

For 2.2, just disable autocompletion for SSL forms altogether. That might
be overdoing it, but we cannot force a _decent_ solution this soon anyway.

For 3.0, I propose something like Mozilla's wallet: an encrypted file,
passphrase protected, which optionally stores entries that are entered
through input type password and https actions.

Rob
-- 
Rob Kaper     | Realize what happened to the dotcom industry before even
cap@capsi.com | thinking about implementing any dotnet technology.
www.capsi.com |
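
The point above about card data split over several inputs or pasted into a textarea, as an added example that is not part of the original message or of KDE's code. The per-field pattern, the form dictionaries and the `autocomplete_off` set are assumptions made for illustration; the thread does not show the actual regexps.

```python
import re

# Assumed per-field heuristic: the whole value is 13-19 digits, optionally
# separated by spaces or dashes, and passes the Luhn checksum.
CARD_RE = re.compile(r"\d(?:[ -]?\d){12,18}")

def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def field_looks_like_card(value):
    v = value.strip()
    return bool(CARD_RE.fullmatch(v)) and luhn_ok(re.sub(r"\D", "", v))

def regex_filter_catches(form):
    """True if content matching on individual fields flags any value."""
    return any(field_looks_like_card(v) for v in form["fields"].values())

def should_store(form, field_name):
    """Content-independent policy: nothing from SSL forms, nothing opted out."""
    if form["action"].lower().startswith("https:"):
        return False
    return field_name not in form.get("autocomplete_off", ())

# Constructed sample forms; 4111 1111 1111 1111 is a public test number.
SINGLE = {"action": "https://shop.example/pay",
          "fields": {"card": "4111 1111 1111 1111"}}
SPLIT = {"action": "https://shop.example/pay",
         "fields": {"cc1": "4111", "cc2": "1111", "cc3": "1111", "cc4": "1111"}}
TEXTAREA = {"action": "https://shop.example/pay",
            "fields": {"details": "4111 1111 1111 1111\nexp 08/03"}}
PLAIN = {"action": "http://forum.example/search",
         "fields": {"q": "kde", "pin": "1234"},
         "autocomplete_off": {"pin"}}

if __name__ == "__main__":
    for name, form in [("single", SINGLE), ("split", SPLIT), ("textarea", TEXTAREA)]:
        print(name, "regex catches:", regex_filter_catches(form),
              "| stored under policy:",
              any(should_store(form, f) for f in form["fields"]))
```

Only the single-field form is flagged by content matching, while the policy check declines to store all three regardless of how the site lays out its inputs.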
