List: kfm-devel
Subject: Re: Outstanding critical issue for KDE 2.2
From: Kurt Granroth <granroth () suse ! com>
Date: 2001-08-01 19:37:46
On Wednesday 01 August 2001 11:58 am, Waldo Bastian wrote:
> KDE 2.2 seems to come along pretty nicely, I do have one critical issue
> though:
>
> I believe that information typed into forms on secure websites (https) can
> end up on the hard-disk due to auto-completion. This may mean that
> credit-card information may end up on places where the user does not expect
> it, which is an unacceptable situation.
>
> Can someone confirm that this is indeed the case? Can this be fixed ASAP?

I'm sure that George or Dawit can give a more detailed answer.. but I'll pipe
in with anecdotal confirmation. It seems that autocompletion doesn't care if
the connection is encrypted or not. It seems to decide on completion based
on the form itself.

For instance, if I go to sign in to eBay, I have a choice of either SSL or
non-SSL. The form is the same for both.. just one is http and the other is
https. In BOTH cases, khtml will complete on the user id but will not
complete on the password field. This is likely because the password field is
of type "password".

Just for kicks, though, I looked through khtml/formcompletions to see if
there was any sensitive data in there.... Yikes! Quite a few credit cards,
SS#, passwords, etc. At a glance, though, it seems like those are the same
ones that IE completes, too. Perhaps khtml and IE have the same
autocompletion policy? In other words, they behave nicely on well written
forms but are too forgiving of poorly written ones?

--
Kurt Granroth | http://www.granroth.org
KDE Developer/Evangelist | SuSE Labs Open Source Developer
granroth@kde.org | granroth@suse.com
KDE -- Conquer Your Desktop
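
The storage policy question raised in this message, as an added example that is not khtml's code and not part of the original post: a check that refuses to write a completion to disk when the page is https, the field is of type "password", the form sets autocomplete="off", or the value looks like a payment card number typed into a plain text field. The struct, the function names and the rules themselves are assumptions for illustration.

```cpp
#include <cctype>
#include <string>

// Hypothetical description of one form input; not a khtml type.
struct FormField {
    std::string type;          // value of the input's type attribute
    std::string autocomplete;  // value of the autocomplete attribute, may be empty
};

static std::string lower(std::string s) {
    for (char &c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// True when the value, ignoring spaces and dashes, is 13-19 digits that pass
// the Luhn checksum used by payment card numbers.
bool looksLikeCardNumber(const std::string &value) {
    std::string digits;
    for (char c : value) {
        if (std::isdigit(static_cast<unsigned char>(c))) digits += c;
        else if (c != ' ' && c != '-') return false;
    }
    if (digits.size() < 13 || digits.size() > 19) return false;
    int sum = 0;
    bool doubleIt = false;  // every second digit, counted from the right, is doubled
    for (auto it = digits.rbegin(); it != digits.rend(); ++it) {
        int d = *it - '0';
        if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
        sum += d;
        doubleIt = !doubleIt;
    }
    return sum % 10 == 0;
}

// Decide whether a submitted value may be written to the completion store.
bool mayPersistCompletion(const std::string &scheme, const FormField &field,
                          const std::string &value) {
    if (lower(scheme) == "https") return false;            // encrypted page: never store
    if (lower(field.type) == "password") return false;     // same as the behaviour observed above
    if (lower(field.autocomplete) == "off") return false;  // the page opted out
    if (looksLikeCardNumber(value)) return false;          // card number in a poorly written form
    return true;
}
```

The card-number rule covers the "poorly written form" case from the message, where a sensitive value arrives in an ordinary text input over plain http.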