
List:       kfm-devel
Subject:    Re: Outstanding critical issue for KDE 2.2
From:       Kurt Granroth <granroth () suse ! com>
Date:       2001-08-01 19:37:46

On Wednesday 01 August 2001 11:58 am, Waldo Bastian wrote:
> KDE 2.2 seems to come along pretty nicely, I do have one critical issue
> though:
>
> I believe that information typed into forms on secure websites (https) can
> end up on the hard-disk due to auto-completion. This may mean that
> credit-card information may end up in places where the user does not expect
> it, which is an unacceptable situation.
>
> Can someone confirm that this is indeed the case? Can this be fixed ASAP?

I'm sure that George or Dawit can give a more detailed answer.. but I'll pipe 
in with anecdotal confirmation.  It seems that autocompletion doesn't care if 
the connection is encrypted or not.  It seems to decide on completion based 
on the form itself.

For instance, if I go to sign in to eBay, I have a choice of either SSL or 
non-SSL.  The form is the same for both.. just one is http and the other is 
https.  In BOTH cases, khtml will complete on the user id but will not 
complete on the password field.  This is likely because the password field is 
of type "password".

Just for kicks, though, I looked through khtml/formcompletions to see if 
there was any sensitive data in there.... Yikes!  Quite a few credit cards, 
SS#, passwords, etc.  At a glance, though, it seems like those are the same 
ones that IE completes, too.  Perhaps khtml and IE have the same 
autocompletion policy?  In other words, they behave nicely on well-written 
forms but are too forgiving of poorly written ones?
-- 
Kurt Granroth            | http://www.granroth.org
KDE Developer/Evangelist | SuSE Labs Open Source Developer
granroth@kde.org         | granroth@suse.com
            KDE -- Conquer Your Desktop
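
The two policies contrasted in this thread (deciding by the connection versus deciding by the form itself), combined into one check that runs before a value is written to an on-disk completion store. This is an added example, not khtml code and not part of the original message; the `FieldSubmission` struct, the function names, the `autocomplete="off"` opt-out and the card-number heuristic are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <string>

// Hypothetical description of one submitted form field (not a khtml type).
struct FieldSubmission {
    std::string pageScheme;    // scheme of the page the form was on: "http" or "https"
    std::string inputType;     // value of the input's type attribute
    std::string autocomplete;  // value of the autocomplete attribute, "" if absent
    std::string value;         // what the user typed
};

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// True when value is 13 to 19 digits (spaces and dashes allowed) that pass the
// Luhn checksum, i.e. it is shaped like a payment card number.
bool looksLikeCardNumber(const std::string &value) {
    std::string digits;
    for (unsigned char c : value) {
        if (std::isdigit(c)) digits += static_cast<char>(c);
        else if (c != ' ' && c != '-') return false;
    }
    if (digits.size() < 13 || digits.size() > 19) return false;
    int sum = 0;
    bool doubleIt = false;  // every second digit, counted from the right, is doubled
    for (auto it = digits.rbegin(); it != digits.rend(); ++it) {
        int d = *it - '0';
        if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
        sum += d;
        doubleIt = !doubleIt;
    }
    return sum % 10 == 0;
}

// Decide whether a typed value may be saved for later auto-completion.
bool maySaveCompletion(const FieldSubmission &f) {
    if (lower(f.pageScheme) == "https") return false;    // connection-based rule
    if (lower(f.inputType) == "password") return false;  // form-based rule
    if (lower(f.autocomplete) == "off") return false;    // site opt-out
    if (looksLikeCardNumber(f.value)) return false;      // backstop for poorly written forms
    return true;
}
```

The last rule is the only one that helps when a site serves a card-number field as a plain text input over http, which is the "poorly written form" case raised above.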
