[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kfm-devel
Subject:    Re: Outstanding critical issue for KDE 2.2
From:       Malte Starostik <malte () kde ! org>
Date:       2001-08-01 20:18:33
[Download RAW message or body]

Am Mittwoch, 1. August 2001 21:37 schrieb Kurt Granroth:
> On Wednesday 01 August 2001 11:58 am, Waldo Bastian wrote:
> > KDE 2.2 seems to come along pretty nicely, I do have one critical issue
> > though:
> >
> > I believe that information typed into forms on secure websites (https)
> > can end up on the hard-disk due to auto-completion. This may mean that
> > credit-card information may end up on places where the user does not
> > expect it, which is an unacceptable situation.
> >
> > Can someone confirm that this is indeed the case? Can this be fixed ASAP?
>
> I'm sure that George or Dawit can give a more detailed answer.. but I'll
> pipe in with anecdotal confirmation.  It seems that autocompletion doesn't
> care if the connection is encrypted or not.  It seems to decide on
> completion based on the form itself.
Exactly, it doesn't care if SSL is used or not. Yes, this is a grave privacy 
bug.

> For instance, if I go to sign in to eBay, I have a choice of either SSL or
> non-SSL.  The form is the same for both.. just one is http and the other is
> https.  In BOTH cases, khtml will complete on the user id but will not
> complete on the password field.  This is likely because the password field
> is of type "password".
<input type="password"> are never completed.

> Just for kicks, though, I looked through khtml/formcompletions to see if
> there was any sensitive data in there.... Yikes!  Quite a few credit cards,
> SS#, passwords, etc.  At a glance, though, it seems like those are the same
> ones that IE completes, too.  Perhaps khtml and IE have the same
> autocompletion policy?  In other words, they behave nicely on well written
> forms but are too forgiving of poorly written ones?
Forms can use an attibute ("nocomplete" IIRC, dunno exactly) to disable 
completion for some fields. That attribute is honoured by both IE and KHTML, 
any other text field is completed. But I agree, information entered into SSL 
forms should not be stored.

If anyone knows how to get the SSL status, please speak up :)
BTW, if the form itself is on a http page, but the form submits to https, it 
should be treated as encrypted of course, so it's the target, not the source 
that matters.
I'd be glad if someone else could implement a fix, as I need to do some 
recovery which includes wiping my KDE source and build trees to get some disk 
space I need. Also, as stated before, I have no idea how to get the info 
about SSL or not SSL. But I'll wait for some answers before I kill the files 
:)

Thanks,

-- 
Malte Starostik
PGP: 1024D/D2F3C787 [C138 2121 FAF3 410A 1C2A  27CD 5431 7745 D2F3 C787]

[prev in list] [next in list] [prev in thread] [next in thread]