KSSL session reuse bugs

George Staikos staikos at kde.org
Fri Oct 24 06:02:31 BST 2003


On Thursday 23 October 2003 04:31, Stefan Rompf wrote:
> we should not store the sessions KDE-wide. The solution you suggested would
> give everybody who can type "dcop kded kssld" (and has some SSL knowledge)
> the possibility to negotiate weak sessions and make applications use them.
> That would open a gaping security hole.

   I don't think it's that bad of a security hole.  They could easily get it 
other ways.

> So I think the scope of a session must be limited to the io-slave or the
> application. For the current implementation, George decided for
> application, IMHO the right choice.

   Yes, io-slave will never work since we spawn many of them.
  
-- 
George Staikos
KDE Developer				http://www.kde.org/
Staikos Computing Services Inc.		http://www.staikos.net/

More information about the kde-core-devel mailing list