KWallet integration

Martijn Klingens klingens at kde.org
Thu Sep 4 12:16:46 BST 2003


On Thursday 04 September 2003 12:52, Rob Kaper wrote:
> Applications like Atlantik, Konqueror and Kopete are trusted only because
> we *know* what security procedures are in place and judge them to be
> sufficient.

Do we? How many people know that Kopete stored passwords in plain text up to 
and including 0.6.x? How many people know that the seemingly secure 
"encrypted" password in 0.7.x is only a dead simple hash that can be 
circumvented easily? Only a handful of security-conscious people like you 
know that. KWallet's 'secure by default' encryption would solve the problem 
for real, because it brings actual secure storage to people who don't even 
know what encryption is.

> If the KWallet API would allow for credit card data to be given
> to any of these applications just because I unlocked my IM passwords, then
> I would not consider KWallet trusted for the purpose of storing sensitive
> data such as credit cards.

Why not? If you distrust an application you can just as well distrust the 
entire system, since an untrusted application can just as well install a key 
logger and pass a separate 'credit card password' to whoever is interested.

So either you trust the application and you can just as well put everything in 
the same wallet, or you don't, but then you should not even USE the 
application in the first place, with wallet or not.

-- 
Martijn




More information about the kde-core-devel mailing list