KWallet integration
Jörg Walter
jwalt-kde at garni.ch
Thu Sep 4 13:17:38 BST 2003
Am Thursday, 04. September 2003 13:16, schrieb Martijn Klingens:
> Why not? If you distrust an application you can just as well distrust the
> entire system, since an untrusted application can just as well install a
> key logger and pass a separate 'credit card password' to whoever is
> interested.
>
> So either you trust the application and you can just as well put everything
> in the same wallet, or you don't, but then you should not even USE the
> application in the first place, with wallet or not.
You forget the probability of unintentional application misbehaviour, i.e.
bugs. I wouldn't want any app be able to transmit my credit card information
to somewhere just because the app selected the wrong entry due to an
off-by-one error or whatever. If KWallet entries would include a flag telling
which app may use that entry (perhaps just the creating app), then such
errors (including simple automated exploitation attempts and some attack
scenarios relying on social engineering) would be blocked. Installing a
keylogger is much harder for an attacker than making some app misbehave
through invalid input.
--
CU
Joerg
More information about the kde-core-devel
mailing list