KWallet integration

Jörg Walter jwalt-kde at garni.ch
Thu Sep 4 13:17:38 BST 2003


On Thursday, 04 September 2003 13:16, Martijn Klingens wrote:

> Why not? If you distrust an application you can just as well distrust the
> entire system, since an untrusted application can just as well install a
> key logger and pass a separate 'credit card password' to whoever is
> interested.
>
> So either you trust the application and you can just as well put everything
> in the same wallet, or you don't, but then you should not even USE the
> application in the first place, with wallet or not.

You forget the probability of unintentional application misbehaviour, i.e. 
bugs. I wouldn't want any app to be able to transmit my credit card information 
to somewhere just because the app selected the wrong entry due to an 
off-by-one error or whatever. If KWallet entries included a flag telling 
which app may use that entry (perhaps just the creating app), then such 
errors (including simple automated exploitation attempts and some attack 
scenarios relying on social engineering) would be blocked. Installing a 
keylogger is much harder for an attacker than making some app misbehave 
through invalid input.

-- 
CU
   Joerg
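
Added example, not part of the original message and not KWallet code: a minimal C++ model of the per-entry flag proposed above, where only the creating application may read an entry, so a lookup that lands on the wrong entry through an off-by-one is refused. The Wallet class, the appId strings and the sample secrets are hypothetical, and the model assumes the wallet can reliably identify the calling application.

```cpp
#include <map>
#include <set>
#include <string>
#include <vector>

// Hypothetical model, not the KWallet API. Assumes the wallet service can
// reliably tell which application is calling (appId).
struct Entry {
    std::string secret;
    std::set<std::string> allowedApps;  // the per-entry "flag"
};

class Wallet {
public:
    // The creating application becomes the only allowed reader.
    void write(const std::string& appId, const std::string& key, const std::string& secret) {
        Entry e;
        e.secret = secret;
        e.allowedApps.insert(appId);
        entries_[key] = e;
    }
    // Copies the secret to 'out' only if appId is on the entry's allow list.
    bool read(const std::string& appId, const std::string& key, std::string& out) {
        std::map<std::string, Entry>::const_iterator it = entries_.find(key);
        if (it == entries_.end() || it->second.allowedApps.count(appId) == 0) {
            denied_.push_back(appId + " -> " + key);  // record for later review
            return false;
        }
        out = it->second.secret;
        return true;
    }
    const std::vector<std::string>& denied() const { return denied_; }
private:
    std::map<std::string, Entry> entries_;
    std::vector<std::string> denied_;
};

// Constructed scenario: "mailclient" wants keys[0] but an off-by-one makes it
// ask for keys[1], the credit card entry that "shop" created.
std::string offByOneResult(Wallet& w) {
    w.write("mailclient", "imap-password", "constructed-imap-secret");
    w.write("shop", "credit-card", "constructed-card-number");
    const char* keys[] = {"imap-password", "credit-card"};
    std::string out = "<nothing>";
    w.read("mailclient", keys[0 + 1], out);  // the bug: index + 1
    return out;
}
```

The denied() list is where such a refused request would surface, which also gives the user a record of which application asked for which entry.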




