KWallet integration - from the developer

George Staikos staikos at kde.org
Thu Sep 4 13:52:51 BST 2003


On Thursday 04 September 2003 08:24, Martijn Klingens wrote:
> On Thursday 04 September 2003 14:17, Jörg Walter wrote:
> > You forget the probability of unintentional application misbehaviour,
> > i.e. bugs. I wouldn't want any app be able to transmit my credit card
> > information to somewhere just because the app selected the wrong entry
> > due to an off-by-one error or whatever. If KWallet entries included
> > a flag telling which app may use that entry (perhaps just the creating
> > app), then such errors (including simple automated exploitation attempts
> > and some attack scenarios relying on social engineering) would be
> > blocked. Installing a keylogger is much harder for an attacker than
> > making some app misbehave through invalid input.
>
> Given the current KWallet API and the way Kopete uses it I somewhat doubt
> this is needed, but George has the final word here...

  Any app can send the wrong information by accident.  This is why we have 
folders.  It keeps the data separate.  Web forms are the only real collision 
case that I know of, and they populate the data in the form but do NOT send 
it automatically.

  Anyways, I really don't have time to read this thread before it dies off and 
you guys all forget about it already.  Can we get a 
kde-core-devel-kwallet-digest? :-)

   Seriously, I don't want to have a "final word" here.  However I don't have 
time to deal with speculation and unfounded criticism.  If anyone wanted to 
do that, they missed their chance while I was at Nove Hrady.  I was there for 
days after the paper was published and the talk was presented, and even after 
most of the code was in CVS.  I am now extremely busy catching up after Nove 
Hrady so here is my policy regarding KWallet:

   1) If you have a serious security or privacy concern, founded, and provably 
exploitable, please contact me directly and immediately.  Note that after 
some research by Dirk and me, it seems that our implementation is far more 
secure than other existing implementations.  I'm still open to suggestions 
though.

   2) If you have a substantial improvement idea for the design or the 
implementation, first check kdeutils/kwallet/TODO, then email me, preferably 
with a patch, at least with the idea.

   3) The UI probably needs lots of help and I doubt I would mind if some UI 
wizards did some cleanup.  CCMAIL me the commits if you're feeling extra 
friendly.

   4) If you have UI and usability complaints, do not send them my way unless 
you are prepared to back them up with comparisons against other such systems.  
Have a look at Apple's system, passport, or some other similar system.  The 
only big difference we have at this point is that we don't reuse the system 
login password for the wallet password.  I think you can agree with me that 
this is a bad idea for us to emulate.

   5) API and application integration.  If you think it's too difficult to 
integrate with your app, please tell me why and suggest an alternative 
approach.  My goal is to keep almost all error handling inside 
libkwalletclient and kwalletd, and to keep the API very simple.  If it's too 
simple, I can change it.

  Thanks for your understanding with this.

-- 
George Staikos
KDE Developer				http://www.kde.org/
Staikos Computing Services Inc.		http://www.staikos.net/
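The thread above contrasts two mitigations for an application picking the wrong secret by accident: the folder separation George describes, and the per-entry "which app may use this" flag Jörg proposes. The toy model below is an added example written for this archive page; it is not KWallet or libkwalletclient code, and every app name, folder name and secret value in it is constructed. It stores entries under folders, records the creating app as the owner, refuses reads and overwrites by any other app, and then replays the off-by-one lookup from the discussion to show what each mechanism does and does not catch.

```python
"""Toy secrets store: folder separation plus a per-entry owner flag.

Constructed illustration of the design points raised on kde-core-devel;
not KWallet's implementation. All names and values below are made up.
"""
from __future__ import annotations

from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when an app touches an entry created by a different app."""


@dataclass
class Entry:
    value: str
    owner: str  # hypothetical per-app flag: the application that created the entry


class Wallet:
    def __init__(self) -> None:
        # folder name -> key -> Entry. Folders are the separation George refers to.
        self._folders: dict[str, dict[str, Entry]] = {}

    def write(self, app: str, folder: str, key: str, value: str) -> None:
        entries = self._folders.setdefault(folder, {})
        current = entries.get(key)
        # Owner check on overwrite, so a misbehaving app cannot clobber another app's entry.
        if current is not None and current.owner != app:
            raise AccessDenied(f"{app} may not overwrite {folder}/{key} (owner {current.owner})")
        entries[key] = Entry(value, owner=app)

    def read(self, app: str, folder: str, key: str) -> str:
        entries = self._folders.get(folder, {})
        if key not in entries:
            raise KeyError(f"{folder}/{key}")
        entry = entries[key]
        # Owner check on read: the flag Jörg suggested, enforced by the store, not the caller.
        if entry.owner != app:
            raise AccessDenied(f"{app} may not read {folder}/{key} (owner {entry.owner})")
        return entry.value

    def keys(self, folder: str) -> list[str]:
        return sorted(self._folders.get(folder, {}))


def can_read(wallet: Wallet, app: str, folder: str, key: str) -> bool:
    """True if `app` is allowed to read the entry; False on denial or absence."""
    try:
        wallet.read(app, folder, key)
        return True
    except (AccessDenied, KeyError):
        return False


def buggy_lookup(wallet: Wallet, app: str, folder: str, wanted: str) -> str:
    """Simulates the off-by-one bug from the thread: the app indexes into the
    folder's key list and lands on the neighbouring entry instead of `wanted`."""
    keys = wallet.keys(folder)
    idx = keys.index(wanted)
    wrong = keys[(idx + 1) % len(keys)]  # off by one
    return wallet.read(app, folder, wrong)


def demo() -> dict[str, str]:
    """Replay three scenarios and report what happened in each."""
    w = Wallet()
    # Constructed sample data: two apps share the "Passwords" folder,
    # a third keeps its data in its own folder.
    w.write("kopete", "Passwords", "icq-account", "icq-secret")
    w.write("kopete", "Passwords", "msn-account", "msn-secret")
    w.write("shop-app", "Passwords", "shop-card", "4111-constructed")
    w.write("browser", "Form Data", "card-number", "5500-constructed")

    results: dict[str, str] = {}

    # 1) Off-by-one lands on another app's entry in the shared folder:
    #    the owner flag blocks it (sorted keys: icq-account, msn-account, shop-card).
    try:
        buggy_lookup(w, "kopete", "Passwords", "msn-account")
        results["cross_app_in_shared_folder"] = "leaked"
    except AccessDenied:
        results["cross_app_in_shared_folder"] = "blocked"

    # 2) Off-by-one lands on the same app's neighbouring entry:
    #    neither folders nor the owner flag help, the app still gets the wrong secret.
    results["same_app_neighbour"] = buggy_lookup(w, "kopete", "Passwords", "icq-account")

    # 3) Data in a different folder is simply not visible to a lookup in "Passwords".
    results["other_folder"] = "present" if "card-number" in w.keys("Passwords") else "not present"
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The model makes the trade-off in the thread concrete: the owner flag is a store-side check that stops one application's bug from handing it another application's secret, which folder separation alone does not do once two apps share a folder. Neither mechanism protects an app from mis-selecting among its own entries, which is why the check belongs in the store rather than in each client.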