Review Request: Using KWallet to store Cookies

Ingo Klöcker kloecker at kde.org
Wed Apr 27 21:49:35 BST 2011


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
http://git.reviewboard.kde.org/r/101241/#review2929
-----------------------------------------------------------


No review of your patch. Rather a question about its usefulness: Why do you think cookies should be stored in KWallet? What is the threat model?

The main reason for storing passwords in KWallet is that KWallet remembers all of those passwords for you. The additional encryption is just a side benefit. Most people wouldn't mind if the encryption was missing and they'd be right because KWallet cannot protect your passwords from somebody who has gained access to your computer (either physically or remotely). The only protection KWallet really offers is against hardware theft, i.e. if your laptop is stolen then your passwords are still safe (provided your master password is strong). But for this threat model hard disk encryption is a much better solution.

So, why do you think cookies should be stored in KWallet? They are already remembered. So, KWallet's main use case (serving as external memory) cannot be the reason. Who do you want to protect your cookies from?

An attacker hacking your computer? If he owns your computer then KWallet won't help you a bit.

A thief stealing your laptop? You should seriously think about hard disk encryption.

Your wife/husband/parents/children? KWallet won't really give you additional protection over the protection offered by normal user account management. If separate user accounts do not give you enough protection, i.e. if your wife/husband/parents/children is/are tech-savvy, then KWallet won't help because physical access trumps any protection KWallet can offer.

I'm not opposed to storing cookies in KWallet. I just think that it makes no sense.

- Ingo


On April 27, 2011, 1:37 a.m., José Millán Soto wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> http://git.reviewboard.kde.org/r/101241/
> -----------------------------------------------------------
> 
> (Updated April 27, 2011, 1:37 a.m.)
> 
> 
> Review request for kdelibs.
> 
> 
> Summary
> -------
> 
> Currently cookies are stored in a plain text file. This patch allows KCookieJar to store the cookies securely using KWallet.
> 
> This patch is based on the one available at https://svn.reviewboard.kde.org/r/4927/diff/5/
> 
> The main difference between this one and the previous one is that there is no longer a timeout, as delayed DBus messages are used.
> 
> 
> Diffs
> -----
> 
>   kioslave/http/kcookiejar/kcookiejar.h 896cab7 
>   kioslave/http/kcookiejar/kcookiejar.cpp b9d5c27 
>   kioslave/http/kcookiejar/kcookieserver.h e6d5658 
>   kioslave/http/kcookiejar/kcookieserver.cpp dbd9bf8 
> 
> Diff: http://git.reviewboard.kde.org/r/101241/diff
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> José
> 
>
