RFC: Moving KWallet Password dialog into Plasma

Fri Jul 20 18:07:20 BST 2012

On Friday 20 July 2012 18:48:47 Thomas Lübking wrote:
> Like into the plasma-desktop process which shares memory with random
> plasmoids of questionable source?
> No. And I mean "no way". The wallet password dialog isn't very secure
> anyway, but passing the password through plasma means to open it
> anywhere. (next step is dbus to pass it down to kwalletd?)
Have you ever looked at how kwallet passes the passwords to the requesting 
clients? Or how a window gets authenticated to access the password it asks 
for?

Once the wallet is open every running application can read each single 
password. So does not sound very secure to me in the first place.

I'm not sure whether there needs to be further protection given that if there 
is malicious code it has access to everything anyway, just not the master 
password.
> ... the danger is here that users misinterpret it as "system message
> annoyance i don't care about" because there's no obvious relation
> (blocking their current task) and that also means there's no strong
> hint why the irc on the lower left just froze while that dialog in the
> upper right shows up.
I hope that clients would add a "waiting for password" to their UI or 
something like that.
> 
> > and not some random malware
> 
> i'm waiting for the first "very important" client to feign a system message
> :(
> > So what do you think?
> 
> https://bugs.kde.org/show_bug.cgi?id=92845
> 
> not read through it, but gg found it immediately ;-)
Yeah I'm in the CC of this bug report since August 2007. I kind of gave up the 
hope for that to happen :-)

Cheers
Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20120720/2a34dcc4/attachment.sig>