potential disclosure of private data in konqueror
Dirk Mueller
mueller at kde.org
Sun Jan 12 22:49:08 GMT 2003
On Mon, 13 Jan 2003, Tim Jansen wrote:
> If this is a security problem, then what about the following:
> - you paste something in the location bar and send it to your DNS server
That's true, but DNS servers are local. You have to trust your local DNS
server, otherwise there is not much to protect you from anyway.
> - you paste something behind a URL, and send it to the webserver that owns the
> URL
Correct, but it's more difficult to grep for such stuff when you're able to
sniff the traffic. It's far easier with such a "builtin" feature, because
you know what the URL / query will look like. Also for social engineering reasons
eavesdroppers will always want to log queries sent to search engines.
I don't think it's a security problem, that's why I posted it here. It just
makes sense imho to think about it and see if we can do something about it.
The easy fix would be to use https://www.google.com/ instead of http.
Unfortunately Google doesn't seem to support https.
> (it may make sense to limit the number of words to 10. Google does not use
> more words anyway)
True, but one word is enough: a password (worst case)
--
Dirk (received 722 mails today)