form security stuff

George Staikos staikos at kde.org
Mon Apr 21 20:24:35 CEST 2003


On Saturday 19 April 2003 12:10, Dirk Mueller wrote:
> On Fri, 18 Apr 2003, George Staikos wrote:
> > Isn't this effectively the same situation that caused a huge long thread
> > on kde-core-devel over a year ago?  This is the behaviour I want anyways,
> > so I'm happy.
>
> Well, I am not :-)
>
> It seems I misunderstood the purpose of the patch. Testing further with IE
> shows that this is about *completion*, not about session history.

  Yes, and the thread on kcd was about completion too.

> As we already implement fully the autocomplete IE extension I don't see any
> further reason for merging this code. After all for me the whole purpose of
> completion is to not type in my personal address etc each and every time.
> If we disable completion in https forms, we can as well remove completion
> altogether.

   Hopefully the wallet will be available soon.  The problem is that storing 
personal information on disk silently is not what all users will expect.  
They think the information is simply transmitted to the server (and hopefully 
they obey their privacy policy).  This is worse when using a computer that is 
not your own.

> I've retested Mozilla and it behaves similar. So in my opinion removing
> autocompletion goes too far, and if somebody manages to read the
> ~/.kde/share/apps/khtml/formcompletions file the LEAST of your worries is
> your email or postal address that might get stolen.

   This is still a problem for shared computers.  Another problem is that this 
data could stay for a very long time.  You sell your hard disk not knowing 
that this information was once recorded (and even if it is formatted it is 
still recoverable).

   At least if it's encrypted it prevents these problems assuming that the 
password is strong and secret enough.

> >    We'll have to enhance for KWallet again too.
>
> Like.. make it work? :-) SCNR, but I'd love to see this, for storing
> passwords and being able to autocomplete them in webforms (annoying
> bugzilla asking for the password each and every time).

    Yes I meant to be working on it again already but too much came up.  It's 
my project for May now.

-- 
George Staikos
KDE Developer					http://www.kde.org/
Staikos Computing Services Inc.		http://www.staikos.net/

