The situation of KWallet, and what to do about it?

Thu Jul 7 11:17:12 UTC 2016

On Thursday, July 7, 2016 12:36:26 PM CEST Thomas Pfeiffer wrote:
> Hi everyone,
> I'm addressing both the Plasma team and kde-devel because this issue affects
> Plasma as well as many applications, and Valentin as the current maintainer
> of KWallet as well as KSecretService, a potential replacement for it.
> 
> KWallet plays a central role in Plasma and many KDE applications as the
> central password storage. However, it being very old and not having been
> actively developed for a long time, it has lots of problems, including:
> 
> - It has weak security, as it does not restrict applications accessing it by
> default, and even when it does, it does so simply based on application name
> which allows any malicious process to impersonate an allowed one
> - The initial setup has huge usability problems, as it forces users to make
> a choice on a very advanced technical level (encryption methods, no less!),
> and the option it suggests (GPG) is a nightmare to set up for ordinary
> users - It does support unlocking via PAM, but does not tell users what
> they need to do to make that work, which results in most users having to
> enter the KWallet password at each system start, which many find very
> annoying (we get lots of negative feedback for that)
> - It works only with KDE Frameworks-based applications
> - One cannot easily write a QML GUI for it, making it unsuitable for mobile

Adding some more:
- kwallet dialog allows keyloggers on X11 (in defence of KWallet, I only know 
of pinentry which handles this properly at the cost of severely degraded user 
experience)
- kwallet does not protect against ptrace (I didn't add the protection, due to 
the keylogger rendering it point less)
- kwallet dialog windows sometimes are placed at the bottom of the stack due 
to focus stealing prevention (this happens for example with akonadi/other 
daemons)
- kwallet shows total giberish like "kded requested to open the wallet"
- if one doesn't unlock the wallet fast enough applications start asking for 
the password. So getting a coffee while desktop starts results in thousands of 
password windows.

> 
> Valentin has been working on KSecretService for quite a while, which is
> based on the freedesktop Secrets API [1] that is also supported in GNOME
> Keyring, and would solve many (and ideally all) of the above problems.
> However, Valentin told me he does not have the time to work on
> KSecretService any more.
> 
> This means we have to find a solution to these problems. The options I see
> currently are
> - Improve KWallet (unlikely to fix all the problems without massive changes
> in it, though)
> - Find someone to finish and maintain KSecretService

how much work is still needed?

> - Build a wrapper around one of the other existing keyring technologies
> - Each application (and each Plasma component that stores passwords)
> implements its own encrypted password storage
> - We make encrypted password storage optional and non-default (easiest
> solution, but not exactly in line with KDE's vision)

For Plasma I would like to see unlocking the wallet integrated into the 
desktop shell in some way. That would fix problems like the incorrect stacking 
order and we can easily protect against keyloggers, etc. Especially on Wayland 
I would like KWin having more control of entering passwords (KWin should know 
that a password is entered and make it impossible to steal focus then).

Cheers
Martin

Now going to use the secure pinentry, by clicking send
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: This is a digitally signed message part.
URL: <http://mail.kde.org/pipermail/plasma-devel/attachments/20160707/3cee851f/attachment.sig>