10 Year Old KDE Bug Finally Gets Fixed

  • phoronix
    started a topic 10 Year Old KDE Bug Finally Gets Fixed

    Phoronix: 10 Year Old KDE Bug Finally Gets Fixed

    A bug that has been present in the KDE Libraries for the past decade has finally been fixed...

    http://www.phoronix.com/vr.php?view=MTI3ODk

  • Awesomeness
    replied
    Originally posted by erendorn
    Please correct me if I'm wrong:
    If KWallet password is not set, KWallet content is not encrypted. If my laptop is stolen, KWallet content can be read.
    Not with full disk encryption.

    Originally posted by erendorn
    I personally think that one-step login and off-line protection is a useful feature.
    It's definitively a feature request and not a bug and the claim that it's a bug is the reason why it was even mentioned here in the first place.

  • erendorn
    replied
    Originally posted by Awesomeness
    The longer a script has to sit and wait, the higher the chance of detecting it.

    And even if it was not worse: I see no point developing a KWallet feature that is not superior to the current way.
    Again: If you are concerned about strangers with physical access to your PC, use full disk encryption.
    Please correct me if I'm wrong:
    If KWallet password is not set, KWallet content is not encrypted. If my laptop is stolen, KWallet content can be read.
    If KWallet password is set to the user password, KWallet content is encrypted. One can change the user password, but it won't decrypt KWallet content (root can't change KWallet password). If my laptop is stolen, KWallet content cannot be read. If the user changes their user password, they must change the KWallet password separately (or the GUI must at least do it for them), and the original password is necessary for this.

    The keylogger point is completely moot. If you have one on your PC, you're doomed, whether it takes 0 or 5min between your login and the opening of the KWallet content.

    I personally think that one-step login and off-line protection is a useful feature.

  • Awesomeness
    replied
    Originally posted by ChrisXY
    How is that much worse than a script that just waits for kwallet to open and reads it then?
    The longer a script has to sit and wait, the higher the chance of detecting it.

    And even if it was not worse: I see no point developing a KWallet feature that is not superior to the current way.
    Again: If you are concerned about strangers with physical access to your PC, use full disk encryption.

  • ChrisXY
    replied
    Originally posted by Awesomeness
    If the KWallet password is automatically the same as the user login password, anyone with physical/root access can simply change the user password
    The kwallet password is the same as the login password, but separately set. It could just work together that for this case one only needs one login and changing the user password would not touch kwallet's password.

    Originally posted by Awesomeness
    or alternatively plant a script that reads the contents of KWallet right after login.
    How is that much worse than a script that just waits for kwallet to open and reads it then?

  • Awesomeness
    replied
    Originally posted by ChrisXY
    If I have no password set, anyone with physical/root access can open it, even if I'm not logged in, right?
    If the KWallet password is automatically the same as the user login password, anyone with physical/root access can simply change the user password or alternatively plant a script that reads the contents of KWallet right after login.
    If you are concerned about people having physical access to your PC, go full-disk encryption instead.

  • ChrisXY
    replied
    If I have no password set, anyone with physical/root access can open it, even if I'm not logged in, right?

    If I have a password set but it is the same as my login password an attacker would need me to be logged in.

    The problem is: I first type my password in the login manager and then immediately after that korganizer requests the kwallet password to sync the google calendar. Or maybe networkmanager needs the password for the wireless lan.

    Gnome/gdm can do it. KDE can't. There were some patches floating around somewhere doing something with pam but nobody bothered to implement it in kwallet directly because ksecrets/ksecretservice would be replacing kwallet anyway.

  • Awesomeness
    replied
    Originally posted by ChrisXY
    Some people? would consider it a usability bug.
    Automatic unlocking of KWallet at login is almost as insecure as storing passwords in plaintext: https://bugs.kde.org/show_bug.cgi?id=92845#c129

    If one does not want to be bothered by KWallet authentication requests, simply set no KWallet password and KWallet will silently open in the background when needed.

  • ChrisXY
    replied
    Some people? would consider it a usability bug.

  • GreatEmerald
    replied
    Originally posted by ChrisXY
    So why does kwallet still not unlock on login?

    https://bugs.kde.org/show_bug.cgi?id=92845

    Another one from 2004?
    It's not a bug, it's a feature request.
