Summary: | password box is not completly secure. (mixmail.ya.com) | ||
---|---|---|---|
Product: | [Applications] konqueror | Reporter: | sepspv |
Component: | khtml | Assignee: | Konqueror Developers <konq-bugs> |
Status: | RESOLVED FIXED | ||
Severity: | grave | CC: | luigiwalser, misc2006, zander |
Priority: | NOR | ||
Version: | unspecified | ||
Target Milestone: | --- | ||
Platform: | RedHat Enterprise Linux | ||
OS: | Linux | ||
Latest Commit: | Version Fixed In: | ||
Sentry Crash Report: |
Description
sepspv
2001-12-04 04:45:40 UTC
well, you cannot copy+paste the password but it could indeed be later used by someone else. i don't consider this a real problem, but i set it to "grave" as a "potential security problem". hmm, any example login I could use for testing ? Daniel, you created one right? Subject: Re: password box is not completly secure. (mixmail.ya.com) On Sunday 22 September 2002 02:35, you wrote: > ------- hmm, any example login I could use for testing ? Daniel, you > created one right? e.g. here: http://www.danielnaber.de/tmp/konqueror.php type password, submit, go back: password still there (the form goes to itself when you submit, but that's not relevant) *** Bug has been marked as fixed ***. I see this bug-fix as a mis-feature. It only brings a false sense of security. If only since session cookies are still available. Now; if you empty the password field when a cookie that is set as a result of that form is expired; then it makes sense. Now its just annoying and does not add any security. Closing konqueror is the only way you can be 'secure' in this matter, and its not that big a problem since starting it again takes minimal time. I recently convinced a number of former IE users to switch to konqueror so they could get around this bad feature :( This just to say I'm definitely not the only one who has a problem with this. Anyway; please consider un-fixing this non-problem. Its bad from a usability point of view and not a security fix at all. Thomas is right. I can see why this was contrived as a security fix, but it's not. Consider Yahoo! Mail. It has a feature where it just automatically logs you out after a certain amount of time. It's annoying, but it is a security feature, because if you leave yourself logged in in a public place (and I mean even closed the browser, but had told it to remember you), someone can only abuse it for a limited time w/out your password. Now, just as a user, it's annoying, and it's nice to be able to go back to the login screen and hit login again. If you didn't want someone else to be able to do that you would have just closed the browser window. This wasn't a security fix, more just an annoyance. It should be reverted. |