| Summary: | confirmation dialog before password verification | | |
|---|---|---|---|
| Product: | [Applications] krfb | Reporter: | Waldo Bastian <bastian> |
| Component: | general | Assignee: | George Goldberg <grundleborg> |
| Status: | CONFIRMED --- | | |
| Severity: | normal | CC: | grundleborg |
| Priority: | NOR | | |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Platform: | Compiled Sources | | |
| OS: | Linux | | |
| Latest Commit: | | Version Fixed In: | |
Description
Waldo Bastian
2004-08-19 17:43:21 UTC
True. I agree mostly, but one of the reasons for that design was that it allowed me to have krfb always running with a good conscience. Every bit of data from an unauthenticated host that is processed by a C application is a large risk. If there were a bug (e.g. a buffer overflow) in the authentication code, this would be a fatal security problem. Every KDE system that has either an open invitation or a permanent password would be vulnerable. Asking the user for a confirmation before any data is processed solves that problem to some degree. I have used krfb for remotely assisting users in the past, but this has become unusable because users were getting loads of connection requests from all over the internet. Maybe a whitelist of allowed remote hosts can solve this problem?

FYI: KRFB has been unmaintained for over a year now, despite numerous attempts to find someone interested in picking it up. Until someone does, the future of the program is uncertain.

Issue still stands in KDE4.3.
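The comment proposes a whitelist of allowed remote hosts as a gate that runs before any bytes from an unauthenticated peer reach the authentication code. The following is an added example of that gate and is not krfb's own code; it assumes IPv4 peers, a user-configured rule string of comma-separated addresses or CIDR networks (e.g. "192.168.1.0/24,10.0.0.5"), and that the accept loop calls `gate_connection` on the peer address before reading anything from the socket. A malformed rule is treated as deny for the whole list rather than being silently skipped.

```c
/* Added example (not krfb code): IPv4 allowlist gate evaluated before any
 * protocol bytes from the peer are parsed.  Rule string format assumed here:
 * "a.b.c.d" or "a.b.c.d/len" entries separated by commas. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct allow_entry {
    uint32_t net;   /* network address, host byte order */
    int prefix;     /* prefix length, 0..32 */
};

/* Parse "a.b.c.d" or "a.b.c.d/len". Returns 0 on success, -1 if malformed. */
static int parse_cidr(const char *text, struct allow_entry *out)
{
    char buf[32];
    if (strlen(text) >= sizeof buf)
        return -1;
    strcpy(buf, text);

    int prefix = 32;
    char *slash = strchr(buf, '/');
    if (slash) {
        *slash = '\0';
        char *end;
        long p = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || p < 0 || p > 32)
            return -1;
        prefix = (int)p;
    }
    struct in_addr a;
    if (inet_pton(AF_INET, buf, &a) != 1)
        return -1;
    out->net = ntohl(a.s_addr);
    out->prefix = prefix;
    return 0;
}

static uint32_t prefix_mask(int prefix)
{
    /* shifting a 32-bit value by 32 is undefined, so handle /0 explicitly */
    return prefix == 0 ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - prefix));
}

/* 1 = peer matches a rule, 0 = no match, -1 = peer address malformed,
 * -2 = a rule in rules_csv is malformed (caller must treat as deny). */
int check_peer(const char *peer, const char *rules_csv)
{
    struct in_addr a;
    if (inet_pton(AF_INET, peer, &a) != 1)
        return -1;
    uint32_t ip = ntohl(a.s_addr);

    char buf[256];
    if (strlen(rules_csv) >= sizeof buf)
        return -2;
    strcpy(buf, rules_csv);   /* strtok needs a writable copy */

    int matched = 0;
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        struct allow_entry e;
        if (parse_cidr(tok, &e) != 0)
            return -2;
        uint32_t m = prefix_mask(e.prefix);
        if ((ip & m) == (e.net & m))
            matched = 1;   /* keep going so a bad rule later still rejects */
    }
    return matched;
}

/* Accept-loop gate: only an explicit match lets the connection proceed to
 * the RFB handshake; every other outcome closes the socket unread. */
int gate_connection(const char *peer, const char *rules_csv)
{
    return check_peer(peer, rules_csv) == 1;
}

int main(void)
{
    /* constructed sample peers and rules; nothing on the network is touched */
    const char *rules = "192.168.1.0/24,10.0.0.5";
    const char *peers[] = { "192.168.1.77", "192.168.2.1", "10.0.0.5", "10.0.0.6", "bogus" };
    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++)
        printf("%-14s -> %s\n", peers[i],
               gate_connection(peers[i], rules) ? "accept" : "drop");
    return 0;
}
```

The gate only consumes the peer address the kernel already provides from `accept()`, so no attacker-controlled bytes are parsed for a host that is not on the list; the confirmation dialog the comment describes can then be shown only for listed hosts, or skipped for them, depending on policy.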