Solve current problems with the KWallet system

Madman
How easy would an SSL connection be to implement now? Especially with current applications using DBus...

What a paradigm: the only people that really know about KWallet's vulnerabilities are the users. At least the developers can do something about it then...(?)


Madman, proud to be a member of KDE forums since 2008-Oct.
bcooksley
I don't know how hard it would be. QCA would probably help make it easier though.


KDE Sysadmin
bratwurst
bcooksley wrote: Running as a different user wouldn't help. The best way would probably be to use some form of a system like SSL, which would be part of the registration process, which would be the only way to truly be secure.


Wouldn't it be possible to run ptrace on kwalletd to read its memory and parse it to collect whatever passwords are stored there? That's why I'm proposing running kwalletd as another, separate user.

And what about a process trying to impersonate another on dbus... is it impossible?
SSL wouldn't help if the kwalletd and the application can't make it clear to one another that they really are what they say they are.

Last edited by bratwurst on Thu Apr 30, 2009 9:29 pm, edited 1 time in total.
Madman
I'm glad to have sparked such a discussion o.o


Madman, proud to be a member of KDE forums since 2008-Oct.
bcooksley
You could run ptrace on any process which includes password management. And the applications receiving the passwords could be read as well, so running as another user won't really help (it can't anyway, since it won't have access to the user's dbus session bus).

Unfortunately, there is no way to ensure the identity of applications.


KDE Sysadmin