[TriLUG] konqueror security

Craig Duncan craigduncan at nc.rr.com
Tue Feb 5 20:03:27 EST 2002


Not so! It is only insecure to use konqueror on insecure sites. I use 
konqueror for many secure transactions and have never run into these issues, 
mainly I suspect, because those sites were developed by people who understand 
both usability and authentication. 
I would be more inclined to not use the services of the site you are 
referring to. Just think how secure your credit card or other information 
must be with them.

On Tuesday 05 February 2002 11:56 am, you wrote:
> When I log out of KDE and log back in and access the secure web site, I am
> presented with the log-in dialog (as desired).
>
> I agree with your point about the poor security authentication of the site,
> but the Mozilla work around is easier than the Konqueror workaround.  I'll
> be forwarding this conversation to the webhost provider so they can be made
> aware of the problem in more detail.
>
> As it stands now, it seems safer to use Mozilla for secure websites.  In
> doing so, I lose the ability to click to email using KMail, and that's
> extra work for me.
>
> Thanks,
> Mike
>
> On Tuesday 05 February 2002 11:35 am, you wrote:
> > What happens, when you log out of KDE and log back in? If this fixes the
> > problem, then it would appear that konqueror starts and stops with the
> > loading/unloading of KDE, unlike mozilla. In which case, this is not a
> > security bug in konqueror, but a security issue with the site's
> > authentication design.
> >
> > On Tuesday 05 February 2002 10:53 am, you wrote:
> > > Has anyone else experienced using konqueror to access a secure website
> > > and then been unable to logout of the site?
> > >
> > > When I go to my webhost control website, I have to login.  When I am
> > > finished, I have to close the browser.  That's lame, I know, but that's
> > > how it is according to the webhost support team.  With Mozilla this
> > > works fine. With Konqueror I go right back to the secure area I left
> > > when I bring up a new browser session and access the website again.
> > >
> > > I tried turning off cache and purging cache.  I killed all the cookies.
> > > I rm'd ~/.kde/share/config/konq_history.  I rm'd
> > > ~/.kde/share/konqueror/konq_history. Nothing worked to solve this
> > > problem.
> > >
> > > To make matters worse, the Go-Most Often Visited menu seems impossible
> > > to clean out.  As a result, anyone can click on the links in the list
> > > and go straight to the secure areas that cannot be logged out of.  I
> > > grepped on the strings displayed in the menu and never found anything. 
> > > I did:
> > >
> > > cd ~
> > > grep -r "menu string here" ./*
> > >
> > > Any ideas on how to clean out the Go-Most Often Visited list?
> > >
> > > I found that others on the web have discovered this trait in Konqueror
> > > and described it as Konqueror refusing to release security resources.
> > > They also discovered that by logging out, the security resources would
> > > be released, thus forcing a login to the secure website.  I checked out
> > > this report and verified it as being true.  The Go-Most Often Visited
> > > menu was not cleared.
> > >
> > > This behavior is unsettling to me.  If I use Konqueror on a machine
> > > that does not belong to me to access my private accounts, I am left
> > > wondering if I can eliminate remnants of information about my accounts
> > > from that machine.  Until I learn more, I will not use any machine that
> > > I cannot control 100% to access private accounts.  Is this a rational
> > > conclusion?
> > >
> > > Mike M.
> > > _______________________________________________
> > > TriLUG mailing list
> > > http://www.trilug.org/mailman/listinfo/trilug


