[TriLUG] konqueror security

Tom Bryan tbryan at python.net
Tue Feb 5 14:32:25 EST 2002


On Tuesday 05 February 2002 08:53 pm, M. Mueller (bhu5nji) wrote:
> Has anyone else experienced using konqueror to access a secure website and
> then been unable to logout of the site?

I have that problem with Zope.  It seems to happen with sites that use only 
basic "HTTP Authentication."  Not very secure, but that's the Zope default 
authentication method.

> Any ideas on how to clean out the Go-Most Often Visited list?

It looks like that menu is populated based on your recent History.  Try 
Window->Show Sidebar
Then, expand the History tab in the sidebar, right click on the base URL that 
you'd like to remove, and choose Remove Entry.
(You can also clear the entire history from there.)

I don't think that touches the cache, and I don't think that'll prevent 
someone from logging in if they visit the site.  But it should remove it from 
the list.

> I found that others on the web have discovered this trait in Konqueror and
> described it as Konqueror refusing to release security resources.  They
> also discovered that by logging out, the security resources would be
> released, thus forcing a login to the secure website.  

Yes.  It appears to be some sort of KDE component that Konqueror is using but 
that is persistent between Konqueror restarts.  I'm not sure what that 
component is or whether there's a way to get it to reset.

> machine.  Until I learn more, I will not use any machine that I cannot
> control 100% to access private accounts.  Is this a rational conclusion?

Sure.  Just like in IT: you try to estimate the risk certain actions expose 
you to, determine the cost of avoiding the risks, and decide how much cost 
(money, inconvenience, etc.) you're willing to spend and how much risk you're 
willing to accept.  

Really, if you don't 100% control the machine, it's possible that someone has 
installed a key logger that activates whenever you log in.  Perhaps not 
likely, but it is possible.  They could also run a daemon or service that 
logs all network packets for later analysis and (if necessary) decryption.  

---Tom


