[TriLUG] konqueror security

M. Mueller (bhu5nji) bhu5nji at yahoo.com
Tue Feb 5 22:56:29 EST 2002


So if it doesn't work with Konqueror don't use it.  That actually appeals to 
my growing awareness to security issues.  That's a twist I didn't expect.  Now 
in the case of my webhost (averdata.com) who charges me $2.50/month on a 
quarterly basis, I think I'll adapt for now and try to get them to see the 
error of their ways.  They use a third-party billing service so their site 
presumably is not involved in credit transactions.  That's how my domain 
registrar works too (thenec.com).

On Tuesday 05 February 2002 08:03 pm, you wrote:
> Not so! It is only insecure to use konqueror on insecure sites. I use
> konqueror for many secure transactions and have never run into these
> issues, mainly I suspect, because those sites were developed by people who
> understand both usability and authentication.
> I would be more inclined to not use the services of the site you are
> referring to. Just think how secure your credit card or other information
> must be with them.
>
> On Tuesday 05 February 2002 11:56 am, you wrote:
> > When I log out of KDE and log back in and access the secure web site, I
> > am presented with the log-in dialog (as desired).
> >
> > I agree with your point about the poor security authentication of the
> > site, but the Mozilla workaround is easier than the Konqueror
> > workaround.  I'll be forwarding this conversation to the webhost provider
> > so they can be made aware of the problem in more detail.
> >
> > As it stands now, it seems safer to use Mozilla for secure websites.  In
> > doing so, I lose the ability to click to email using KMail, and that's
> > extra work for me.
> >
> > Thanks,
> > Mike
> >
> > On Tuesday 05 February 2002 11:35 am, you wrote:
> > > What happens, when you log out of KDE and log back in? If this fixes
> > > the problem, then it would appear that konqueror starts and stops with
> > > the loading/unloading of KDE, unlike mozilla. In which case, this is
> > > not a security bug in konqueror, but a security issue with the site's
> > > authentication design.
> > >
> > > On Tuesday 05 February 2002 10:53 am, you wrote:
> > > > Has anyone else experienced using konqueror to access a secure
> > > > website and then been unable to logout of the site?
> > > >
> > > > When I go to my webhost control website, I have to login.  When I am
> > > > finished, I have to close the browser.  That's lame, I know, but
> > > > that's how it is according to the webhost support team.  With Mozilla
> > > > this works fine. With Konqueror I go right back to the secure area I
> > > > left when I bring up a new browser session and access the website
> > > > again.
> > > >
> > > > I tried turning off cache and purging cache.  I killed all the
> > > > cookies. I rm'd ~/.kde/share/config/konq_history.  I rm'd
> > > > ~/.kde/share/konqueror/konq_history. Nothing worked to solve this
> > > > problem.
> > > >
> > > > To make matters worse, the Go-Most Often Visited menu seems
> > > > impossible to clean out.  As a result, anyone can click on the links
> > > > in the list and go straight to the secure areas that cannot be logged
> > > > out of.  I grepped on the strings displayed in the menu and never
> > > > found anything. I did:
> > > >
> > > > cd ~
> > > > grep -r "menu string here" ./*
> > > >
> > > > Any ideas on how to clean out the Go-Most Often Visited list?
> > > >
> > > > I found that others on the web have discovered this trait in
> > > > Konqueror and described it as Konqueror refusing to release security
> > > > resources. They also discovered that by logging out, the security
> > > > resources would be released, thus forcing a login to the secure
> > > > website.  I checked out this report and verified it as being true. 
> > > > The Go-Most Often Visited menu was not cleared.
> > > >
> > > > This behavior is unsettling to me.  If I use Konqueror on a machine
> > > > that does not belong to me to access my private accounts, I am left
> > > > wondering if I can eliminate remnants of information about my
> > > > accounts from that machine.  Until I learn more, I will not use any
> > > > machine that I cannot control 100% to access private accounts.  Is
> > > > this a rational conclusion?
> > > >
> > > > Mike M.
> > > > _______________________________________________
> > > > TriLUG mailing list
> > > > http://www.trilug.org/mailman/listinfo/trilug
