Re: [g-a-devel]role type - "password-text"
- From: Bill Haneman <bill haneman sun com>
- To: peter korn sun com
- Cc: Michael Meeks <michael ximian com>, "Padraig O'Briain" <Padraig Obriain sun com>, accessibility mailing list <gnome-accessibility-devel gnome org>, anju premachandran wipro com, mukund rajagopalan wipro com, Marc Mulcahy <marc mulcahy sun com>
- Subject: Re: [g-a-devel]role type - "password-text"
- Date: 30 Jul 2002 11:19:47 +0100
On Tue, 2002-07-30 at 09:56, Peter Korn wrote:
> Hi Michael,
>
> > On Mon, 2002-07-29 at 06:56, Bill Haneman wrote:
> > > I do believe this is a security bug, my understanding has always been
> > > that a text field should report what is displayed in this case and not
> > > what was typed in.
> > >
> > > Certainly if we expose the password text here it creates very
> > > significant security issues for at-spi and accessibility solutions.
> >
> > I'm extremely un-certain that this is a security bug in at-spi, if
> > we remove all ways of determining what text is in that field, we have
> > screwed with eg. braille displays - that don't speak the string out to
> > the whole room [ not that an a11y desktop user would be using anything
> > but headphones in an office space I'm sure ;-].
>
> FYI - I know of users who would put their passwords into the pronunciation
> exception dictionaries, so that when read aloud, they would be pronounced
> as a completely different word, thereby confusing anyone who was
> listening...
Yes, this is a clever (and interesting) workaround. However I think
that for at-spi, exposing the plaintext makes for a too-easily-exploited
hole (since it's very easy to write a utility that snoops at-spi).
-Bill
>
> Peter Korn
> Sun Accessibility team