[1276] in WWW Security List Archive
Re: caching protected documents
daemon@ATHENA.MIT.EDU (Michael Brennen)
Tue Dec 19 14:05:48 1995
Date: Tue, 19 Dec 1995 09:36:18 -0600 (CST)
From: Michael Brennen <mbrennen@fni.com>
To: Pitt Crandlemire <pittc@syncon.com>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <199512190403.XAA16027@zork.tiac.net>
Errors-To: owner-www-security@ns2.rutgers.edu
On Mon, 18 Dec 1995, Pitt Crandlemire wrote:
> True but all cache settings are completely user configurable, including
> setting no cache at all. Thus, Netscape satisfactorily addresses security
> in that they make a secure option available and leave it to the end user to
> determine the level of security necessary for their environment.
And how many users do you think understand the security significance of
this setting? Did you understand this two weeks ago? Before this thread
started, did Netscape "satisfactorily address" address security issues so
that you understood precisely the security ramifications of all the
choices you can set in the browser?
I don't think so.
I suggest that Netscape was not thinking of security concerns at all when
this was done. Disk cache was not designed particularly with security
tradeoffs in mind at all, or there would be much more clear explanations
already plastered around the choices. I suggest that disk cache was
designed for perceived speed, and I also suspect that the security
concerns about authentication caching snuck up on them after the fact.
Sure, someone in the back room knew about this, but did anyone really
think this would be an issue?
Given the far more serious laxness that Netscape showed in the random
number generation for SSL keys, I'm not willing to give them credit for
having thought through the security implications of stashing the
authentication key on the disk.
Does this make the browser useless? No -- they are a typical company that
oversold their deliverables and are now having to scramble around the
backlash of what they had not done carefully enough in the first place.
Pretty standard scenario. They will come out of it, and so will the rest
of us.
Michael
---------------------------------------------------------------------
Michael Brennen, President / / mbrennen@fni.com
FishNet, Inc. / Internet / http://www.fni.com/
P.O. Box 940451 / Services / (214) 783-2553 (vox/fax)
Plano, TX 75094-0451 / / finger me for PGP public key
