[1280] in WWW Security List Archive
Re: SECURITY ALERT: Password protection bug in Netscape 2.0b3
daemon@ATHENA.MIT.EDU (David Orchard)
Tue Dec 19 21:50:17 1995
Date: Tue, 19 Dec 1995 16:40:57 -0800
From: David Orchard <orchard@mda.ca>
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
>
> ] I think you're getting the disk cache confused with Netscape's
> ] authentication. Your demonstration page will not work correctly if
> ] you flush the disk cache before attempting it.
> ]
> ] I don't have 2.0b3, so I can't try the demo, but you may be making a
> ] distinction without a difference. The disk cache is, after all, on
> ] disk, and persists between sessions.
> ]
>
> I seem to remember that some internet-draft or even RFC stated that
> pages needing authorization must (should?) not be cached. If Netscape
> 2.0b3 would place the pages only in memory cache and not in disk cache
> there was no problem, right?
>
> -Wolfram
I doubt it. That assumes a Netscape session is for a single user. Somebody
else mentioned kiosk mode, and memory caching would be a problem in kiosk mode.
With "Netscape in a Nintendo" and ubiquitous browsers, this could be a large
problem.
David Orchard | "Life is a Highway, I want to ride
orchard@mda.ca | it all night long"
MacDonald Dettwiler and Associates | Tom Cochrane
13800 Commerce Parkway
Richmond, B.C., Canada, V6V-2J3
Voice: (604) 278-3411 Fax: (604) 278-3786
http://www.pobox.com/~orchard