[1283] in WWW Security List Archive


Re: SECURITY ALERT: Password protection bug in Netscape 2.0b3

daemon@ATHENA.MIT.EDU (Jeff Weinstein)
Wed Dec 20 05:51:12 1995

To: www-security@ns1.rutgers.edu
From: Jeff Weinstein <jsw@netscape.com>
Date: Wed, 20 Dec 1995 00:00:19 -0800
To: Wayne Wilson <wwilson@umich.edu>
Errors-To: owner-www-security@ns2.rutgers.edu

Wayne Wilson wrote:
>   If the issue is one of making network performance optimizations (which
> is not achieved if you flush before re-access!, then why keep it at all),
> I would suggest the following compromise to keep the
> cached document on disk:  establish a session key and encrypt the
> document with it.  That way, when the browser is exited, the session key
> is lost and the cached document is now unreadable ... but then you still
> have to have a way to delete from the cache ...  In the end, it would
> seem simpler to just not cache protected documents in the first place.

  We have discussed giving the user the option of encrypting all or part
of their disk cache.  It may be a feature in some future release, but no
promises.  If a content provider does not want their pages cached, they
can send the 'Pragma: no-cache' HTTP header.  If a user does not want them
cached, they can either disable their cache, or clear it when they are
done with their session.  I would like to see more control of this
behaviour put into the hands of the user in some future release.

	--Jeff

-- 
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
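
The session-key disk cache proposed in the quoted text, combined with the 'Pragma: no-cache' opt-out mentioned in the reply, as an added Node.js example (not part of the original message and not Netscape code). AES-256-GCM, the on-disk layout and all function names are assumptions made for illustration.

```javascript
// Added example, not Netscape code. Names and file layout are assumptions.
const crypto = require("crypto");
const fs = require("fs");
const path = require("path");

// One browser session: the key exists only in this object, never on disk.
function newSession(cacheDir) {
  return { cacheDir, key: crypto.randomBytes(32) };
}

// File name is a hash of the URL, so a later session can find old entries.
function entryPath(session, url) {
  const name = crypto.createHash("sha256").update(url).digest("hex");
  return path.join(session.cacheDir, name);
}

// headers: response headers with lower-cased names. Returns true if cached.
function store(session, url, headers, body) {
  const pragma = (headers["pragma"] || "").toLowerCase();
  if (pragma.split(",").some((t) => t.trim() === "no-cache")) return false;
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", session.key, iv);
  cipher.setAAD(Buffer.from(url)); // bind the ciphertext to its URL
  const ct = Buffer.concat([cipher.update(body), cipher.final()]);
  const blob = Buffer.concat([iv, cipher.getAuthTag(), ct]);
  fs.writeFileSync(entryPath(session, url), blob, { mode: 0o600 });
  return true;
}

// Returns the plaintext Buffer, or null on a miss.
function load(session, url) {
  const file = entryPath(session, url);
  if (!fs.existsSync(file)) return null;
  const blob = fs.readFileSync(file);
  try {
    if (blob.length < 28) throw new Error("truncated entry");
    const d = crypto.createDecipheriv("aes-256-gcm", session.key, blob.subarray(0, 12));
    d.setAAD(Buffer.from(url));
    d.setAuthTag(blob.subarray(12, 28));
    return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
  } catch (err) {
    // Written under another session's key, truncated, or modified: delete it.
    fs.unlinkSync(file);
    return null;
  }
}
```

Entries left behind by an earlier session fail authentication under the new key and are deleted on first access, which covers the "way to delete from the cache" concern only for entries that are requested again; a sweep of the cache directory at startup would handle the rest.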
