[1296] in WWW Security List Archive
Re: caching protected documents
daemon@ATHENA.MIT.EDU (Jeff Weinstein)
Thu Dec 21 05:51:37 1995
Date: Thu, 21 Dec 1995 00:07:14 -0800
From: Jeff Weinstein <jsw@netscape.com>
To: Brain21 <brain21@montag33.residence.gatech.edu>
CC: www-security@ns1.rutgers.edu, wwilson@umich.edu
Errors-To: owner-www-security@ns2.rutgers.edu

Brain21 wrote:
>
> On Wed, 20 Dec 1995, Jeff Weinstein wrote:
>
> > that the "authentication key"(password) was somehow being saved by
> > netscape. In fact it was not, and what he was seeing was the result of
> > a minor bug in the caching code, displaying a page that should have
> > been thrown out of the cache. If the server was ever contacted again,
> > a real username and password would have to be typed to access protected
> > pages.
> >
> Unless I misunderstand, this is not correct. I have accessed a
> page w/ netscape, I then gave it some information (filled out a form) and
> submitted it. Upon clicking on submit I was prompted for a UID and
> password. It then submitted the information, and took me to another page
> for the result of the search. Upon hitting the "Back" key I was returned to
> the form with the information typed in (IOW, exactly how it looked before I
> clicked on submit). I could then erase the data in the window (form) and
> enter new data, click on submit, and get the database information, all
> w/o being asked for the password upon submitting the form. I never
> really thought too much about this since the office that I work in is
> accessed by only 3 other people all of whom have access to this
> database. However, it appears that while you would have to submit your
> UID and password if the pages are bookmarked, you would not if it is
> during the same session. If I access a protected document in a session,
> and then go to perhaps yahoo, then minimize my client and go to the
> bathroom anyone can come up to my machine, and just start hitting the
> "Back" button until they get to the page with the form. There is NO
> prompt for a password.

The HTTP auth passwords are cached IN MEMORY, during a single
session. As far as I can tell, every browser does this. They are
not cached on the disk at all.

> I go to a page. The page is a form, say for corporate information or
> proprietary documents. I input the name of the information or document
> for the client to access. Say I fill in the form the word IRS. I hit
> submit and I am prompted for a password (so far ONLY the page w/ the
> form, an unprotected page, is in the cache). I enter my UID and my
> password. I am authenticated, and taken to the protected page with all
> of our company's tax info. So far there are two pages in the cache: the
> original form page (blank), and the protected IRS-info page. Now I click
> on yahoo in my bookmark, OR I manually type in the address, or I follow
> a link. Now Yahoo is in the cache, and I am "away" from the server with
> the form and IRS-info-protected page. I have three pages in the cache.
> I perform a search, and browse the web for a while. I then start to hit
> the "Back" button. I am back at yahoo. I hit "Back" again, and I am at
> the IRS-info-protected page, and NO PASSWORD was asked of me. There it
> is. Here's the good part.... I hit "Back" again and I am at the first
> cached page, the form page, with the key-word IRS *STILL* in the form.
> So what do I do? I double-click on the words IRS and enter CIA and hit
> "submit." I am now taken to the CIA-info page, a NON-CACHED PAGE, and I
> am NOT ASKED for a password. So, I am not prompted for a password and am
> taken to a page that is supposed to require it. As long as I can get to
> that form page in the same session, I can get anything from that form
> w/o needing a password. Now where's our T-Shirts?

True. As stated above, the HTTP auth password is cached for an entire
session of the navigator. It is not stored on disk, or between sessions
as the original poster claimed. When SSL client authentication is
implemented (using digital signatures) we will give the user the option
of requiring their private key password once per session, or on every
operation.

I would strongly suggest that if you care about the security of your
information that you don't ever type your password into someone else's
machine, or a public lab machine that you don't control or know to be
safe.

--Jeff
--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
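
A small model of the behaviour discussed in this thread, added here as an illustration and not part of the original message or of any browser's code: an in-memory, per-session cache of HTTP Basic credentials, walked through the form resubmission scenario. The `Server`, `Browser` and `walk_up` names and the credentials are constructed, and the `every_operation` policy is an assumption that borrows the per-operation option described above for private key passwords.

```python
import base64

class Server:
    """Constructed origin: every path is protected by Basic auth, realm 'db'."""
    USERS = {"alice": "s3cret"}  # constructed credentials

    def handle(self, path, authorization=None):
        if authorization and authorization.startswith("Basic "):
            user, _, pw = base64.b64decode(authorization[6:]).decode().partition(":")
            if self.USERS.get(user) == pw:
                return 200, "results for " + path
        return 401, 'Basic realm="db"'  # challenge, as in WWW-Authenticate

class Browser:
    """One browser session. policy: 'session' or 'every_operation' (hypothetical)."""
    def __init__(self, server, policy="session"):
        self.server, self.policy = server, policy
        self.auth_cache = {}  # realm -> Authorization value; memory only, never disk
        self.prompts = 0

    def get(self, path, typed=("", "")):
        """typed = what the person at the keyboard enters if a prompt appears."""
        status, body = self.server.handle(path)
        if status != 401:
            return status, body
        realm = body.split('"')[1]
        header = self.auth_cache.get(realm) if self.policy == "session" else None
        if header is None:  # nothing cached (or caching disabled): ask the user
            self.prompts += 1
            header = "Basic " + base64.b64encode(":".join(typed).encode()).decode()
        status, body = self.server.handle(path, header)
        if status == 200 and self.policy == "session":
            self.auth_cache[realm] = header
        return status, body

def walk_up(policy):
    """Owner searches IRS, leaves; someone else resubmits the form with CIA."""
    b = Browser(Server(), policy)
    first, _ = b.get("/search?q=IRS", typed=("alice", "s3cret"))
    second, _ = b.get("/search?q=CIA")  # second person knows no password
    restarted, _ = Browser(Server(), policy).get("/search?q=CIA")  # new session
    return first, second, restarted, b.prompts

if __name__ == "__main__":
    for policy in ("session", "every_operation"):
        print(policy, walk_up(policy))
```

With the per-session cache the second, uncached query succeeds without a prompt, while a restarted browser is challenged again because nothing was written to disk.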