[1317] in WWW Security List Archive


Re: caching protected documents

daemon@ATHENA.MIT.EDU (Brain21)
Thu Dec 21 16:39:53 1995

Date: Thu, 21 Dec 1995 13:38:09 -0500 (EST)
From: Brain21 <brain21@montag33.residence.gatech.edu>
To: Jeff Weinstein <jsw@netscape.com>
cc: www-security@ns1.rutgers.edu, wwilson@umich.edu
In-Reply-To: <30D915B2.679E@netscape.com>
Errors-To: owner-www-security@ns2.rutgers.edu

On Thu, 21 Dec 1995, Jeff Weinstein wrote:

>   The HTTP auth passwords are cached IN MEMORY, during a single
> session.  As far as I can tell, every browser does this.  They are
> not cached on the disk at all.

> 
>   True.  As stated above, the HTTP auth password is cached for an entire
> session of the navigator.  It is not stored on disk, or between sessions
> as the original poster claimed.  When SSL client authentication is
> implemented (using digital signatures) we will give the user the option
> of requiring their private key password once per session, or on every
> operation.

Why not do this now? (well, the next version).  What is the rationale of 
caching the UID and passwords into memory, and then automatically sending 
them to the authentication request on protected pages?  Does this not 
somewhat defeat the purpose?

>   I would strongly suggest that if you care about the security of your
> information that you don't ever type your password into someone else's
> machine, or a public lab machine that you don't control or know to be
> safe.

Yes, that is obvious to me, and most on this list, but in "corporate 
America" your average Joe User who has access to sensitive info does not 
necessarily know this, and may assume that since s/he had to give a UID 
and passwd the first time that it would be required on subsequent 
attempts.  You *have* to remember that your average joe internet user 
does not know anything about security.  Your average joe still wants to 
use his wife's name for a password.  In making the above statement you 
are assuming that everyone is as security conscious as we are.  That is 
simply not true and the above statement ignores probably MOST of 
Netscape's customers.

Brain21
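The behaviour the two posters are arguing about, as an added example that is not part of the original thread or of any Netscape code: a toy HTTP server with one Basic-auth realm and a toy client that, like the navigator Jeff describes, keeps the UID and password in memory for the session and reuses them on the next challenge without prompting. The server, host name, realm name, user and password are all made up for the illustration. The second scenario shows the point Brain21 raises: once the first user has authenticated, a second person at the same keyboard gets the protected page without ever seeing a password dialog, whereas a client that asks on every operation refuses them.

```python
import base64


def basic_authorization(user: str, password: str) -> str:
    """Authorization header value for HTTP Basic auth: base64 of user:password."""
    raw = f"{user}:{password}".encode("latin-1")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_authorization(value: str):
    """Return (user, password) from a Basic Authorization header, or None."""
    if not value.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(value[6:], validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


class ToyServer:
    """Assumed server: /protected/* sits behind one Basic realm, all else is public."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users  # user -> password; plaintext dict, toy only

    def handle(self, path, headers):
        if not path.startswith("/protected/"):
            return 200, {}, "public page"
        challenge = {"WWW-Authenticate": f'Basic realm="{self.realm}"'}
        creds = parse_basic_authorization(headers.get("Authorization", ""))
        if creds is None or self.users.get(creds[0]) != creds[1]:
            return 401, challenge, ""
        return 200, {}, f"secret page for {creds[0]}"


class ToyBrowser:
    """Assumed client. With cache_for_session=True it keeps Basic credentials per
    (host, realm) in memory and re-sends them on the next 401 without asking,
    which is the behaviour described in the thread. Nothing is written to disk."""

    def __init__(self, server, host, cache_for_session=True):
        self.server = server
        self.host = host
        self.cache_for_session = cache_for_session
        self.cache = {}    # (host, realm) -> (user, password), memory only
        self.prompts = 0   # how many times the password dialog appeared

    def fetch(self, path, ask_user):
        """ask_user(realm) plays the password dialog and returns (user, password)."""
        status, hdrs, body = self.server.handle(path, {})
        if status != 401:
            return status, body
        realm = hdrs["WWW-Authenticate"].split('realm="')[1].rstrip('"')
        key = (self.host, realm)
        creds = self.cache.get(key)
        if creds is None:
            self.prompts += 1          # dialog only when nothing is cached
            creds = ask_user(realm)
        status, hdrs, body = self.server.handle(
            path, {"Authorization": basic_authorization(*creds)})
        if status == 200 and self.cache_for_session:
            self.cache[key] = creds    # only a password the server accepted is kept
        return status, body

    def close(self):
        """Ending the session is the only thing that drops the cached password."""
        self.cache.clear()


def demo(cache_for_session):
    """Joe logs in, walks away; a stranger who does not know the password tries next."""
    server = ToyServer("Payroll", {"joe": "s3cret"})        # constructed data
    browser = ToyBrowser(server, "intranet.example", cache_for_session)
    joe = lambda realm: ("joe", "s3cret")
    stranger = lambda realm: ("", "")                        # cannot answer the dialog
    first, _ = browser.fetch("/protected/salary", joe)
    second, _ = browser.fetch("/protected/reviews", stranger)
    return {"joe": first, "stranger": second, "prompts": browser.prompts}


if __name__ == "__main__":
    print("cached :", demo(True))    # stranger gets 200, one prompt in total
    print("strict :", demo(False))   # stranger gets 401, dialog shown both times
```

Real browsers go a step further than this client and send the cached credentials pre-emptively for any URL under the path that first challenged them, so the stranger's request would not even produce a 401 round trip; the outcome is the same.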
