[2805] in WWW Security List Archive


Re: A problem with Navigator's cache

daemon@ATHENA.MIT.EDU (Alvaro de Albuquerque Arraes)
Mon Aug 26 18:55:46 1996

Date: Mon, 26 Aug 1996 17:03:26 -0300
To: www-security@ns2.rutgers.edu
From: alvaro@ieav.cta.br (Alvaro de Albuquerque Arraes)
Errors-To: owner-www-security@ns2.rutgers.edu

> Ian Dunkin <imd1707@ggr.co.uk> wrote:
>At the risk of interrupting the `uns*bscr*be' messages, here's a little
>problem with local caching:
>
>Some of our users share PCs.  Some servers on our internal Web hold
>documents whose access requires authentication. 
>
>When a PC Navigator user attempts to access such a page, and
>authenticates successfully, the document is retrieved and displayed, and
>cached to their local disk.  This user now switches the PC off, and
>leaves.  Another user switches the PC back on, and fires up Navigator. 
>She attempts to access the same document.  Navigator pulls it back for
>her from the cache, without authentication. 
>
>How might this be addressed?
>

If you have people with different clearances using the same equipment,
there's something wrong. You should make them use different equipment. The
problem is not only the cache. What if the high clearance guy saves some
information contained in the page with confidential information, believing
what he saved was not so secret? It will be free for everyone to access...

A different approach would be using some kind of software (or OS, maybe NT
will do it) that protects directories. Protecting one user's directory from
the others and protecting system directories from the users (e.g., the cache
directory), and protecting the Navigator's setup file from the users.
I have used a nice software (CURIO for DOS & Windows) that would do it. It
is able to isolate the users from one another and protect directories in a
way that only the software that uses the directory has access to it, but not
the user. It is even able to prevent users from changing the setup of the
software they use. Look at http://www.riosoft.softex.br/~modulo/
(unfortunately the homepage is in Portuguese..)

Regards 

###########################################
#       Alvaro de Albuquerque Arraes      #
#    Sao Jose dos Campos - SP - Brasil    #
#     Instituto de Estudos Avancados      #
#         Subdivisao de Informatica       #
#       InterNet: alvaro@ieav.cta.br      #
#     Tel.:(0123) 41-3033 r.:323/373      #
#     FAX: (0123) 41-4277                 #
###########################################

