[3493] in WWW Security List Archive
Re: CGI Security
daemon@ATHENA.MIT.EDU (David W. Morris)
Fri Nov 8 03:50:20 1996
Date: Thu, 7 Nov 1996 23:13:34 -0800 (PST)
From: "David W. Morris" <dwm@xpasc.com>
To: David Tauzell <tauzell@math.umn.edu>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <Pine.GSO.3.95.961107113549.9202C-100000@birch.math.umn.edu>
Errors-To: owner-www-security@ns2.rutgers.edu

On Thu, 7 Nov 1996, David Tauzell wrote:

> In most browsers and OS's the password field can usually be copied and
> pasted to get at the actual text.

I think 'most' would be incorrect ... the dominant browser in terms
of usage on W/95 and Unix (Linux) does not reveal the content of
a hidden field via copy/paste. On Unix the ***s are copied, on W/95
the field simply can't be copied.

If it works that way on any browser, it should be reported as a
security concern!

Which is not to say that input type=password is a good solution where
security is important ... unless the form is submitted encrypted.

Dave Morris