[4383] in WWW Security List Archive
Removing info from a PC cache
daemon@ATHENA.MIT.EDU (HEROLD.BECKY)
Wed Feb 12 13:47:52 1997
Date: Wed, 12 Feb 97 10:00:48 CDT
To: <www-security@ns2.rutgers.edu>
From: "HEROLD.BECKY" <Herold.Becky@principal.com>
Errors-To: owner-www-security@ns2.rutgers.edu

When using the "back" button in such browsers as Netscape Navigator and
Internet Explorer, the information for the previous pages is re-displayed.
When setting up an Internet site that requests ids and passwords/PINs for
commerce transactions, this creates the risk of having others use the PC to
get to the authenticating person's confidential info when the person does not
exit the browser before leaving the PC.

Considering all the public PCs being used for Internet access (e.g., in
libraries, book stores, coffee houses, etc.), this seems like it would be
a big concern for any company planning to offer Internet commerce
capabilities.

I am just getting into web/html issues such as this, so please excuse if this
is a very apparent or obvious risk to resolve...

How can the information the end-user provides on Internet pages be "erased" so
that other people using the same PC cannot get to the information by going
back to the page? (Erased "automatically", and not depending upon the
end-user to exit.) It's my understanding that using SSL does not resolve this
issue since it just encrypts the data for transmission, not in the PC cache
(please correct me if I'm wrong about this). Even if the PIN/password is only
displayed as *'s, the info would still be available in cache to be re-entered
at the screen, right?

Thanks in advance for your help!!

Rebecca Herold, Sr. Systems Analyst
Information Protection
The Principal Financial Group
herold.becky@principal.com
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Any opinions expressed in this message are not necessarily those of my
employer.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-