[45612] in Cypherpunks

Re: (Fwd) SECURITY ALERT: Password protection bug in Netsca

daemon@ATHENA.MIT.EDU (Peter Trei)
Tue Dec 19 09:51:56 1995

From: "Peter Trei" <trei@process.com>
To: jsw@netscape.com, cypherpunks@toad.com
Date:          Tue, 19 Dec 1995 09:38:25 -6
Reply-To: trei@process.com

Jeff writes:
> This report is mostly bogus.  Netscape does not, and never
> has stored http auth passwords in files on your disk.  However
> we do cache documents from servers that use http auth.
> In this case the user had their preferences set to check the
> host site for updated content "once per session".  There is
> a bug, which we are fixing before 2.0 ships, that if the
> auth fails the document should be removed from the cache but
> was not. If the user had set their cache checking to "never",
> then if the document is in the cache, it will always be shown to
> the user, since no connection is made to the server.
 
>   Content providers who don't want their web pages cached
> should use the 'Pragma: no-cache' http header.  This will
> tell the navigator to not save the document in the disk cache.
> 
> 	--Jeff

Thanks for clearing that up - I see you've already been over to 
www-security. The fast response Netscape (and in particular, 
you yourself) make to reported problems is something I'm very
pleased to see.

Peter Trei
trei@process.com
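
The cache behaviour described in the quoted text, as an added example that is not part of the original message and not Netscape's code. It is a constructed Python model: `Response`, `DiskCache` and `demo` are hypothetical names, and serving a still-cached page later in the same session after a failed check is an assumption of the model.

```python
# Constructed model of a browser disk cache (illustration only, not Netscape's code).
from dataclasses import dataclass, field

@dataclass
class Response:
    status: int                                # 200 = OK, 401 = http auth failed
    body: str = ""
    headers: dict = field(default_factory=dict)

@dataclass
class DiskCache:
    policy: str = "once per session"           # or "never", as in the quoted text
    evict_on_auth_failure: bool = True         # False reproduces the described bug
    store: dict = field(default_factory=dict)  # url -> cached body
    checked: set = field(default_factory=set)  # urls already checked this session

    def new_session(self):
        self.checked.clear()

    def fetch(self, url, server):
        """Return the body shown to the user, or None if nothing is shown."""
        if url in self.store and (self.policy == "never" or url in self.checked):
            return self.store[url]             # no connection is made to the server
        resp = server(url)
        self.checked.add(url)
        if resp.status == 401:
            if self.evict_on_auth_failure:
                self.store.pop(url, None)      # fixed: drop the protected document
            return None
        if resp.headers.get("Pragma", "").lower() == "no-cache":
            self.store.pop(url, None)          # provider asked not to be cached
        else:
            self.store[url] = resp.body
        return resp.body

def demo(evict):
    """Authenticated fetch, then a failed check in a new session, then a re-request."""
    cache = DiskCache(evict_on_auth_failure=evict)
    ok = lambda url: Response(200, "members-only page")
    denied = lambda url: Response(401)
    cache.fetch("/private", ok)                # session 1: document is cached
    cache.new_session()
    cache.fetch("/private", denied)            # session 2: auth fails on the check
    return cache.fetch("/private", denied)     # what a later request displays

if __name__ == "__main__":
    print("buggy:", demo(evict=False))
    print("fixed:", demo(evict=True))
```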
