[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: (Fwd) SECURITY ALERT: Password protection bug in Netscape 2.0b

To: [email protected], Peter Trei <[email protected]>
Subject: Re: (Fwd) SECURITY ALERT: Password protection bug in Netscape 2.0b
From: Rich Graves <[email protected]>
Date: Mon, 18 Dec 1995 17:46:08 -0800 (PST)
Cc: Jimmy Hoffa <[email protected]>
In-Reply-To: <[email protected]>
Sender: [email protected]

Except for the bit about the file not being deleted after quitting
Netscape (which is Bad), this is old news. This is why security-conscious
sites like banking.wellsfargo.com ask for passwords in an SSL-encrypted
form rather than via simple browser authentication. 

Even if Netscape did delete the "password cache," anyone with physical 
access to your machine could still recover it from disk.

I believe that Microsoft Internet Explorer and other browsers derived from
Mosaic do the same thing. 

Netscape et al know that simple browser authentication is of limited 
usefulness, which is why we keep trying to commit them to DCE.

-rich

References:
- (Fwd) SECURITY ALERT: Password protection bug in Netscape 2.0b
  - From: "Peter Trei" <[email protected]>

Prev by Date: No Subject
Next by Date: Java and timing info - second attempt
Prev by thread: (Fwd) SECURITY ALERT: Password protection bug in Netscape 2.0b
Next by thread: Re: (Fwd) SECURITY ALERT: Password protection bug in Netscape 2.0b
Index(es):
- Date
- Thread