Yes, Netscape caches passwords.

--- begin forwarded text

From: support@sfnb.com
Date: Fri, 29 Mar 96 17:27:02 -0500
Sender: <support@sfnb.com>
Apparently-To: bankusers@sfnb.com

Dear Security First customer:

With the release of Netscape Navigator 2.0, Netscape enhanced their caching mechanism to improve the browser's performance. As a result of this enhancement, the Navigator was storing Security First username and password information, when entered, in cleartext on a customer's local hard drive in a file called fat.db. Therefore, if a knowledgeable and malicious person had access to a Security First customer's computer, they could have potentially stolen that customer's username and password. To our knowledge, this vulnerability was NOT exploited by anyone.

We were made aware of this fact in an e-mail to the bank from Lucky Green, a frequent contributor to the cypherpunks mailing list. Immediately upon learning of this situation, Five Paces engineers worked closely with Netscape engineers and fixed the problem. To prevent caching of the username and password, we changed the login script to include "pragma: no-cache" in the http header. This command instructs the browser not to cache any information from this page on the local hard drive.

Please note this was not specific to Security First. Any Web site that requests a username and password in an onscreen form is potentially vulnerable to this cleartext caching if the "pragma: no-cache" header is not used.

In order to ensure that your username and password have been cleared from your cache, bank customers should go to the Options dropdown menu in the Navigator, and select Network, then Cache, and then click on the "Clear Disk Cache Now" button.

We know that software involving Internet commerce is changing at a rapid pace, and we will continue to monitor all changes that might affect our customers. We would like to thank Lucky and also Jeff Weinstein of Netscape for bringing this to our attention.

The Internet community benefits when we all work together to make it a better network. If you have any questions, please do not hesitate to e-mail me at karlin@sfnb.com, or our customer service staff at support@sfnb.com.

Sincerely,

Michael Karlin
President & COO
Security First Network Bank

================================================================
Michael S. Karlin
Security First Network Bank
2957 Clairmont Road, Suite 280
Atlanta, GA 30329
404.679.3201
404.679.3210 Fax
karlin@sfnb.com

--- end forwarded text

--
Lucky Green <mailto:shamrock@netcom.com>
PGP encrypted mail preferred.
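As an added illustration (not part of the forwarded message, and not the bank's or Netscape's code), the response headers a credential form should carry so that a browser's disk cache never stores the page, plus a conservative checker for header sets that still allow disk caching. Only "Pragma: no-cache" comes from the message above; the Cache-Control and Expires headers, the function names and the honor_pragma switch are assumptions reflecting later HTTP caching rules.

```python
"""Added example: headers that keep a login page out of a browser's disk cache,
and a checker that flags header sets which still permit on-disk storage.
Only "Pragma: no-cache" is the fix named in the 1996 message; the rest is an
assumption based on later Cache-Control semantics, not the bank's own code.
"""
from email.utils import formatdate
from typing import Dict


def login_page_headers(body_len: int) -> Dict[str, str]:
    """Headers for a page carrying a username/password form.

    "Pragma: no-cache" is what the bank added for Navigator 2.0; Cache-Control:
    no-store and Expires: 0 cover caches that ignore Pragma on responses.
    """
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Length": str(body_len),
        "Pragma": "no-cache",
        "Cache-Control": "no-store, no-cache, must-revalidate",
        "Expires": "0",
        "Date": formatdate(usegmt=True),
    }


def _directives(value: str) -> set:
    """Split a Cache-Control value into lower-cased directive names."""
    return {p.strip().split("=", 1)[0].lower() for p in value.split(",") if p.strip()}


def may_be_disk_cached(headers: Dict[str, str], honor_pragma: bool = False) -> bool:
    """Return True if a disk cache could legitimately store this response.

    Only Cache-Control: no-store forbids storage outright; "no-cache" or
    "max-age=0" merely force revalidation, so the cleartext copy still lands
    on disk. honor_pragma=True models a legacy browser that treats a response
    "Pragma: no-cache" as a do-not-store instruction, as the message describes.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if "no-store" in _directives(lower.get("cache-control", "")):
        return False
    if honor_pragma and lower.get("pragma", "").strip().lower() == "no-cache":
        return False
    return True
```

The checker deliberately treats a lone "Pragma: no-cache" as insufficient unless legacy behaviour is assumed, since later caching rules define Pragma only for requests.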