Yes, Netscape caches passwords.

--- begin forwarded text

From: support@sfnb.com
Date: Fri, 29 Mar 96 17:27:02 -0500
Sender: <support@sfnb.com>
Apparently-To: bankusers@sfnb.com

Dear Security First customer:

With the release of Netscape Navigator 2.0, Netscape enhanced their caching mechanism to improve the browser's performance. As a result of this enhancement, the Navigator was storing Security First username and password information when entered in cleartext on a customer's local hard drive in a file called fat.db. Therefore, if a knowledgeable and malicious person had access to a Security First customer's computer, they could have potentially stolen that customer's username and password. To our knowledge, this vulnerability was NOT exploited by anyone.

We were made aware of this fact in an e-mail to the bank from Lucky Green, a frequent contributor to the cypherpunks mailing list. Immediately upon learning of this situation, Five Paces engineers worked closely with Netscape engineers and fixed the problem.

To prevent caching of the username and password, we changed the login script to include "pragma: no-cache" in the http header. This command instructs the browser not to cache any information from this page on the local hard drive.

Please note this was not specific to Security First. Any Web site that requests a username and password in an onscreen form is potentially vulnerable to this cleartext caching if the "pragma: no-cache" header is not used.

In order to ensure that your username and password have been cleared from your cache, bank customers should go to the Options dropdown menu in the Navigator, and select Network, then Cache, and then click on the "Clear Disk Cache Now" button.

We know that software involving Internet commerce is changing at a rapid pace, and we will continue to monitor all changes that might affect our customers. We would like to thank Lucky and also Jeff Weinstein of Netscape for bringing this to our attention. The Internet community benefits when we all work together to make it a better network.

If you have any questions, please do not hesitate to e-mail me at karlin@sfnb.com, or our customer service staff at support@sfnb.com.

Sincerely,

Michael Karlin
President & COO
Security First Network Bank

================================================================
Michael S. Karlin          Security First Network Bank
2957 Clairmont Road        404.679.3201
Suite 280                  404.679.3210 Fax
Atlanta, GA 30329          karlin@sfnb.com

--- end forwarded text

-- Lucky Green <mailto:shamrock@netcom.com>
   PGP encrypted mail preferred.
Lucky Green wrote:
Yes, Netscape caches passwords.
[ forwarded message from sfnb deleted ]
The problem is that form post data was being used as part of the database key for storing and accessing form posts in our cache. The current workaround for this problem is to use the 'pragma: no-cache' HTTP header. I just sat down with the responsible engineer and helped him fix this. The fix will be in our next beta (marketing name of Atlas Preview Release 2, user-agent of Mozilla/3.0b3).

This next beta will also include several other security/privacy related features/preferences:

1) Preference to enable sending of email address for anon ftp password. The 2.0 release always sends "mozilla@" as the anon ftp password, to protect the privacy of our users. We are now giving the user the ability to enable sending of their e-mail address if they choose.

2) Warning dialog on "mailto:" form posts. The user will be warned that the form submission is via e-mail and will be given the opportunity to cancel the operation. The warning can be turned off via a preference.

3) There will be an option to enable/disable disk caching of documents retrieved over an SSL connection. The current (2.01) behaviour is to always cache such documents in the absence of the "Pragma: no-cache" header. The new option will default to not caching SSL-fetched documents, but will allow the user to enable caching if they desire. This option will not affect caching of documents retrieved in the clear via un-encrypted http (which can be disabled by turning off the disk cache).

4) Dialog for cookie acceptance. There will be an option to enable a dialog that will be displayed whenever you are sent an HTTP cookie. This dialog will allow you to discard the cookie.

5) You will be able to disable/enable SSL2 and SSL3, and the specific cipher-suites. For example, if you use the US-domestic version of the navigator, you can turn off the export ciphers to ensure that you never send any data over SSL using 40-bit secret keys.

I look forward to any feedback people may have on these new options once the new beta is out. Sorry, but I can't tell you the exact date yet...

--Jeff

-- Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
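
A small model of the defect described in the message above, added here as an example; it is not part of the original thread and not Netscape's code. The key layout, the field names `username`/`password`, the URL and all class and function names are assumptions made for illustration. It shows how keying a cache on the POST body puts credentials into the cache index, and how a response carrying "Pragma: no-cache" keeps the entry from being stored.

```python
# Toy model (constructed for illustration; not Netscape's code or file format).
from urllib.parse import parse_qsl

SENSITIVE_FIELDS = {"username", "password"}  # assumed form field names


def cache_key(method, url, post_body=""):
    """Model of the flawed keying: the POST body becomes part of the key."""
    return f"{method} {url} {post_body}" if method == "POST" else f"{method} {url}"


class DiskCacheModel:
    """Stands in for the on-disk cache index; keys are stored in cleartext."""

    def __init__(self):
        self.index = {}

    def store(self, method, url, post_body, response_headers, body):
        # Header names are case-insensitive, so normalise before the lookup.
        headers = {k.lower(): v.lower() for k, v in response_headers.items()}
        if "no-cache" in headers.get("pragma", ""):
            return False  # workaround honoured: nothing reaches the disk index
        self.index[cache_key(method, url, post_body)] = body
        return True


def leaked_fields(cache):
    """Defender's check: which index keys carry credential-like form fields?"""
    hits = []
    for key in cache.index:
        parts = key.split(" ", 2)
        if len(parts) == 3:  # only POST keys carry a form body
            names = {name for name, _ in parse_qsl(parts[2])}
            hits.extend(sorted(names & SENSITIVE_FIELDS))
    return hits


def demo():
    login = "username=alice&password=example-only"  # constructed sample input
    url = "https://bank.example/login"              # placeholder URL
    before, after = DiskCacheModel(), DiskCacheModel()
    before.store("POST", url, login, {"Content-Type": "text/html"}, "<html>ok</html>")
    after.store("POST", url, login, {"Pragma": "no-cache"}, "<html>ok</html>")
    return leaked_fields(before), leaked_fields(after)


if __name__ == "__main__":
    print(demo())
```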
This next beta will also include several other security/privacy related features/preferences:
2) Warning dialog on "mailto:" form posts
Also add a warning dialog on any form post that includes a file upload. This will prevent any reoccurrence of the JavaScript bug I was about to exploit in 2.01 that let code upload files without the user's knowledge. (That particular bug is fixed in 3.0b2).

John
participants (3)
- Jeff Weinstein
- John Robert LoVerso
- shamrock@netcom.com