(Fwd) SECURITY ALERT: Password protection bug in Netscape 2.0b

Rich Graves llurch at networking.stanford.edu
Mon Dec 18 19:58:27 PST 1995


Except for the bit about the file not being deleted after quitting
Netscape (which is Bad), this is old news. This is why security-conscious
sites like banking.wellsfargo.com ask for passwords in an SSL-encrypted
form rather than via simple browser authentication. 

Even if Netscape did delete the "password cache," anyone with physical 
access to your machine could still recover it from disk.

I believe that Microsoft Internet Explorer and other browsers derived from
Mosaic do the same thing. 

Netscape et al. know that simple browser authentication is of limited
usefulness, which is why we keep trying to commit them to DCE.

-rich





