Re: SECURITY ALERT: Password protection bug in Netscape 2.0b3
Most modern OS's have some form of swapping or virtual memory.
It's not a good idea to assume that the contents of a multi-megabyte
RAM cache won't get to disk.
Adam
Dave Morris wrote:
| The session history is a kind of virtual paper which has the most value if
| the content isn't altered. After all, if you have a real piece of paper
| on your desk it remains a faithful record unless it is explicitly altered.
| The virtual paper of the history should follow the same paradigm w/o respect
| to the protected nature of individual pages.
|
| If you accept that fundamental design premise, then it may be possible to
| handle protection of content with some rules like:
|
| 1. Never save a protected page beyond the scope of a single execution of
| the UA program.
| 2. Never use DASD for backing store for history purposes for an
| authorized document. If memory cache space is exhausted, then
| the history is lost (different UA's could handle error recovery
| in terms of advising the user, etc.)
--
"It is seldom that liberty of any kind is lost all at once."
-Hume
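
The two points in this thread combined, as an added example that is not part of the original messages: a protected page is kept only if its buffer can be pinned in RAM, and is dropped otherwise. It assumes a POSIX system with `mlock`; the names `locked_page`, `locked_page_store` and `locked_page_drop` are hypothetical.

```c
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>

/* Hypothetical in-memory holder for one protected history page. */
struct locked_page {
    unsigned char *buf;   /* locked mapping, NULL when empty */
    size_t cap;           /* bytes mapped and locked */
    size_t len;           /* bytes of page content held */
};

/* Keep a copy of a protected page only if it can be pinned in RAM.
 * Returns 0 on success, -1 if the memory could not be locked; in that
 * case nothing is retained, so the history entry is lost instead of
 * becoming swappable. The caller's own `data` buffer is not covered. */
int locked_page_store(struct locked_page *p, const void *data, size_t len)
{
    p->buf = NULL; p->cap = p->len = 0;
    if (len == 0) return -1;
    void *m = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return -1;
    if (mlock(m, len) != 0) {      /* e.g. RLIMIT_MEMLOCK exceeded */
        munmap(m, len);
        return -1;
    }
    memcpy(m, data, len);          /* copy only after the lock is held */
    p->buf = m; p->cap = len; p->len = len;
    return 0;
}

/* Wipe and release the page; call before the UA exits (rule 1). */
void locked_page_drop(struct locked_page *p)
{
    if (!p->buf) return;
    volatile unsigned char *v = p->buf;
    for (size_t i = 0; i < p->cap; i++) v[i] = 0;  /* volatile: not elided */
    munlock(p->buf, p->cap);
    munmap(p->buf, p->cap);
    p->buf = NULL; p->cap = p->len = 0;
}
```

`mlock` keeps the pages out of swap only; suspend-to-disk and core dumps can still write them out.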