Re: SECURITY ALERT: Password protection bug in Netscape 2.0b3

• To: dwm@shell.portal.com (David W. Morris)
• Subject: Re: SECURITY ALERT: Password protection bug in Netscape 2.0b3
• From: Adam Shostack <adam@bwh.harvard.edu>
• Date: Wed, 20 Dec 1995 14:05:47 -0500 (EST)
• Cc: www-security@ns2.rutgers.edu
• In-Reply-To: <Pine.SUN.3.90.951219114524.1820B-100000@jobe.shell.portal.com> from "David W. Morris" at Dec 19, 95 11:21:18 pm

	Most modern OS's have some form of swapping or virtual memory.
Its not a good idea to assume that the contents of a multi megabyte
ram cache won't get to disk.

Adam


Dave Morris wrote:

| The session history is a kind of virtual paper which has the most value if
| the content isn't altered.  After all, if you have a real piece of paper
| on your desk it remains a faithful record unless it is explictly altered.
| The virtual paper of the history should follow the same paradigm w/o respect
| to the protected nature of individual pages. 
| 
| If you accept that fundamental design premise, then it may be possible to
| handle protection of content with some rules like:
| 
| 1. Never save a protected page beyond the scope of a single execution of
|    the UA program.
| 2. Never use DASD for backing store for history purposes for an
|    authorized document. If memory cache space is exhausted, then
|    the history is lost (different UA's could handle error recovery
|    in terms of advising the the user, etc.)

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume

• Re: SECURITY ALERT: Password protection bug in Netscape 2.0b3
• From: "David W. Morris" <dwm@shell.portal.com>

• Re: SECURITY ALERT: Password protection bug in Netscape 2.0b3
• From: "David W. Morris" <dwm@shell.portal.com>

• Previous: Re: SECURITY ALERT: Password protection bug in Netscape 2.0b3
• Next: Re: SECURITY ALERT: Password protection bug in Netscape 2.0b3
• Index(es):
  • Index
  • Thread