
Re: SECURITY ALERT: Password protection bug in Netscape 2.0b3




On Wed, 20 Dec 1995, Adam Shostack wrote:

> 	Most modern OS's have some form of swapping or virtual memory.
> It's not a good idea to assume that the contents of a multi-megabyte
> RAM cache won't get to disk.

Yup.  One of many reasons I think the bank's security thinking is flawed.
But on the other hand, one can assume that such swap/page space will be
more difficult to examine, won't be re-used by the browser later to
present the page (outside of the normal virtual RAM access), and will
be overwritten 'soon' by other data most of the time.

In the end however, to practice safe computing one must be careful where
and how one computes. In terms of what I meant to be my primary point
(differentiation of two motivations for caching in the UA and offering
handling rules to minimize exposure), we don't need a long discussion about
all the ways one's compute experience can be compromised.

Dave Morris

