
Re: Java/Netscape security holes: hole du jour and summary



Gene Ingram wrote:
> Their redesign surprised me, when downloading the LATEST Atlas beta, and I
> wondered what ELSE they changed.  Well here's WHAT ELSE:  When applying for
> a credit card using a secure server at http://www.bofa.com, I was not
> allowed into the area where it allowed me to complete my application (a
> secured area).  It gave me the error that the socket was already in use!  I
> have NEVER had that problem before when logging onto a secured server!
> HERE IS HOW I FIXED THE PROBLEM:
> 
>   Under ``Network'' preferences, I had to toggle the switch
>   ``Allow Persistent Caching of Pages Retrieved Through SSL''
>   under the ``Cache'' tab.  Isn't that rich.  :-)
> 
> So there we have it, things have changed in more ways than may be apparent
> on the surface.  I'm sure this ``persistent caching'' thing is a security
> enhancement, and would appreciate it if someone could explain why it was
> added.  It was only by accident that I discovered that the ``socket in
> use'' error would prevent me from entering SOME secured sites (but not all,
> as I was able to fill out a secured application on another server before
> enabling ``Persistent Caching'' under ``Network'' preferences, ``Cache''
> section.) I'm puzzled as to why ``Persistent Caching'' is needed in some
> secured-server instances but not in others.

  This is why we do betas.  You may have found a bug.  When I connect
to the SSL server at bofa I don't get the socket in use problem that
you are referring to.  Perhaps you could give me some more information
such as what platform/operating system you are running on, and a URL
that can be used to demonstrate the problem.  Having caching disabled
for SSL pages should not affect your ability to connect to a server,
and if it is, then there is a bug.  The reason the option was added
is that some people want the performance benefits of caching for encrypted
documents, while others do not want the documents stored in their
disk cache.  The fact that different people want different behaviour
caused us to add an option.

> Like John LoVerso, I *don't think* JavaScript belongs in ``languages''
> either.  My question remains, were these toggles moved out of ``Security''
> because Netscape no longer considers them a security issue.

  There are many reasons why you might want to turn off JavaScript, and
only one is related to security.  For example if you want to stop those
annoying messages from scrolling through your status bar.

	--Jeff

-- 
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.

