1995-12-19 - Re: (Fwd) SECURITY ALERT: Password protection bug in Netsca

Header Data

From: “Peter Trei” <trei@process.com>
To: cypherpunks@toad.com
Message Hash: 83ed886f8ad1456ef9df81952b61ee28cbee4d498e2ed483783a96f57339b213
Message ID: <9512191432.AA28817@toad.com>
Reply To: N/A
UTC Datetime: 1995-12-19 14:32:17 UTC
Raw Date: Tue, 19 Dec 95 06:32:17 PST

Raw message

From: "Peter Trei" <trei@process.com>
Date: Tue, 19 Dec 95 06:32:17 PST
To: cypherpunks@toad.com
Subject: Re: (Fwd) SECURITY ALERT: Password protection bug in Netsca
Message-ID: <9512191432.AA28817@toad.com>
MIME-Version: 1.0
Content-Type: text/plain


Jeff writes:
> This report is mostly bogus.  Netscape does not, and never
> has stored http auth passwords in files on your disk.  However
> we do cache documents from servers that use http auth.
> In this case the user had their preferences set to check the
> host site for updated content "once per session".  There is
> a bug, which we are fixing before 2.0 ships, that if the
> auth fails the document should be removed from the cache but
> was not. If the user had set their cache checking to "never",
> then if the document is in the cache, it will always be shown to
> the user, since no connection is made to the server.
>
>   Content providers who don't want their web pages cached
> should use the 'Pragma: no-cache' http header.  This will
> tell the navigator to not save the document in the disk cache.
> 
> 	--Jeff

Thanks for clearing that up - I see you've already been over to 
www-security. The fast response Netscape (and in particular, 
you yourself) make to reported problems is something I'm very
pleased to see.

Peter Trei
trei@process.com
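
Added example, not part of the original message and not Netscape's code: a small Python model of the cache behaviour Jeff describes. It shows the stale document surviving an auth failure, the eviction fix, and the effect of 'Pragma: no-cache' when cache checking is set to "never". The class, its fields, the scenario helper and the URL are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class DiskCache:
    check: str = "once_per_session"     # or "never"
    evict_on_auth_failure: bool = True  # False models the bug described above
    store: dict = field(default_factory=dict)
    verified: set = field(default_factory=set)  # URLs checked this session

    def new_session(self):
        self.verified.clear()

    def fetch(self, url, server):
        """server(url) -> (status, headers, body); returns the body shown, or None."""
        cached = self.store.get(url)
        if cached is not None and (self.check == "never" or url in self.verified):
            return cached                       # served without contacting the server
        status, headers, body = server(url)
        self.verified.add(url)
        if status == 401:                       # HTTP auth failed
            if self.evict_on_auth_failure:
                self.store.pop(url, None)       # fix: drop the protected document
            return None
        # Header names are case-insensitive; honour Pragma: no-cache by not storing.
        pragma = {k.lower(): v.lower() for k, v in headers.items()}.get("pragma", "")
        if "no-cache" not in pragma:
            self.store[url] = body
        return body

def scenario(cache, headers):
    """Authorized fetch, then a new session in which authentication fails."""
    url = "http://example.test/private.html"    # constructed URL
    cache.fetch(url, lambda u: (200, headers, "SECRET"))
    cache.new_session()
    denied = lambda u: (401, {}, "")
    first = cache.fetch(url, denied)            # revalidation; auth fails
    second = cache.fetch(url, denied)           # same session, second visit
    return first, second
```

With checking set to "never" the eviction fix is never reached, because no request is made; in this model only the server's 'Pragma: no-cache' keeps the document off disk.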




