From: Rich Graves <llurch@networking.stanford.edu>
To: trei@process.com
Message Hash: f1a952ae945ec248d9c127e545fc0fd32774f4771a3f88cd0a5d15aaa13b9309
Message ID: <Pine.ULT.3.91.951218173620.29934E-100000@Networking.Stanford.EDU>
Reply To: <9512190026.AA15461@toad.com>
UTC Datetime: 1995-12-19 03:58:27 UTC
Raw Date: Tue, 19 Dec 1995 11:58:27 +0800
Subject: Re: (Fwd) SECURITY ALERT: Password protection bug in Netscape 2.0b

Except for the bit about the file not being deleted after quitting
Netscape (which is Bad), this is old news. This is why security-conscious
sites like banking.wellsfargo.com ask for passwords in an SSL-encrypted
form rather than via simple browser authentication.

Even if Netscape did delete the "password cache," anyone with physical
access to your machine could still recover it from disk.

I believe that Microsoft Internet Explorer and other browsers derived from
Mosaic do the same thing.

Netscape et al. know that simple browser authentication is of limited
usefulness, which is why we keep trying to commit them to DCE.

-rich