Netscape MagicCookie and passwords: a reply from Netscape

CNET staff
Regarding yesterday's item on Netscape saving passwords in plain text in the MagicCookie file, Netscape's Steve Dagley replies:

I believe the author of the report at the Macintosh Security Site fails to understand cookies. Yes, you might have a plain text password stored in the cookie file but only if the site setting the cookie specifically stored it that way (we just save what the site requests). Most sites are more intelligent about what they store in a cookie, especially if it is a site password (e.g., none of my 250 cookies are plain text passwords). If users do find plain text passwords stored in their cookie file they should complain to the web site setting the cookie.

P.S. Encrypting the cookie file really isn't an option as it would break the ability to see exactly what was in your cookie file with a simple text editor and the many 3rd party utilities that exist to manipulate cookies.