Bug compromises Navigator
Netscape confirms a problem with Navigator 4.5 that could make the browser less secure for users on shared computers.
The problem has to do with the way Navigator, the Web-browsing component of Netscape's recently released Communicator 4.5 Web software suite, negotiates an HTML caching meta tag.
Caching is a method of saving Web files locally so that they do not have to be transmitted over the network every time a page is requested. Meta tags describe the content of a page or provide specific instructions on how to treat it.
The meta tag in this instance tells the server not to cache the page. While Navigator 4.5 hews to the letter of the HTML law in not caching the specified information to the hard disk cache, it does copy the information to the memory cache, according to Netscape. Previous versions of Navigator, along with Microsoft's Internet Explorer, do not.
The problem occurs only when Navigator 4.5 accesses a site secured with the Secure Sockets Layer encryption standard.
The glitch poses a potential security risk to users in computer clusters such as those common in universities or libraries. In the worst-case scenario, a person could enter a credit card number, or a user name and password, and a subsequent user could click back to the same page where that sensitive information has been preserved in the memory cache.
The bug was discovered by Yale University support engineer Peter Snow.
"Previously, if the Web site used the 'no-cache' tag, any information that you entered into the form would not be cached--when you returned to the page, the fields on the form would be empty," Snow said. "With 4.5, the browser is ignoring these tags--ironically, only on secure Web pages.
Navigator product manager John Gable downplayed the seriousness of the problem, noting that it only affects users sharing a computer and accessing secure pages that utilize the "no-cache" tag. Gable said Netscape would post a workaround recommending that users restart the browser following sessions on shared computers, or that they clear the memory cache under the "Preferences" menu after entering sensitive information.
Gable said that content providers can avoid the problem by placing the meta tag in the HTML header rather than in the contents of the HTML file. He added that users of a shared version of Communicator could avoid the problem by using individual profiles.
"I think it's fair to call it a behavior change from previous versions, and maybe a bug," Gable said.
Netscape will correct the problem in a subsequent release of the product.