
Re: Comprehensive list - known Threat and Protection table

From: George Staikos <staikos@kde.org>
Date: Thu, 28 Sep 2006 09:58:33 -0400
To: "James A. Donald" <jamesd@echeque.com>
Cc: public-usable-authentication@w3.org
Message-Id: <200609280958.33938.staikos@kde.org>

On Tuesday 26 September 2006 20:51, James A. Donald wrote:
> > > I mean - by way of example - imagine you walk up to a free public
> > > internet terminal in an airport - then click the "back" button on the
> > > browser a few times.  You get all kinds of fun stuff - personal
> > > emails, bank statements, corporate intranets, etc etc...
> George Staikos wrote:
> >   I don't think this is a solvable problem.  It's I/O error.  I could
> > leave my wallet on the cashier counter and lose all my money and credit
> > card/SSN/etc numbers too.
> But you know you are leaving your wallet on the cashier counter.
> The display of personal information should require a login, and a login
> should result in an icon or page somewhere on the screen that displays a
> logout button.  And if that page or icon goes away, you should be logged
> out.  Alternatively there should be an icon on the desktop showing that
> you are currently logged in to whatever, and you can click on that icon
> to logout all.

  Basically what you are talking about is a floating login token.  This is 
often achieved with a cookie but it doesn't clear the cache necessarily.  I 
would say this is more of an implementation bug in the browser and/or the 
site when this happens.  When I log out of my bank site, I am logged out, 
period.  Perhaps there are some memory buffers with content but if someone is 
examining my memory space I have worse problems.

George Staikos
KDE Developer				http://www.kde.org/
Staikos Computing Services Inc.		http://www.staikos.net/
Received on Thursday, 28 September 2006 13:59:00 UTC
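
The two site-side conditions discussed in this message, a login cookie that should end at logout and account pages the browser may still hold afterwards, can be checked from response headers. The following is an added example, not part of the original message: the header samples and the cookie name `sid` are constructed, and using `Cache-Control: no-store` as the site's way of telling the browser not to keep a page is this example's assumption.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed response headers (name, value); "sid" is an assumed cookie name.
WEAK_PAGE = [("Content-Type", "text/html"), ("Cache-Control", "private, max-age=600")]
WEAK_LOGOUT = [("Location", "/")]
HARDENED_PAGE = [("Content-Type", "text/html"), ("Cache-Control", "no-store")]
HARDENED_LOGOUT = [("Set-Cookie", "sid=; Max-Age=0; Path=/; Secure; HttpOnly")]


def header_values(headers, name):
    """All values of one header; header names compare case-insensitively."""
    return [v for k, v in headers if k.lower() == name.lower()]


def is_storable(headers):
    """True if the response does not forbid the browser from storing it."""
    directives = set()
    for value in header_values(headers, "Cache-Control"):
        directives.update(d.strip().lower() for d in value.split(","))
    return "no-store" not in directives


def cookie_is_expired(headers, cookie_name, now=None):
    """True if some Set-Cookie header deletes cookie_name."""
    now = now or datetime.now(timezone.utc)
    for value in header_values(headers, "Set-Cookie"):
        jar = SimpleCookie()
        jar.load(value)
        if cookie_name not in jar:
            continue
        morsel = jar[cookie_name]
        try:  # Max-Age <= 0 or an Expires date in the past deletes the cookie
            if morsel["max-age"] and int(morsel["max-age"]) <= 0:
                return True
            if morsel["expires"] and parsedate_to_datetime(morsel["expires"]) <= now:
                return True
        except (TypeError, ValueError):
            pass  # malformed attribute: treat the cookie as still live
    return False


def audit(page_headers, logout_headers, cookie_name="sid"):
    """List the findings for one account page and the logout response."""
    findings = []
    if is_storable(page_headers):
        findings.append("account page may be stored: no Cache-Control no-store")
    if not cookie_is_expired(logout_headers, cookie_name):
        findings.append("logout does not expire the session cookie")
    return findings
```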
