Re: Add timeouts for security to HTML

From: Pd Rippe <casper@novacentral.com>
Date: Wed, 19 Apr 2000 21:07:54 -0400
Message-ID: <38FE586A.3A445172@novacentral.com>
To: Sameer Ajmani <ajmani@chord.lcs.mit.edu>
CC: www-html@w3.org

I think that your idea would be very useful, as I am creating a secure
site which includes ecommerce...and there is nothing stopping someone
from just looking through a browser's cache...

Although you said that it could gray it out, and keep it encrypted, I
think it would seem more logical if it just deleted the info, as it
wouldn't be able to be brought back anyway, because someone can use that
to their advantage

Sameer Ajmani wrote:
> 
> I have a proposal for a feature to add to HTML; my apologies if it has
> been proposed before:
> 
> Many sites have incorporated authentication mechanisms to guard clients'
> private data.  The servers also time out client sessions to prevent (in
> theory) the wrong people from using a client's browser session to access
> private data.  Unfortunately, this doesn't data on the screen or remove
> data from the client's cache.
> 
> I suggest an HTML tag that specifies when an object should "timeout":
> the browser can "gray out" the classified object when the specified
> amount of time has passed since the page was loaded from the server.
> Alternately, the server could specify an expiration date for the
> object.  The browser should also gray out classified objects on pages in
> cache.
> 
> I'm not sure if such a scheme would be accepted as a feature or an
> annoyance, but it should improve security.  Of course, this requires
> that classified data be encrypted when stored on disk (and possibly in
> memory as well).  Unfortunately, I'm not familiar enough with XHTML to
> suggest a syntax, but it may be possible to use its event model to
> schedule timeouts.
> 
> I'd appreciate any and all comments, and please let me know if this has
> been suggested before (I checked the archives and didn't find much).
> 
> Thanks,
> --Sameer Ajmani
> MIT Lab for Com Sci
> ajmani@mit.edu
Received on Wednesday, 19 April 2000 21:09:25 GMT
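
A sketch of the timeout behaviour discussed in this thread, added here as an example and not part of either message. The attribute names `data-timeout` and `data-expires`, the function names and the sample data are all assumptions; it compares the proposal's "gray out" with the reply's "delete", and keeps the clock tied to the original server load so a cached copy does not restart it.

```javascript
// Added illustration. "data-timeout" (seconds) and "data-expires" (date string)
// are hypothetical attribute names, not real HTML.

// Build a record for one classified object from its attributes.
// loadedAt is when the page came from the server (ms since epoch); a cached
// copy keeps the original value, so redisplaying it does not restart the clock.
function classify(attrs, content, loadedAt) {
  const timeoutSec = Number(attrs["data-timeout"]);
  const expiresAt = Date.parse(attrs["data-expires"]);
  const deadlines = [];
  if (Number.isFinite(timeoutSec) && timeoutSec >= 0) {
    deadlines.push(loadedAt + timeoutSec * 1000);
  }
  if (Number.isFinite(expiresAt)) deadlines.push(expiresAt);
  // Fail closed: with no usable deadline the object counts as already expired.
  const deadline = deadlines.length ? Math.min(...deadlines) : loadedAt;
  return { content, deadline, hidden: false };
}

// Apply the timeout to every object and return how many expired.
// mode "gray" hides the object but keeps its content (the original proposal);
// mode "delete" discards the content (the reply's preference).
function sweep(objects, now, mode) {
  let expired = 0;
  for (const obj of objects) {
    if (now < obj.deadline) continue;
    obj.hidden = true;
    if (mode === "delete") obj.content = null;
    expired++;
  }
  return expired;
}

// Constructed sample: page loaded at t0, viewed again from cache 10 minutes later.
const t0 = Date.parse("2000-04-19T21:00:00Z");
function demo(mode) {
  const objects = [
    classify({ "data-timeout": "300" }, "card ending 1234", t0),
    classify({ "data-expires": "2000-04-19T22:00:00Z" }, "order total", t0),
    classify({}, "no deadline given", t0),
  ];
  const expired = sweep(objects, t0 + 10 * 60 * 1000, mode);
  return { expired, objects };
}
```

In "gray" mode the expired content is still held by the browser, which is why the proposal needs it encrypted at rest; in "delete" mode there is nothing left to protect.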