
Industry-Wide Misunderstandings of HTTPS

  • Conference paper
  • Information Security and Cryptology -- ICISC 2013 (ICISC 2013)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 8565)


Abstract

In a survey of 30 sites that serve sensitive content over an HTTPS-protected connection, we found that over 70% of them failed to appropriately prevent disk caching, and left unencrypted sensitive content behind on end-users’ machines, at risk for later exposure. Moreover, over half of the sites that failed to prevent disk caching appeared to have attempted to do so using outdated, non-standard, or erroneous methods, some of which failed entirely, while others were only successful at preventing disk caching in certain browsers, but not all.

In an effort to explain this widespread failure, our research has uncovered drastically inconsistent behavior across browsers, inconsistent support of standard and non-standard anti-disk-caching directives, and even inconsistent and incorrect recommendations from authoritative sources in the security community. Through this history we show that web developers are not solely to blame, and that web browser developers, web server developers, security professionals and authors of online sources, and perhaps even the standards bodies should share in this failure.

In this paper, we identify the disk caching behaviors of all major browsers, and describe how to reliably prevent disk caching for each of them. We present the results of our site survey, demonstrating widespread failures to prevent disk caching of sensitive data. We introduce a tool for Firefox users to reliably prevent disk caching of HTTPS-protected content, despite failures by the web application, and we provide an online tool to help web developers identify how to reliably prevent disk caching across multiple browsers. Lastly, we make recommendations to the various parties with a hand in this failure on how to address these issues going forward.
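The abstract contrasts the standard anti-caching directive with the outdated or erroneous methods the surveyed sites used. The following is an added example, not code from the paper or its authors, that audits a response's headers for the standard `Cache-Control: no-store` directive (defined in RFC 2068 and kept in RFC 2616, per note 1) and flags the weaker patterns the page's references describe: `Cache-Control: no-cache` alone, `Pragma: no-cache` alone (reference [13]), and `Cache-Control: public` (reference [4]). The sample responses are constructed for illustration, and the checker does not reproduce the paper's per-browser findings, so a positive result means "uses the standard directive", not "verified in every browser".

```python
"""Audit HTTPS response headers for the disk-caching directives the paper discusses.

Added example, not code from the paper or its authors. The header sets below
are constructed; 'has_no_store' reports only whether the standard directive
is present, not browser-specific behaviour.
"""
from typing import Dict, List


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split a Cache-Control value into {directive: argument}.

    Directive names are case-insensitive, so they are lower-cased; an
    argument such as max-age=0 is kept as the string '0', and quoted
    arguments have their quotes stripped.
    """
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def assess_disk_caching(headers: Dict[str, str]) -> Dict[str, object]:
    """Return {'has_no_store': bool, 'findings': [...]} for one response.

    Header names are matched case-insensitively. Rules:
      - no-store present: the standard instruction not to store the response.
      - no-cache only: forces revalidation before reuse; it does not forbid
        writing the bytes to disk.
      - Pragma: no-cache only: an HTTP/1.0 directive; reference [13] on the
        page notes it may not prevent a page from being cached.
      - public: explicitly marks the response cacheable (reference [4]).
    """
    lowered = {name.lower(): val for name, val in headers.items()}
    directives = parse_cache_control(lowered.get("cache-control", ""))
    findings: List[str] = []

    has_no_store = "no-store" in directives
    if has_no_store:
        findings.append("Cache-Control: no-store present")
    else:
        findings.append("Cache-Control: no-store missing")
        if "no-cache" in directives:
            findings.append(
                "Cache-Control: no-cache only requires revalidation; "
                "the response may still be written to disk"
            )
        if "no-cache" in lowered.get("pragma", "").lower():
            findings.append(
                "Pragma: no-cache is an HTTP/1.0 directive and is not a "
                "reliable substitute for Cache-Control: no-store"
            )
    if "public" in directives:
        findings.append("Cache-Control: public marks the response as cacheable")

    return {"has_no_store": has_no_store, "findings": findings}


# Constructed sample responses (hypothetical, not from the paper's survey).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "standard": {
        "Content-Type": "text/html",
        "Cache-Control": "no-store, no-cache, must-revalidate",
        "Pragma": "no-cache",
    },
    "pragma_only": {"Content-Type": "application/pdf", "Pragma": "no-cache"},
    "no_cache_only": {"Content-Type": "text/html", "cache-control": "No-Cache"},
    "unprotected": {"Content-Type": "image/png", "Cache-Control": "public, max-age=3600"},
}


def audit_samples() -> Dict[str, bool]:
    """Map each constructed sample to whether it carries no-store."""
    return {name: bool(assess_disk_caching(hdrs)["has_no_store"])
            for name, hdrs in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        verdict = assess_disk_caching(hdrs)
        print(f"{name}: no-store={verdict['has_no_store']}")
        for line in verdict["findings"]:
            print(f"    - {line}")
```

Running the script prints a verdict per constructed sample; in practice the same function would be fed the headers of a real response captured from the site under review, and each finding points at which of the patterns the abstract calls outdated or erroneous is in use.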


Notes

  1. The current RFC 2616 was published in 1999, but obsoleted this older RFC 2068, which already defined Cache-Control: no-store.

  2. http://mirror.umd.edu/centos/6.4/updates/i386/Packages/mod_ssl-2.2.15-28.el6.centos.i686.rpm

  3. This page [13] shows that browser.cache.disk_cache_ssl was set to false in revision 1.1 when Netscape first released the source.

  4. http://securityevaluators.com/content/case-studies/caching/extension.jsp

References

  1. Barish, G., Obraczka, K.: World Wide Web caching: trends and techniques. IEEE Commun. Mag. 38(5), 178–184 (2000)

  2. Microsoft: How to prevent caching in Internet Explorer. http://support.microsoft.com/kb/234067. Accessed 26 July 2013

  3. Appel, S.: Secure sockets layer discussion list FAQ v1.1.1, faqs.org, 16 November 1998. http://www.faqs.org/faqs/computer-security/ssl-talk-faq/. Accessed 26 July 2013

  4. Mozilla: Firefox ignores “Cache-control: public” header on TLS connections, 19 July 2006. https://bugzilla.mozilla.org/show_bug.cgi?id=345181. Accessed 26 July 2013

  5. Microsoft: Cannot open files on secure servers. http://support.microsoft.com/kb/254324. Accessed 26 July 2013

  6. Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Berners-Lee, T.: Hypertext Transfer Protocol – HTTP/1.1 (RFC 2068), IETF (1997)

  7. Schillace, S.: Default https access for Gmail, Google, 12 January 2010. http://gmailblog.blogspot.com/2010/01/default-https-access-for-gmail.html. Accessed 25 July 2013

  8. Rice, A.: Keeping users safe, Facebook, 13 May 2011. https://developers.facebook.com/blog/post/499/. Accessed 26 July 2013

  9. Mozilla: Should cache SSL content to disk even without Cache-Control: public, 30 November 2009. https://bugzilla.mozilla.org/show_bug.cgi?id=531801. Accessed 26 July 2013

  10. Wikipedia: Usage share of web browsers. http://en.wikipedia.org/wiki/Browser_market_share. Accessed 25 July 2013

  11. Berners-Lee, T., Fielding, R., Frystyk, H.: Hypertext Transfer Protocol – HTTP/1.0 (RFC 1945), IETF (1996)

  12. The Apache Software Foundation: Revision 966055, 20 July 2010. http://svn.apache.org/viewvc?view=revision&revision=966055. Accessed 26 July 2013

  13. Microsoft: “Pragma: No-cache” tag may not prevent page from being cached. http://support.microsoft.com/kb/222064. Accessed 26 July 2013

  14. Nottingham, M.: Caching tutorial for web authors and webmasters, 06 May 2013. http://www.mnot.net/cache_docs. Accessed 26 July 2013

  15. OWASP: OWASP Application Security FAQ, 22 April 2007. https://www.owasp.org/index.php/OWASP_Application_Security_FAQ#Am_I_totally_safe_with_these_directives.3F. Accessed 26 July 2013

  16. Ponemon Institute: The billion dollar lost laptop problem (2010)

  17. Lookout: Lookout projects lost and stolen phones could cost U.S. consumers over $30 billion in 2012, 21 March 2012

  18. Chromium: Contents of /releases/1.0.154.53/src/net/http/http_cache.cc, 26 July 2008. http://src.chromium.org/viewvc/chrome/releases/1.0.154.53/src/net/http/http_cache.cc?revision=14. Accessed 26 July 2013


Author information

Correspondence to Stephen Bono or Jacob Thompson.


Appendix A

Fig. 1. Check image from PNC.

Fig. 2. Full credit report from Equifax.

Fig. 3. Prescription information from Argus.

Fig. 4. Credit card account statement from Boscov’s.

Fig. 5. Paystub from ADP.

Fig. 6. Account information from Treasury Direct.


Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Bono, S., Thompson, J. (2014). Industry-Wide Misunderstandings of HTTPS. In: Lee, HS., Han, DG. (eds) Information Security and Cryptology -- ICISC 2013. ICISC 2013. Lecture Notes in Computer Science, vol 8565. Springer, Cham. https://doi.org/10.1007/978-3-319-12160-4_30

  • DOI: https://doi.org/10.1007/978-3-319-12160-4_30

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-12159-8

  • Online ISBN: 978-3-319-12160-4
