Slashdot Mirror

← Back to Stories (view on slashdot.org)

21 Financial Sites Found To Store Sensitive Data In Browser Disk Cache

Posted by samzenpus on from the out-in-the-open dept.

An anonymous reader writes "The LA Times mentions that after visiting well known sites such as ADP, Verizon Wireless, Scottrade, Geico, Equifax, PayPal and Allstate, sensitive data remains in the browser disk cache despite those sites using SSL. This included full credit reports, prescription history, payroll statements, partial SSNs, credit card statements, and canceled checks. Web servers are supposed to send a Cache-Control: no-store header to prevent this, but many of the sites are sending non-standard headers recognized only by Internet Explorer, and others are sending no cache headers at all. While browsers were once cautious about writing content received over SSL to the disk cache, today, most do so by default unless the server specifies otherwise."

27 of 118 comments (clear)

  1. And that my friends by mitcheli · · Score: 3, Interesting

    would be why I have no Internet Cache. Disabled immediately after install. What is also concerning is the myriad of other client side data storage techniques (to include the newer ones with HTML5) Firefox does a pretty good job with plugins and Chrome to some extent as well, but with Apple refusing to allow addons in their Webkit and Microsoft doing whatever it does with IE, this issue is likely to get worse as technology continues to evolve.

    --
    Select from tblFriends where interesting >= 4;
    1. Re:And that my friends by AK+Marc · · Score: 2

      "Their webkit" could be translated as "Safari, Apple's Webkit-based browser." So I don't see your correction as changing the meaning. Maybe because so many here know the correction you made, that only those reading with the "goal" of proving someone wrong would deliberately read it so obtusely.

      --
      Learn to love Alaska
    2. Re:And that my friends by Pope · · Score: 2

      Apple not allowing the what now? http://extensions.apple.com/

      --
      It doesn't mean much now, it's built for the future.
  2. "Despite Using SSL" by Anonymous Coward · · Score: 3, Insightful

    What does SSL have to do with what happens to the data once it's local?

    I understand that most people are clueless, but this is slashdot still, right? I haven't stumbled upon some other site on which to dig up TFA (not that I've read it).

    1. Re:"Despite Using SSL" by Anonymous Coward · · Score: 2, Informative

      As the summary says, browsers were once cautious about writing content received over SSL to the disk cache. The use of SSL provides a hint to the browser that the data is sensitive, but now browsers choose -- despite the use of SSL -- to store the unencrypted data anyway.

    2. Re:"Despite Using SSL" by icebike · · Score: 4, Interesting

      That has never been the standard. And it would have violated several standards if you arbitrarily decided to not cache any ssl delivered data. Ssl was for protection of data in transit, not before or after the transmission is complete. The protection was not intended to outlive the actual connection.

      You are confusing the recommendations for caching proxies with the recommendation for the intended endpoint.

      --
      Sig Battery depleted. Reverting to safe mode.
    3. Re:"Despite Using SSL" by blueg3 · · Score: 2

      And it would have violated several standards if you arbitrarily decided to not cache any SSL delivered data.

      What part of the standard? Last I knew, you're not required to cache any data, and what data you choose to cache and not cache is up to you, unless the headers tell you otherwise.

  3. Simple by c0lo · · Score: 2

    Make all you sensitive transaction from a live read-only image of the OS.

    ...

    My apologies: I forgot that, in this imperfect world, there are hardware/OS-es which can't be booted from a live image.
    (ducks)

    --
    Questions raise, answers kill. Raise questions to stay alive.
  4. Safari doesn't cache at all by david.emery · · Score: 4, Informative

    From the securityevaluators.com document (2nd reference in the base article): Safari. Apple Safari does not cache HTTPS-delivered content to disk, regardless of any headers sent by the server. ISE tested the mobile version of Safari on an iPad 2, and the HTTPS caching behavior was identical to the desktop version.

  5. Re:Scaremongering by YA_Python_dev · · Score: 2

    A shared computer should not let users see other users' private files (and browser caches are most definitely not world-readable). This is what happens with Android multi-login, Chrome OS and traditional Linux distros. I'm fairly certain the same is also true for Windows and Mac OS X.

    If I temporarily let someone use my computer with my account, I sure as hell keep an eye on what they are doing, because the thing contains stuff about me that's much more sensitive than anything that paypal or my bank will ever know.

    --
    There's a hidden treasure in Python 3.x: __prepare__()
  6. Re:Scaremongering by jkflying · · Score: 2

    If you're not using your computer, you should expect keyloggers and never sign into anything which doesn't have 2-factor authentication.

    --
    Help I am stuck in a signature factory!
  7. This is actually a very bad idea, if true by YA_Python_dev · · Score: 2, Interesting

    This actually decreases security. Browser caching is strictly necessary to make the web work fast, disabling it for HTTPS means discouraging websites from using secure connections for anything where it's not strictly necessary (like money). And $DEITY knows we live in a world where every website should be secure by default. You wouldn't use telnet even for a completely non-sensitive server, so why accept unencrypted HTTP to post on slashdot or anywhere else?

    --
    There's a hidden treasure in Python 3.x: __prepare__()
    1. Re:This is actually a very bad idea, if true by bloodhawk · · Score: 3, Insightful

      The real problem here is the standard is just plain retarded. Even though I hate Apple I think their approach is the lesser evil. The default should be don't cache, web servers should then be able to enable caching if they want to sacrifice some security for performance (assuming the user hasn't explicitly disabled caching). It would be nice to be able to rely on users having well managed machines or the internet being made up of mostly well managed servers but lets face it that aint happening anytime soon in anything but well run enterprises and IT literate end users.

    2. Re:This is actually a very bad idea, if true by anegg · · Score: 4, Insightful

      Note that the claim is that Safari doesn't cache to DISK, not that Safari doesn't cache. I.e., Safara doesn't store information that was deemed sensitive enough to require a secure channel on a long-term (probably unencrypted) storage medium.

  8. Reading fail by wonkey_monkey · · Score: 2, Insightful

    but many of the sites are sending non-standard headers recognized only by Internet Explorer

    Still, you got paid, what do you care?

    --
    systemd is Roko's Basilisk.
    1. Re:Reading fail by wonkey_monkey · · Score: 2

      Most of them do implement the standard ones. That's why they're called standards.

      --
      systemd is Roko's Basilisk.
  9. Interesting second link by Bearhouse · · Score: 4, Interesting

    With a well-written and refreshingly non-partisan review of why and how this happened, showing that, as with many cluster-fsuks, it's the result of a chain of decisions where each seemed sensible at the time.

    Everybody dropped the ball here:
    - website owners & authors too incompetent or lazy to keep abreast of standards and changing conditions,
    - Microsoft for being, well, Microsoft (not really respecting standards),
    - Google (Chrome) & Mozilla for changing the default behaviour of their browsers to store https traffic instead of not, (although this, ironically, is the standard unless the site properly says "do not store"; see point 1.)

    Raises the interesting question; who on earth thought, in this era of increasing bandwidth, that it would be a good idea to store https data locally?

    1. Re:Interesting second link by anegg · · Score: 2

      Part of the problem is that the browser, which should be a tool of the user, has become a surrogate tool of the servers which the user accesses. The more that browsers are called upon to do to offload processing from the server (Java, Javascript, etc.) the less the browser is under the control of the user. For example, reading any major news site, the "other things you may be interested in" links all appear in Explorer and Safari to be simple links, but they actually have complex Javascript that routes your click through "outbrain" for analytic processing... you can turn off Javascript to avoid this, but then many other sites you use will stop working.

  10. Shift-reload every time you switch away by tepples · · Score: 2

    The standards don't *require* you to cache anything.

    But if web browsers were to routinely do the equivalent of a Shift+reload every time the user switches away from and back to a browser tab because there is no cache, web server operators would likely be up in arms over bandwidth "abuse". They'd end up putting in a module to provide an intentionally low-bandwidth experience to users that don't cache, identified by their user agent or by a session cookie.

    1. Re:Shift-reload every time you switch away by jeffmeden · · Score: 2

      The standards don't *require* you to cache anything.

      But if web browsers were to routinely do the equivalent of a Shift+reload every time the user switches away from and back to a browser tab because there is no cache, web server operators would likely be up in arms over bandwidth "abuse". They'd end up putting in a module to provide an intentionally low-bandwidth experience to users that don't cache, identified by their user agent or by a session cookie.

      Ding ding ding! What has happened is the unintended consequence of sites using SSL as a blanket instead of a pinpoint. It used to be that the burden of encryption was only placed on the most sensitive of data, like a banking session or a protected site log-in, so caching it was de facto a bad idea since the user isnt likely to visit those specific pages often, and is never likely to want to see what was there the last time they visited. Now, with CPU cycles so cheap that we might as well encrypt everything (and with more users wanting to see "https://" everywhere they go), using SSL as a signal of pages unworthy of caching is not practical. What should have been done "the right way" in the web sites AND browsers of yore was ignored due to the browsers preferring a non-universal way of handling cache, relieving web sites of the need, and has been undone by websites that dont have the need (encrypting your google searches? come on, they are spying on you anyway) leaving us all in the uncomfortable position of realizing that what was a good idea YEARS ago is still not followed very closely.

  11. Bandwidth bill by tepples · · Score: 2

    Safari doesn't cache at all for HTTPS

    Perhaps this is why certain web sites don't support HTTPS at all: because Safari users would run up their bandwidth bill.

  12. Confirms what I've suspected ... by gstoddart · · Score: 3, Interesting

    This pretty much confirms what we've all known for a long time -- the security of these things is largely written by people who are unqualified to write secure applications, and people who write IE specific stuff write shit code.

    Your financial information is being handled by people who are either lazy or incompetent, and the company is more interested in the spinning, flaming logo than anything like security.

    --
    Lost at C:>. Found at C.
  13. The fail is your monkeyboy. by DaveV1.0 · · Score: 2, Interesting

    Maybe you should try reading the second link from the summary and take a look at the standard heads. What you would find is that the standard is "no-cache". Chrome and Firefox use the non-standard "no-store". But, guess which browser supports three different headers, and the only one to actually support the standard? IE.

    --
    There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
    1. Re:The fail is your monkeyboy. by halltk1983 · · Score: 4, Informative

      http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.2

      Seems like it's mentioned there to me...

      --
      Watch for Penguins, they eat Apples and throw rocks at Windows.
    2. Re:The fail is your monkeyboy. by operagost · · Score: 2

      No-store is standard and, in this context, would have the same effect as no-cache. Go home, Ballmer, you're drunk.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
  14. AES cache by tepples · · Score: 2

    if all this data is cached to disc, if you hardware is EVER compromised... now or in the future... they have it

    Then encrypt the cache with a secret key that changes every time the browser is restarted. A key won't last very long in a powered down system unless the attacker does the highly visible operation of physically freezing the RAM.

  15. HTTPS to avoid session cookie cloning by tepples · · Score: 3, Informative

    It used to be that the burden of encryption was only placed on the most sensitive of data, like a banking session or a protected site log-in [but there are] websites that dont have the need (encrypting your google searches? come on, they are spying on you anyway)

    If you allow users to log in at all but don't encrypt everything, an attacker who can see a user's packets can snoop the user's session cookie and issue requests as that user for several minutes to several hours. The "Firesheep" plug-in, which allowed cloning the Facebook sessions of other users connected to the same wireless network, was the first widely reported incident of this.