Slashdot Mirror


21 Financial Sites Found To Store Sensitive Data In Browser Disk Cache

An anonymous reader writes "The LA Times mentions that after visiting well known sites such as ADP, Verizon Wireless, Scottrade, Geico, Equifax, PayPal and Allstate, sensitive data remains in the browser disk cache despite those sites using SSL. This included full credit reports, prescription history, payroll statements, partial SSNs, credit card statements, and canceled checks. Web servers are supposed to send a Cache-Control: no-store header to prevent this, but many of the sites are sending non-standard headers recognized only by Internet Explorer, and others are sending no cache headers at all. While browsers were once cautious about writing content received over SSL to the disk cache, today, most do so by default unless the server specifies otherwise."
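The summary's distinction between `Cache-Control: no-store` and other cache headers is easy to get wrong, so here is an added example (not from the article or the ISE report) that classifies a set of constructed HTTP response headers by whether they actually keep the body out of a browser's disk cache, following the RFC 2616 section 14.9.2 rule that only `no-store` forbids storage. The sample responses, the verdict names and the helper `headers_for_sensitive_response` are assumptions for illustration; the treatment of `no-cache`/`Pragma` as "stored but revalidated" reflects the summary's point that some headers are honoured as no-store only by Internet Explorer.

```python
"""Classify HTTP response headers by whether they stop a browser from
writing the response body to its disk cache.

Added example, not code from the article or from ISE. All sample
responses below are constructed for illustration.
"""
from typing import Dict


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split a Cache-Control header value into a directive -> argument map.

    Directive names are case-insensitive (RFC 2616 section 14.9); quoted
    arguments have their quotes stripped. Directives without an argument
    map to an empty string.
    """
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def disk_cache_verdict(headers: Dict[str, str]) -> str:
    """Return one of four constructed verdict labels:

    'not-stored'      Cache-Control: no-store is present. This is the
                      standard (RFC 2616 14.9.2) way to keep the body off
                      disk in every browser.
    'revalidate-only' Only no-cache (or Pragma: no-cache) is present. The
                      body may still be written to disk; it just has to be
                      revalidated before reuse. Treating this as no-store
                      is the IE-only behaviour the summary refers to.
    'private-store'   Cache-Control: private without no-store. Shared
                      proxies must not store it, but the user's own browser
                      cache may, which is the endpoint-versus-proxy
                      distinction raised in the comments.
    'cacheable'       Nothing in the headers restricts disk caching.

    Header names are matched case-insensitively.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    if "no-store" in cc:
        return "not-stored"
    if "no-cache" in cc or lower.get("pragma", "").strip().lower() == "no-cache":
        return "revalidate-only"
    if "private" in cc:
        return "private-store"
    return "cacheable"


def headers_for_sensitive_response() -> Dict[str, str]:
    """Headers a server should attach to a response carrying account data.

    no-store is the directive that matters; other directives may be added
    alongside it, but none of them substitutes for it.
    """
    return {"Cache-Control": "no-store"}


# Constructed sample responses, modelled on the kinds of pages the summary
# lists (payroll statement, credit report, statement download, account page).
SAMPLE_RESPONSES = {
    "payroll_statement": {"Content-Type": "application/pdf"},
    "credit_report": {"Cache-Control": "no-cache", "Pragma": "no-cache"},
    "statement_download": {"Cache-Control": "no-store, no-cache, must-revalidate"},
    "account_page": {"Cache-Control": "private, max-age=0"},
}


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Run disk_cache_verdict over a name -> headers map."""
    return {name: disk_cache_verdict(h) for name, h in responses.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{name:20s} {verdict}")
```

Only the response with `no-store` comes back as `not-stored`; the `no-cache`-only credit report, the header-less payroll PDF and the `private` account page all remain eligible for the browser's disk cache on a standards-following client.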

5 of 118 comments

  1. Safari doesn't cache at all (by david.emery, Score: 4, Informative)

    From the securityevaluators.com document (2nd reference in the base article): Safari. Apple Safari does not cache HTTPS-delivered content to disk, regardless of any headers sent by the server. ISE tested the mobile version of Safari on an iPad 2, and the HTTPS caching behavior was identical to the desktop version.

  2. Re:"Despite Using SSL" (by icebike, Score: 4, Interesting)

    That has never been the standard. And it would have violated several standards if you arbitrarily decided to not cache any SSL-delivered data. SSL was for protection of data in transit, not before or after the transmission is complete. The protection was not intended to outlive the actual connection.

    You are confusing the recommendations for caching proxies with the recommendation for the intended endpoint.

    --
    Sig Battery depleted. Reverting to safe mode.

  3. Interesting second link (by Bearhouse, Score: 4, Interesting)

    With a well-written and refreshingly non-partisan review of why and how this happened, showing that, as with many cluster-fsuks, it's the result of a chain of decisions where each seemed sensible at the time.

    Everybody dropped the ball here:
    - website owners & authors too incompetent or lazy to keep abreast of standards and changing conditions,
    - Microsoft for being, well, Microsoft (not really respecting standards),
    - Google (Chrome) & Mozilla for changing the default behaviour of their browsers to store https traffic instead of not, (although this, ironically, is the standard unless the site properly says "do not store"; see point 1.)

    Raises the interesting question: who on earth thought, in this era of increasing bandwidth, that it would be a good idea to store https data locally?

  4. Re:This is actually a very bad idea, if true (by anegg, Score: 4, Insightful)

    Note that the claim is that Safari doesn't cache to DISK, not that Safari doesn't cache. I.e., Safari doesn't store information that was deemed sensitive enough to require a secure channel on a long-term (probably unencrypted) storage medium.

  5. Re:The fail is your monkeyboy. (by halltk1983, Score: 4, Informative)

    http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.2

    Seems like it's mentioned there to me...

    --
    Watch for Penguins, they eat Apples and throw rocks at Windows.