WebApp Sec mailing list archives
Re: Is disabling browser caching secure?
From: "Kyle Maxwell" <krmaxwell () gmail com>
Date: Wed, 19 Apr 2006 16:07:41 -0500
On 18 Apr 2006 15:59:46 -0000, smith.norton () gmail com <smith.norton () gmail com> wrote:
Many articles on the net speak of disabling browser caching. I don't feel it's secure because even if a browser faithfully follows the protocol, a programmer might write a small browser of his own which caches all pages. What do others say?
Security is relative and has to take into account the threat. Specifically, are you just trying to prevent a user's personal data from being cached on a shared computer? Then you'll take a giant step by disabling browser caching. If you're trying to prevent a different threat, then you need to account properly for that. What you're trying to do is reduce the risk; sheer elimination is frequently impossible or at least infeasible. In other words, raise the bar for a successful attack given the value of the data you're protecting and the resources you have available to do so.
--
Kyle Maxwell
http://caffeinatedsecurity.com
[krmaxwell () gmail com]