WebApp Sec mailing list archives

Re: Is disabling browser caching secure?

From: Pilon Mntry <pilonmntry () yahoo com>
Date: Tue, 18 Apr 2006 22:54:51 -0700 (PDT)


For a shared-computing environment, disabling browser
cache (including ssl pages, which IE doesn't do by
default) should be helpful.

For a privately owned machine, again, it might be
helpful not to cache pages against spyware risk.

But, yes, a custom browser might easily by-pass such a
control (precaution). 

That aside, a poisoned browser (malicious bho on IE,
for example, or an extension in FF) may store visited
pages even if its caching ability is disabled.

-pilon

--- smith.norton () gmail com wrote:

Many articles on the net speaks of disabling browser
caching.

I don't feel its secure because even if a browser
faithfully follows the protocol, a programmer might
write a small browser of his own which caches all
pages.

What do others say?

-------------------------------------------------------------------------

This List Sponsored by: SPI Dynamics

ALERT: "How A Hacker Launches A Web Application
Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks
with real-world 
examples of recent hacking methods such as: SQL
Injection, Cross Site 
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl

--------------------------------------------------------------------------



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

-------------------------------------------------------------------------
This List Sponsored by: SPI Dynamics

ALERT: "How A Hacker Launches A Web Application Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world 
examples of recent hacking methods such as: SQL Injection, Cross Site 
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------

Current thread:

Is disabling browser caching secure? smith . norton (Apr 18)
- Re: Is disabling browser caching secure? Kyle Maxwell (Apr 19)
- Re: Is disabling browser caching secure? Pilon Mntry (Apr 19)
- Re: Is disabling browser caching secure? Rogan Dawes (Apr 19)
- Re: Is disabling browser caching secure? lucip (Apr 19)
- Re: Is disabling browser caching secure? Reid Nichol (Apr 19)