Presentation is loading. Please wait.

Presentation is loading. Please wait.

C.R.E.A.M. – Cache Rules Evidently Ambiguous, Misunderstood Presented by JD Nir Written by Jacob Thompson and Stephen Bono.

Published byMaritza Heslep Modified over 9 years ago

Similar presentations

Presentation on theme: "C.R.E.A.M. – Cache Rules Evidently Ambiguous, Misunderstood Presented by JD Nir Written by Jacob Thompson and Stephen Bono."— Presentation transcript:

1

2 C.R.E.A.M. – Cache Rules Evidently Ambiguous, Misunderstood Presented by JD Nir jnir@securityevaluators.com Written by Jacob Thompson and Stephen Bono Independent Security Evaluators

3 About ISE We are: – Computer Scientists – Ethical Hackers Our customers are: – Fortune 500 enterprises – Entertainment, security software, healthcare

4 Overview Caching and HTTPS 21 of 30 HTTPS sites left sensitive information on disk Ambiguity – Disk caching policies have never been consistent across all browsers – Cache policies have changed recently Misunderstandings among developers and others

5 Caching Accessing data over the internet is slow Some resources are accessed frequently Data can be cached – stored on a hard drive for faster access

6 HTTPS HTTP data can be intercepted and read To protect sensitive data, HTTPS encrypts communication

7 Caching HTTPS data HTTPS is slower than HTTP, so data is usually sensitive Storing sensitive data to disk is a security threat

8 Payroll Statement from ADP Name Address Last four of SSN Last four of bank acct. Non-standard headers Disk cached in Firefox, Chrome

9 Prescription claims from Argus Name Medication names and dosages No caching headers Disk cached in IE, Firefox Chrome

10 Credit Report from Equifax Name Credit score Credit report No caching headers Disk cached in IE, Firefox, Chrome

11 Sites with Caching Issues ADP Allstate Argus Health BB&T BGE Boscov's eBillity Equifax eRenterPlan GEICO Liberty Mutual MetLife M&T Bank PayPal PNC Bank Scottrade Toyota Financial Trade King TreasuryDirect T. Rowe Price Verizon Wireless

12 Types of Cached Sensitive Data Name Postal Address Email Address Phone Number Date of birth Last 4 digits of SSN Bank account numbers Check images Medical prescriptions Credit card account numbers Stock positions and balances Insurance policy numbers, amounts VINs Life insurance beneficiaries

13 Evolution of Caching Policy 1995 – Netscape 1 does not disk cache HTTPS content 1996 – Netscape 2 is opt out: caches unless Pragma: no- cache header or meta tag is set – IE 3 copies Netscape opt-out behavior – Netscape 3 reverts, does not cache by default

14 Evolution of Caching Policy cont. 1997 – RFC 2068 introduces Cache-Control header – IE 4 supports Cache-Control when sent by an HTTP/1.1 server – Cache-Control: no-cache prevents disk caching in IE – Pragma: no-cache remains supported 1998 – Mozilla scraps Netscape code; begins rewrite – Pragma: no-cache support lost in rewrite

15 Evolution of Caching Policy cont. 2000 – Netscape 6 released, does not cache – Pragma: no-cache is lost (but no one notices) – Apache SSL bug workaround introduced; breaks Cache-Control support in IE 4-8 2003 – Safari released; never caches

16 Evolution of Caching Policy cont. 2008 – Firefox 3 is opt-in: caches only if Cache-Control: public is set – Chrome is opt-out: caches unless Cache-Control: no-store is set – Chrome does not support Pragma: no-cache 2010 – Apache trunk patched; Cache-Control breakage now restricted to IE 4, 5

17 Evolution of Caching Policy cont. 2011 – Firefox 4 adopts Chrome’s opt-out caching by default – IE 9 accepts Cache-Control headers over HTTP/1.0 2013 – IE 10 caches despite Cache-Control: no-cache – ISE tests 30 HTTPS sites; 21 fail to set – Cache-Control: no-store on sensitive data – IE 8 Cache-Control support still broken by Apache software in latest CentOS

18 History of Disk Caching Policies Never cache HTTPS – Netscape 1, 3+ – Mozilla – Firefox 1, 2 – Safari Opt-in – Firefox 3, 3.5 Non-standard opt-out – Netscape 2 – IE 3 Generous opt-out – IE 4-8 – IE 9 – IE 10 Strict standards compliance – Chrome – Firefox 4+

19 Reliably Prevent Disk Caching Use two HTTP headers (not meta tags): Pragma: no-cache – IE 8 and earlier with HTTP/1.0 servers Cache-Control: no-store – All other cases

20 How to Fail at Preventing Caching Cache-Control: no-cache – Not standard – Works in IE 4-9 – Broken in IE 10 Pragma: no-cache – Only works in IE Cache-Control: private – Not for browsers Cache-Control in meta tags – Not recognized in any browser Cache-Control with HTTP/1.0 – Broken in IE 4-8

21 Google: – “browsers do not cache ssl” – “browsers do not cache https” Caching Misunderstandings

22 Browser Developers Favorite quote from Mozilla bug 531801: I’m on MoCo’s security team :) Among sites that don’t use cache- control:no-store, the correlation between “SSL” and “sensitive” is very low.

23 Recommendations Fix web applications Fix browsers (maybe?) Fix bad documentation Update web standards Try our demo site for yourself: https://demo.securityevaluators.com

24 Questions? Full report: http://securityevaluators.com/content/case-studies/caching/ Demo: https://demo.securityevaluators.com/

Download ppt "C.R.E.A.M. – Cache Rules Evidently Ambiguous, Misunderstood Presented by JD Nir Written by Jacob Thompson and Stephen Bono."

Similar presentations

The Internet.

The Internet.
HTTPS Hypertext Transfer Protocol Secure Marcela López Hurtado.

HTTPS Hypertext Transfer Protocol Secure Marcela López Hurtado.
GW Introduction to Google Drive Security and Smart Sharing Practices.

GW Introduction to Google Drive Security and Smart Sharing Practices.
1 Identity Theft and Phishing: What You Need to Know.

1 Identity Theft and Phishing: What You Need to Know.
Identity Theft: How to Protect Yourself. Identity Theft Identity theft defined:  the crime of obtaining the personal or financial information of another.

Identity Theft: How to Protect Yourself. Identity Theft Identity theft defined:  the crime of obtaining the personal or financial information of another.
Breaking Trust On The Internet

Breaking Trust On The Internet
Jason Rich CIS - 158 1.  The purpose of this project is to inform the audience about the act of phishing. Phishing is when fake websites are created.

Jason Rich CIS  The purpose of this project is to inform the audience about the act of phishing. Phishing is when fake websites are created.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
CHAPTER 3 Ethics and Privacy. Outline for Today Chapter 3: Ethics and Privacy Tech Guide: Protecting Information Assets REMINDER: Project 1 due tonight.

CHAPTER 3 Ethics and Privacy. Outline for Today Chapter 3: Ethics and Privacy Tech Guide: Protecting Information Assets REMINDER: Project 1 due tonight.
1 Caching in HTTP Representation and Management of Data on the Internet.

1 Caching in HTTP Representation and Management of Data on the Internet.
Data Security Issues in IR Eileen Driscoll Institutional Planning and Research Cornell University

Data Security Issues in IR Eileen Driscoll Institutional Planning and Research Cornell University
What’s a Web Cache? Why do people use them? Web cache location Web cache purpose There are two main reasons that Web cache are used:  to reduce latency.

What’s a Web Cache? Why do people use them? Web cache location Web cache purpose There are two main reasons that Web cache are used:  to reduce latency.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard
Web Proxy Server Anagh Pathak Jesus Cervantes Henry Tjhen Luis Luna.

Web Proxy Server Anagh Pathak Jesus Cervantes Henry Tjhen Luis Luna.
ONLINE SHOPPING BY ROMIL SOMAIYA FOR CLASH GROUP community LEICESTER ARTHERITIS SELF HELP ©

ONLINE SHOPPING BY ROMIL SOMAIYA FOR CLASH GROUP community LEICESTER ARTHERITIS SELF HELP ©
The World-Wide Web. Why we care? How much of your personal info was released to the Internet each time you view a Web page? How much of your personal.

The World-Wide Web. Why we care? How much of your personal info was released to the Internet each time you view a Web page? How much of your personal.
Computer Concepts 2014 Chapter 7 The Web and E-mail.

Computer Concepts 2014 Chapter 7 The Web and .
MD-EXPERT Designed with doctors for doctors. One solution for multiple platforms 248-464- 2959.

MD-EXPERT Designed with doctors for doctors. One solution for multiple platforms
CS101 Lecture 14 Security. Network = Security Risks The majority of the bad things that can be done deliberately to you or your computer happen when you.

CS101 Lecture 14 Security. Network = Security Risks The majority of the bad things that can be done deliberately to you or your computer happen when you.

Similar presentations

Ads by Google