David A. Wheeler's Blog

Thu, 20 Jun 2013

Industry-wide Misunderstandings of HTTPS (SSL/TLS)

Industry-wide Misunderstandings of HTTPS describes a nasty security problem involving HTTPS (SSL/TLS) and caching. The basic problem is that developers of web applications do not know or understand web standards. The result: 70% of sites tested expose private data on users’ machines by recording data that is supposed to be destroyed.

Here’s the abstract: “Most web browsers, historically, were cautious about caching content delivered over an HTTPS connection to disk - to a greater degree than required by the HTTP standard. In recent years, in response to the increased use of HTTPS for non-sensitive data, and the proliferation of bandwidth-hungry AJAX and Web 2.0 sites, some browsers have been changed to strictly follow the standard, and cache HTTPS content far more aggressively than before. HTTPS web servers must explicitly include a response header to block standards-compliant browsers from caching the response to disk - and not all web developers have caught up to the new browser behavior. ISE identified 21 (70% of sites tested) financial, healthcare, insurance and utility account sites that failed to forbid browsers from storing cached content on disk, and as a result, after visiting these sites, unencrypted sensitive content is left behind on end-users’ machines.”

This vulnerability isn’t as easy to exploit as some other problems; it just means that data that should have been destroyed is hanging around. But it does set up serious problems, because information that should have been destroyed is instead left behind on the user’s disk.

This is really just yet another example of the security problems that can happen when people assume, “the only web browser is Internet Explorer 6”. That was never true, and by ignoring standards, they set themselves up for disaster. This isn’t even a new standard; HTTP version 1.1 was released in 1999, so there’s been plenty of time to fix things. Today, many modern systems use AJAX, and SSL/TLS encryption is far more widely used as well, and given these changing conditions, web browsers are changing in standards-compliant ways. Web application developers who followed the standard are doing just fine. The web application developers who ignored the standards are, once again, putting their users at risk.
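As an added example (not code from this post, from ISE, or from any browser), here is a small Python checker that applies the HTTP/1.1 caching rules to a response’s headers and reports whether a standards-compliant browser may write it to disk. It assumes a 200 response, and the sample responses are constructed; the point it shows is that only `Cache-Control: no-store` forbids storage, while the headers developers commonly rely on do not.

```python
# Added example: decide whether a standards-compliant browser may write an
# HTTPS response to its on-disk cache, from the response headers alone.
# Per HTTP/1.1 caching rules (RFC 7234), only 'Cache-Control: no-store'
# forbids storage; 'no-cache', 'private', 'max-age=0' and a past 'Expires'
# only govern reuse/revalidation, and 'Pragma: no-cache' is a request
# directive with no defined meaning in a response. Assumes a 200 status.

def cache_control_directives(value):
    """Parse a Cache-Control value into {directive: argument_or_None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def may_be_written_to_disk(headers):
    """Return (storable, reason) for a dict of response headers (any case)."""
    lower = {k.lower(): v for k, v in headers.items()}
    cc = cache_control_directives(lower.get("cache-control", ""))
    if "no-store" in cc:
        return False, "Cache-Control: no-store forbids storing the response"
    # Headers developers often rely on that do NOT stop a browser cache.
    ineffective = []
    if "no-cache" in cc:
        ineffective.append("no-cache only forces revalidation before reuse")
    if "private" in cc:
        ineffective.append("private only excludes shared caches; a browser cache is private")
    if "max-age" in cc or "expires" in lower:
        ineffective.append("a short or past freshness lifetime still permits storage")
    if "no-cache" in lower.get("pragma", "").lower():
        ineffective.append("Pragma: no-cache is a request directive, undefined in responses")
    if ineffective:
        return True, "storable; " + "; ".join(ineffective)
    return True, "storable; no caching headers at all"

# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "account-page-bad": {"Content-Type": "text/html", "Pragma": "no-cache",
                         "Cache-Control": "private, no-cache, max-age=0", "Expires": "0"},
    "account-page-good": {"Content-Type": "text/html",
                          "Cache-Control": "no-store, must-revalidate"},
    "logo": {"Content-Type": "image/png", "Cache-Control": "public, max-age=86400"},
}

def audit(samples=SAMPLES):
    """Return {name: (storable, reason)} for each sample response."""
    return {name: may_be_written_to_disk(h) for name, h in samples.items()}

if __name__ == "__main__":
    for name, (storable, reason) in audit().items():
        print(f"{name}: {'STORABLE' if storable else 'not stored'} -- {reason}")
```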
