- From: Jeffrey Mogul <mogul@pa.dec.com>
- Date: Thu, 12 Feb 98 11:29:58 PST
- To: http-wg@cuckoo.hpl.hp.com
Jim writes:
15.7 Proxy Caching
By their very nature, HTTP proxies and proxy caches are men-in-the-middle,
and open up clients to men-in-the-middle attacks. Compromise of the systems
on which the proxies run can result in both serious security and privacy
problems. Operators of HTTP proxy caches should treat the systems on which
the proxies run as very sensitive systems, since both personal information
and security-related information are usually present in the proxies, and all
sorts of potential attacks on clients are possible from such systems.
Log information gathered at such proxies often contains highly sensitive
personal information, and should be carefully guarded and appropriate
guidelines for use developed and followed. (Section 15.1.1).
Users of proxy caches need to be aware that they are no more trustworthy
than the people who run the proxy caches; HTTP itself cannot solve this
problem.
I'd suggest re-writing this to make it clear that the problem is
related primarily to the use of proxies, and not just to the use of caching:
15.7 Proxies and proxy caches
By their very nature, HTTP proxies are men-in-the-middle, and may
represent an opportunity for man-in-the-middle attacks. Compromise
of the systems on which the proxies run can result in serious
security and privacy problems. Proxies have access to
security-related information, personal information about individual
users and organizations, and proprietary information belonging to
users and content providers. A compromised proxy, or a proxy
implemented or configured without regard to security and privacy
considerations, might be used in the commission of a wide range of
potential attacks.
Proxy operators should protect the systems on which proxies run as
they would protect any system that contains or transports sensitive
information. In particular, log information gathered at proxies
often contains highly sensitive personal information, and/or
information about organizations. Log information should be
carefully guarded, and appropriate guidelines for use developed and
followed. (Section 15.1.1).
Caching proxies provide additional potential vulnerabilities, since
the contents of the cache represent an attractive target for
malicious exploitation. Because cache contents persist after an
HTTP request is complete, an attack on the cache may reveal
information long after a user believes that the information has
been removed from the network. Therefore, cache contents should
be protected as sensitive information.
Proxy implementors should consider the privacy and security
implications of their design and coding decisions, and of the
configuration options they provide to proxy operators (especially
the default configuration).
Users of a proxy need to be aware that they are no more trustworthy
than the people who run the proxy; HTTP itself cannot solve this
problem.
I would suggest adding:
The judicious use of cryptography, when appropriate, may suffice
to protect against a broad range of security and privacy attacks.
Such cryptography is beyond the scope of the HTTP/1.1 specification.
if people don't think this is going too far out on a political limb.
-Jeff
Received on Thursday, 12 February 1998 11:32:17 UTC
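The point in Jeff's proposed text that cache contents persist after a request completes, and that a proxy "implemented or configured without regard to security" exposes them, can be made concrete with a small model of the storability decision a shared cache must make. The following is an added example, not code from the original message, from the HTTP/1.1 draft, or from any real proxy; the requests, responses and origin server are constructed inline, and the rules it applies are the HTTP/1.1 Cache-Control directives (no-store, private, public, must-revalidate, s-maxage) together with the restriction on caching responses to requests that carried an Authorization header. The `careful=False` mode models the careless proxy the text warns about.

```python
"""Shared-cache storability rules: an added example, not part of the original
message. Requests, responses and the origin are constructed for illustration;
the decision rules follow the HTTP/1.1 Cache-Control directives and the
restriction on caching responses to requests carrying Authorization."""


def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def shared_cache_may_store(request, response):
    """Decide whether a *shared* (proxy) cache may keep this response.

    - no-store on the request or the response: never store
    - private: only a single-user cache may store it
    - request carried Authorization: store only if the response explicitly
      allows it with public, must-revalidate or s-maxage
    Returns (allowed, reason).
    """
    req_cc = parse_cache_control(request["headers"].get("Cache-Control", ""))
    resp_cc = parse_cache_control(response["headers"].get("Cache-Control", ""))
    if "no-store" in req_cc or "no-store" in resp_cc:
        return False, "no-store"
    if "private" in resp_cc:
        return False, "private"
    if "Authorization" in request["headers"] and not (
        resp_cc.keys() & {"public", "must-revalidate", "s-maxage"}
    ):
        return False, "authorization"
    return True, "storable"


class SharedCache:
    """Caching proxy keyed on the request URL. With careful=False it stores
    every response it sees, as a proxy written without regard to the
    directives would; the stored entries persist after each request ends."""

    def __init__(self, careful=True):
        self.careful = careful
        self.store = {}  # url -> response; outlives the request that filled it

    def fetch(self, request, origin):
        url = request["url"]
        if url in self.store:
            return dict(self.store[url], source="cache")
        response = origin(request)
        allowed, _reason = shared_cache_may_store(request, response)
        if allowed or not self.careful:
            self.store[url] = response
        return dict(response, source="origin")


def origin(request):
    """Constructed origin: a public front page and a per-user account page."""
    if request["url"] == "/account":
        user = request["headers"].get("Authorization", "nobody")
        return {"headers": {"Cache-Control": "private"},
                "body": f"balance for {user}"}
    return {"headers": {"Cache-Control": "public, max-age=60"},
            "body": "front page"}


def simulate(careful):
    """Alice fetches her account page through the proxy, then Bob asks for
    the same URL. Returns what Bob received and what the cache retained."""
    cache = SharedCache(careful=careful)
    alice = {"url": "/account", "headers": {"Authorization": "Basic alice"}}
    bob = {"url": "/account", "headers": {"Authorization": "Basic bob"}}
    cache.fetch(alice, origin)
    bob_gets = cache.fetch(bob, origin)
    cache.fetch({"url": "/", "headers": {}}, origin)
    front_again = cache.fetch({"url": "/", "headers": {}}, origin)
    return {
        "bob_sees": bob_gets["body"],
        "bob_source": bob_gets["source"],
        "front_source": front_again["source"],
        "cached_urls": sorted(cache.store),
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("careful" if mode else "careless", simulate(mode))
```

Running `simulate(False)` shows the failure mode the text describes: Bob is served Alice's account page straight from the cache, and `/account` remains in the store after both requests have finished. `simulate(True)` serves Bob his own page from the origin and retains only the public front page, which is then shared between users as intended. Real proxies key on more than the URL (method, Vary headers, scheme and host), but the storability rules above are the ones that decide whether a response is ever written to the persistent store at all.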