
Re: SEC-CACHING editorial issue...

From: Jeffrey Mogul <mogul@pa.dec.com>
Date: Thu, 12 Feb 98 11:29:58 PST
Message-Id: <9802121929.AA10035@acetes.pa.dec.com>
To: http-wg@cuckoo.hpl.hp.com
Jim writes:

    15.7 Proxy Caching
    
    By their very nature, HTTP proxies and proxy caches are men-in-the-middle, 
    and open up clients to men-in-the-middle attacks. Compromise of the systems 
    on which the proxies run can result in both serious security and privacy 
    problems. Operators of HTTP proxy caches should treat the systems on which 
    the proxies run as very sensitive systems, since both personal information 
    and security-related information are usually present in the proxies, and all 
    sorts of potential attacks on clients are possible from such systems. 
    
    Log information gathered at such proxies often contains highly sensitive 
    personal information, and should be carefully guarded and appropriate 
    guidelines for use developed and followed. (Section 15.1.1). 
    
    Users of proxy caches need to be aware that they are no more trustworthy 
    than the people who run the proxy caches; HTTP itself cannot solve this 
    problem.

I'd suggest re-writing this to make it clear that the problem is
related primarily to the use of proxies, and not just to the use of caching:

    15.7 Proxies and proxy caches

    By their very nature, HTTP proxies are men-in-the-middle, and may
    represent an opportunity for man-in-the-middle attacks. Compromise
    of the systems on which the proxies run can result in serious
    security and privacy problems.  Proxies have access to
    security-related information, personal information about individual
    users and organizations, and proprietary information belonging to
    users and content providers.  A compromised proxy, or a proxy
    implemented or configured without regard to security and privacy
    considerations, might be used in the commission of a wide range of
    potential attacks.

    Proxy operators should protect the systems on which proxies run as
    they would protect any system that contains or transports sensitive
    information.  In particular, log information gathered at proxies
    often contains highly sensitive personal information, and/or
    information about organizations.  Log information should be
    carefully guarded, and appropriate guidelines for use developed and
    followed. (Section 15.1.1).

    Caching proxies provide additional potential vulnerabilities, since
    the contents of the cache represent an attractive target for
    malicious exploitation.  Because cache contents persist after an
    HTTP request is complete, an attack on the cache may reveal
    information long after a user believes that the information has
    been removed from the network.  Therefore, cache contents should
    be protected as sensitive information.

    Proxy implementors should consider the privacy and security
    implications of their design and coding decisions, and of the
    configuration options they provide to proxy operators (especially
    the default configuration).

    Users of a proxy need to be aware that they are no more trustworthy
    than the people who run the proxy; HTTP itself cannot solve this
    problem.

I would suggest adding:

    The judicious use of cryptography, when appropriate, may suffice
    to protect against a broad range of security and privacy attacks.
    Such cryptography is beyond the scope of the HTTP/1.1 specification.

if people don't think this is going too far out on a political limb.

-Jeff
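The proposed text above says that proxy log information "should be carefully guarded" and that appropriate guidelines for its use should be developed. One concrete guideline a proxy operator can enforce is to scrub sensitive fields before a log leaves the proxy host. The following Python script is an added example, not code from the message or from any HTTP working group document; the log line format, the sample lines and the salt value are all constructed for illustration. It pseudonymizes the client address with a keyed hash, strips userinfo, query string and fragment from the requested URL, and replaces any recorded Authorization header value.

```python
import hashlib
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample proxy access-log lines (not from the original message).
# Assumed format: client_ip "request-line" status bytes "authorization-header"
SAMPLE_LOG = [
    '10.1.2.3 "GET http://user:secret@shop.example/cart?session=abc123&item=42 HTTP/1.1" 200 5120 "Basic dXNlcjpzZWNyZXQ="',
    '10.1.2.4 "GET http://news.example/today HTTP/1.1" 304 0 "-"',
    'this line does not match the expected format',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>\S+) (?P<url>\S+) (?P<ver>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<auth>[^"]*)"$'
)


def pseudonymize_ip(ip, salt):
    """Keyed hash of the client address.

    The same client stays correlatable within one log set (useful for abuse
    analysis) without the raw address being stored. The salt is an assumption:
    the operator picks it, keeps it off the log store, and rotates it.
    """
    return hashlib.sha256((salt + ip).encode()).hexdigest()[:16]


def scrub_url(url):
    """Keep scheme, host, port and path; drop userinfo, query and fragment.

    Query strings and userinfo routinely carry session tokens and passwords,
    which is exactly the kind of material a proxy log should not retain.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, "", ""))


def scrub_line(line, salt):
    """Return a scrubbed copy of one log line, or None if it cannot be parsed.

    Unparsable lines are dropped rather than written through unchanged, so a
    format change in the upstream logger cannot silently leak raw data.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    auth = m["auth"] if m["auth"] == "-" else "[redacted]"
    return '%s "%s %s %s" %s %s "%s"' % (
        pseudonymize_ip(m["ip"], salt),
        m["method"],
        scrub_url(m["url"]),
        m["ver"],
        m["status"],
        m["bytes"],
        auth,
    )


def scrub_log(lines, salt):
    """Scrub a sequence of log lines; return (scrubbed_lines, dropped_count)."""
    scrubbed, dropped = [], 0
    for line in lines:
        out = scrub_line(line, salt)
        if out is None:
            dropped += 1
        else:
            scrubbed.append(out)
    return scrubbed, dropped


if __name__ == "__main__":
    kept, dropped = scrub_log(SAMPLE_LOG, salt="constructed-salt")
    for entry in kept:
        print(entry)
    print(f"dropped {dropped} unparsable line(s)")
```

The design choice worth noting is that the scrubber fails closed: a line that does not match the expected format is counted and discarded, not passed through. A retention limit and access control on the scrubbed output still belong in the operator's guidelines; scrubbing reduces what a compromise of the log store reveals, it does not remove the need to protect the proxy host itself.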
Received on Thursday, 12 February 1998 11:32:17 EST
