W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2009

Re: httpbis-p6-cache-06 and no-store response directive

From: Jamie Lokier <jamie@shareable.org>
Date: Wed, 24 Jun 2009 21:31:32 +0100
To: Yngve Nysaeter Pettersen <yngve@opera.com>
Cc: Mark Nottingham <mnot@mnot.net>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <20090624203132.GW14121@shareable.org>
Yngve Nysaeter Pettersen wrote:
> As I said, using no-store with unencrypted content as an indication to  
> proxies that they must not re-use the response makes sense, because it  
> restricts distribution to other clients using the same proxy, but it does  
> not IMO make sense to apply the same restriction to a client cache (or if  
> you will, index) for either encrypted or unencrypted, as it will both  
> cause a, possibly significant, performance reduction when accessing the  
> website, and for unencrypted connections it does not confer any extra  
> protection since the information is already sent in the clear, and  
> client-side there are other mechanisms at work to prevent any information  
> leaks that may be of concern.

no-store does make an important security difference, even without
encryption.

The difference is, after you have finished accessing the site, with
no-store there is no record in the browser cache of the pages you have seen.

Someone inspecting the computer later will not be able to retrieve
those pages.  Yes in theory they could have been intercepted at the
time they were transmitted, due to lack of encryption, but being able
to find them later is just as much a security/privacy risk.

-- Jamie
Received on Wednesday, 24 June 2009 20:32:11 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:04 GMT