SEC-CACHING editorial issue...

Larry is worried we don't say enough explicitly in security considerations
on the threats that proxy caching represents...

I just drafted and added this text to Rev-02 in preparation (expect by
the end of next week).
				- Jim


15.7 Proxy Caching

By their very nature, HTTP proxies and proxy caches are men-in-the-middle, 
and open up clients to men-in-the-middle attacks. Compromise of the systems 
on which the proxies run can result in both serious security and privacy 
problems. Operators of HTTP proxy caches should treat the systems on which 
the proxies run as very sensitive systems, since both personal information 
and security-related information are usually present in the proxies, and all 
sorts of potential attacks on clients are possible from such systems. 

Log information gathered at such proxies often contains highly sensitive 
personal information, and should be carefully guarded and appropriate 
guidelines for use developed and followed. (Section 15.1.1). 

Users of proxy caches need to be aware that they are no more trustworthy 
than the people who run the proxy caches; HTTP itself cannot solve this 
problem.

--
Jim Gettys
Industry Standards and Consortia
Digital Equipment Corporation
Visiting Scientist, World Wide Web Consortium, M.I.T.
http://www.w3.org/People/Gettys/
jg@w3.org, jg@pa.dec.com

Received on Thursday, 12 February 1998 11:09:14 UTC