- From: Jamie Lokier <jamie@shareable.org>
- Date: Wed, 24 Jun 2009 21:31:32 +0100
- To: Yngve Nysaeter Pettersen <yngve@opera.com>
- Cc: Mark Nottingham <mnot@mnot.net>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Yngve Nysaeter Pettersen wrote:
> As I said, using no-store with unencrypted content as an indication to
> proxies that they must not re-use the response makes sense, because it
> restricts distribution to other clients using the same proxy, but it does
> not IMO make sense to apply the same restriction to a client cache (or if
> you will, index) for either encrypted or unencrypted, as it will both
> cause a, possibly significant, performance reduction when accessing the
> website, and for unencrypted connections it does not confer any extra
> protection since the information is already sent in the clear, and
> client-side there are other mechanisms at work to prevent any information
> leaks that may be of concern.

no-store does make an important security difference, even without encryption.

The difference is, after you have finished accessing the site, with no-store there is no record in the browser cache of the pages you have seen.

Someone inspecting the computer later will not be able to retrieve those pages.

Yes, in theory they could have been intercepted at the time they were transmitted, due to lack of encryption, but being able to find them later is just as much a security/privacy risk.

-- Jamie
Received on Wednesday, 24 June 2009 20:32:11 UTC
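The distinction the two posts argue over, as an added example that is not part of the thread: a toy model of the RFC 7234 storability rules, showing that `private` keeps a response only out of shared (proxy) caches while `no-store` keeps it out of the browser cache as well, so nothing is left on disk for later inspection. The URLs and header values are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class StoreDecision:
    shared_cache_may_store: bool   # proxy serving many clients
    private_cache_may_store: bool  # the user's own browser cache


def parse_cache_control(header: str) -> dict[str, str | None]:
    """Split 'no-store, max-age=0' into {'no-store': None, 'max-age': '0'}."""
    directives: dict[str, str | None] = {}
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


def storability(cache_control: str) -> StoreDecision:
    """Apply the storage rules of RFC 7234 section 3 to one response."""
    d = parse_cache_control(cache_control)
    if "no-store" in d:
        # Neither the proxy nor the browser may write the response to storage.
        return StoreDecision(False, False)
    # 'private' only excludes shared caches; the browser may still keep a copy.
    return StoreDecision(shared_cache_may_store="private" not in d,
                         private_cache_may_store=True)


def leftover_records(responses: list[tuple[str, str]]) -> list[str]:
    """URLs whose responses a browser cache could still hold after the session.
    responses: (url, Cache-Control header) pairs from a constructed session."""
    return [url for url, cc in responses
            if storability(cc).private_cache_may_store]


if __name__ == "__main__":
    # Constructed sample session over plain HTTP.
    session = [
        ("http://example.test/account", "private, no-store"),
        ("http://example.test/statement.pdf", "private, max-age=60"),
        ("http://example.test/logo.png", "public, max-age=86400"),
    ]
    print(leftover_records(session))  # only the last two remain cached
```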