[2775] in WWW Security List Archive


Re: A problem with Navigator's cache

daemon@ATHENA.MIT.EDU (David P. Kemp)
Fri Aug 23 10:51:10 1996

Date: Fri, 23 Aug 1996 09:16:50 -0400
From: dpkemp@missi.ncsc.mil (David P. Kemp)
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

> From: Ian Dunkin <imd1707@ggr.co.uk>
> 
> Some of our users share PCs.  Some servers on our internal Web hold
> documents whose access requires authentication. 
> 
> When a PC Navigator user attempts to access such a page, and
> authenticates successfully, the document is retrieved and displayed, and
> cached to their local disk.  This user now switches the PC off, and
> leaves.  Another user switches the PC back on, and fires up Navigator. 
> She attempts to access the same document.  Navigator pulls it back for
> her from the cache, without authentication. 

If the file requires authentication to retrieve from the server in the
first place, then it should require authentication to retrieve from any
other location it happens to be stored, such as on the shared PC's cache.

Since there is no way for the server to control what happens to the
document after it is delivered, you are forced to trust the clients to
"do the right thing", i.e. make it difficult for benign users to
inadvertently leave protected documents lying around in the clear.
Malicious authorized users can do whatever they want - forget about
trying to protect against them.

You could have the enterprise system administrator configure all local
copies of Navigator to disable caching of documents retrieved via SSL,
but that relies on the ability to protect the user's SSL private keys
from other users of the same PC, and on preventing bootleg copies of Navigator
or any other browser from using those keys.  The best way to do that
is to store users' keys on their personal tokens (PC Cards or Smartcards)
instead of on the hard disk.


> Would SSL help?  Does Navigator just secure document _transfer_, or, can
> it also be persuaded to encrypt documents in the cache? 

SSL with client authentication is *required*, otherwise there is no point
in bothering to secure the cache or turning on basic auth in the first place.
(To answer the second question: I don't know.  Ask Netscape.)


>    Grateful for any thoughts!

Here's one: Everyone with any interest in security *must read* Ross
Anderson's "Why Cryptosystems Fail".  You can't buy security with one
piece of technology. You have to design the entire system to be resistant
to all likely failures rather than putting a lot of effort into making
one component extraordinarily strong and ignoring the rest.
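A server-side check for the cache problem described in the thread, added here as an example and not part of David Kemp's reply or the 1996 discussion: it audits the directives on responses to a protected document and rewrites them so a browser's disk cache on a shared PC cannot replay the body to the next user. It assumes responses are modelled as plain header dicts (constructed samples included) and relies on the HTTP/1.1 `Cache-Control: no-store` directive, which postdates the browsers discussed above.

```python
"""Audit and harden cache directives on responses to authenticated requests.
Added example, not code from the original thread; a response is modelled as a
plain dict of header names to values."""
from typing import Dict, List

CACHE_HEADERS = ("cache-control", "pragma", "expires")

def get_header(headers: Dict[str, str], name: str) -> str:
    """Header names are case-insensitive; return '' if absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""

def parse_cache_control(value: str) -> Dict[str, str]:
    """Map each Cache-Control directive (lowercased) to its argument ('' if none)."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        if part.strip():
            name, _, arg = part.strip().partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives

def browser_may_store(headers: Dict[str, str]) -> bool:
    """True if the browser's own disk cache may keep the body.
    'private' only keeps shared proxies out and 'no-cache' still allows a
    stored copy that is revalidated; only 'no-store' forbids writing it."""
    return "no-store" not in parse_cache_control(get_header(headers, "Cache-Control"))

def harden(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy whose directives stop any cache from storing the body."""
    # Drop every case-variant of the caching headers before setting ours.
    hardened = {k: v for k, v in headers.items() if k.lower() not in CACHE_HEADERS}
    hardened["Cache-Control"] = "no-store, private"
    hardened["Pragma"] = "no-cache"  # HTTP/1.0 hint; weaker than no-store on its own
    hardened["Expires"] = "0"
    return hardened

def audit(responses: List[Dict[str, str]]) -> List[int]:
    """Indices of protected-document responses a shared PC's browser could replay."""
    return [i for i, h in enumerate(responses) if browser_may_store(h)]

# Constructed sample responses to a protected document (not captured traffic).
SAMPLE_RESPONSES = [
    {"Content-Type": "text/html"},              # no directives at all
    {"Cache-Control": "private, max-age=600"},  # still written to the local cache
    {"cache-control": "no-cache"},              # stored, only revalidated
    {"Cache-Control": "no-store, private"},     # not stored
]
```

Running `audit(SAMPLE_RESPONSES)` flags the first three responses; after `harden()` none are flagged. Client-side protection of the cache and of the user's keys, as the reply says, still has to be handled separately.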
