[2984] in WWW Security List Archive


browser Cache-Control

daemon@ATHENA.MIT.EDU (David Kennan)
Wed Sep 18 22:36:01 1996

Date: Wed, 18 Sep 1996 19:45:38 -0400
From: dkennan@lds.com (David Kennan)
Reply-To: dkennan@lds.com
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

I am compiling a list of browsers that support

1. HTML Tables
2. SSL
3. 128-bit session encryption
4. server-side prevention of browser caching

Ideally I would like to produce a table with the following fields for
each browser record:

BrowserName      - the browser's name on the street
Table support    - yes or no
SSLversion       - none, 2.0, 3.0
encryption       - 40b, 128b message encryption under SSL
cache-control    - none, or any of the mechanisms listed below
HTTP_USER_AGENT  - the value of the HTTP header

The point of this table would be for a server to determine the security
capabilities of a browser based on its HTTP_USER_AGENT.  I know that
that approach is faulty - since, e.g. some browsers allow users to
configure the USER_AGENT.  Nevertheless, I'm compiling the table.

I haven't found an existing resource with all of this info, although I'm
aware of some sites one might think of that compile some browser
capabilities:

http://www.browserwatch.com - just has browser names and platforms.
http://www.openmarket.com/browsertest/prob/bt-maker.cgi - does not go
into detail of SSL version, 128-bit encryption, or cache-control.
http://www.pragmaticainc.com/bc/ - "Browser Caps" focuses on HTML
support, as opposed to security issues.
http://www.research.digital.com/nsl/formtest/home.html - focuses on HTML
forms.

Mechanisms available on the server-side to prevent a browser from
caching include:

· HTTP 1.0 header: Pragma: no-cache
· HTML:            <META HTTP-EQUIV="Pragma" CONTENT="no-cache">
· HTTP 1.0 header: Expires: Thu, 01 Dec 1994 16:00:00 GMT 
                   Date: <current>
· HTTP 1.1 header: Cache-Control: no-cache
· HTTP 1.1 header: Cache-Control: no-store

I am not considering the "unique-urls" method because it does not
prevent caching - it merely prevents a user from getting a cached page
via the normal means.  Are there other methods to be added to this
list?

My testing has shown that Netscape versions higher than 1.0 can fulfill
the Tables, SSL, and cache-control criteria. If you download the
U.S-only version then the "About Netscape" page will indicate "U.S.
Security".  It is also reflected in the HTTP_USER_AGENT, which contains
the modifier "U", which indicates United States security. For instance,
my browser’s AGENT value is "Mozilla/3.0 (WinNT; U)".  Most users will
have a version suitable for international export, whose HTTP_USER_AGENT
will contain the modifier "I", as in "international." 

AOL 3.0 and internetMCI are based on Netscape versions after 1.0, but I
don't know if they contain 128bit encryption.

MSIE has SSL but fails to respond to cache-control directives.  Is there
an alternative server-side way to prevent MSIE from caching ?  Perhaps
it is possible using JScript or VBscript ??  Hopefully someone from
Microsoft will answer me directly - since I've tried getting info from
their Website and I've also submitted bug reports (the Date+Expires
mechanism of cache-control is mandatory in HTTP 1.0).

Oracle's PowerBrowser "full strength version" seems to conform to all of
my criteria.

Wollongong's Emissary and Omni Development's OmniWeb fail the
cache-control criteria.

Anybody know specifically about the following browsers: IBM WebExplorer,
GNN, FTP, Prodigy ?

I've tried, unsuccessfully, to enlist the help of OpenMarket.  Would
another secure-server vendor be more helpful?

Any leads to other secure browsers with cache-control, or
browser-capability compendiums would be greatly appreciated.

 - David Kennan
   Logical Design Solutions
   Morristown NJ
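
The server-side mechanisms listed in the message can be audited on a response before testing how a given browser honors them. The following is an added example, not part of the original post; the function names, result labels and sample response are constructed for illustration.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Matches <META HTTP-EQUIV="Pragma" CONTENT="no-cache"> with attributes in either order.
META_PRAGMA = re.compile(
    r'<meta\b(?=[^>]*\bhttp-equiv\s*=\s*["\']?pragma\b)'
    r'(?=[^>]*\bcontent\s*=\s*["\']?no-cache\b)[^>]*>', re.IGNORECASE)

def _http_date(value):  # returns None if the date is missing or malformed
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def _tokens(headers, name):
    """Lower-cased directive names from every occurrence of header `name`."""
    return {t.strip().lower().split("=")[0]
            for v in headers.get_all(name, []) for t in v.split(",")}

def anti_cache_mechanisms(raw_response):
    """Return the set of listed anti-caching mechanisms present in a response."""
    head, _, body = raw_response.replace("\r\n", "\n").partition("\n\n")
    headers = message_from_string(head.partition("\n")[2])  # drop status line
    found = set()
    if "no-cache" in _tokens(headers, "Pragma"):
        found.add("Pragma: no-cache")
    for directive in ("no-cache", "no-store"):
        if directive in _tokens(headers, "Cache-Control"):
            found.add("Cache-Control: " + directive)
    if "Expires" in headers:
        expires, date = _http_date(headers["Expires"]), _http_date(headers.get("Date", ""))
        # RFC 1945 asks clients to treat an invalid Expires as "expires immediately".
        if expires is None or (date is not None and expires <= date):
            found.add("Expires (already expired)")
    if META_PRAGMA.search(body):
        found.add("META Pragma")
    return found

# Constructed sample response (not captured traffic) using every mechanism at once.
SAMPLE = (
    "HTTP/1.0 200 OK\r\n"
    "Date: Wed, 18 Sep 1996 23:45:38 GMT\r\n"
    "Expires: Thu, 01 Dec 1994 16:00:00 GMT\r\n"
    "Pragma: no-cache\r\n"
    "Cache-Control: no-cache, no-store\r\n\r\n"
    '<HTML><HEAD><META HTTP-EQUIV="Pragma" CONTENT="no-cache"></HEAD></HTML>')
```

Calling `anti_cache_mechanisms(SAMPLE)` returns all five labels; a response that sets only a future `Expires` returns an empty set.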
