21 Financial Sites Found To Store Sensitive Data In Browser Disk Cache
An anonymous reader writes "The LA Times mentions that after visiting well known sites such as ADP, Verizon Wireless, Scottrade, Geico, Equifax, PayPal and Allstate, sensitive data remains in the browser disk cache despite those sites using SSL. This included full credit reports, prescription history, payroll statements, partial SSNs, credit card statements, and canceled checks. Web servers are supposed to send a Cache-Control: no-store header to prevent this, but many of the sites are sending non-standard headers recognized only by Internet Explorer, and others are sending no cache headers at all. While browsers were once cautious about writing content received over SSL to the disk cache, today, most do so by default unless the server specifies otherwise."
And that my friends (Score:3, Interesting)
This is actually a very bad idea, if true (Score:3, Interesting)
Re:Scaremongering (Score:2, Interesting)
Well, considering the general quality of networks, improperly secured routers, and secondary infection points via home networks and the 'open disk' access that things like Windows love to set up when you use that lovely auto-config tool, the chances of leaving a wide-open door and letting them win are pretty good.
Re:"Despite Using SSL" (Score:5, Interesting)
That has never been the standard. And it would have violated several standards if you arbitrarily decided to not cache any SSL-delivered data. SSL was for protection of data in transit, not before or after the transmission is complete. The protection was not intended to outlive the actual connection.
You are confusing the recommendations for caching proxies with the recommendation for the intended endpoint.
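Both the story summary (the Cache-Control: no-store point) and the reply above (SSL protects the bytes in transit, and the rules for shared caching proxies are not the rules for the endpoint browser) come down to one question: given a response's headers, will a browser that caches HTTPS by default write it to disk? The checker below is an added example, not code from the story, the LA Times article, or any of the sites named. It assumes RFC 7234 semantics for the browser cache (only no-store forbids storage; no-cache and max-age=0 merely force revalidation of a stored copy; private excludes shared caches only; Pragma is a request directive that a browser honouring it in a response treats at best like no-cache). The story does not say which IE-only header the sites sent, so the sample uses Pragma: no-cache as a stand-in; all header sets are constructed, not captured from any site.

```javascript
// Added example (not from the story or the sites it names): decide from response
// headers alone whether a browser that caches HTTPS by default stores the response
// on disk. Sample header sets below are constructed for illustration.

// Parse a Cache-Control field value into a Map of directive name -> value
// (null for valueless directives). Names are case-insensitive; values may be
// quoted, and a quoted value may itself contain commas.
function parseCacheControl(value) {
  const directives = new Map();
  if (!value) return directives;
  // Split on commas, but not on commas inside a quoted-string.
  const parts = value.match(/(?:[^,"]|"(?:[^"\\]|\\.)*")+/g) || [];
  for (const raw of parts) {
    const part = raw.trim();
    if (!part) continue;
    const eq = part.indexOf("=");
    if (eq === -1) {
      directives.set(part.toLowerCase(), null);
      continue;
    }
    const name = part.slice(0, eq).trim().toLowerCase();
    let val = part.slice(eq + 1).trim();
    if (val.length >= 2 && val.startsWith('"') && val.endsWith('"')) {
      val = val.slice(1, -1);
    }
    directives.set(name, val);
  }
  return directives;
}

// Normalise a header object: names lower-cased, repeated fields (given as arrays)
// joined with ", ", which is how repeated list-valued fields are combined.
function normaliseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    const joined = Array.isArray(value) ? value.join(", ") : String(value);
    out[key] = key in out ? `${out[key]}, ${joined}` : joined;
  }
  return out;
}

// Returns { stored, reason }. Assumption: the browser follows RFC 7234 for its
// own (private) cache, so only no-store prevents a disk write.
function diskCacheVerdict(headers) {
  const h = normaliseHeaders(headers);
  const cc = parseCacheControl(h["cache-control"]);

  if (cc.has("no-store")) {
    return { stored: false, reason: "Cache-Control: no-store (the standard directive; honoured by all major browsers)" };
  }
  if (cc.has("no-cache")) {
    return { stored: true, reason: "Cache-Control: no-cache only forces revalidation; the bytes are still written to disk" };
  }
  if (cc.has("private")) {
    return { stored: true, reason: "Cache-Control: private only keeps shared caches (proxies) out; the browser cache is private" };
  }
  if ((h["pragma"] || "").toLowerCase().includes("no-cache")) {
    return { stored: true, reason: "Pragma: no-cache is a request directive; as a response header it is non-standard and at best means no-cache" };
  }
  if (cc.has("max-age") || h["expires"]) {
    return { stored: true, reason: "freshness lifetime set: the response is stored and reused until stale" };
  }
  return { stored: true, reason: "no cache headers at all: heuristic caching permitted, response stored" };
}

// What a site serving statements, reports or cheque images should send.
// no-store is the part that matters; Pragma and Expires are only for very old clients.
function hardenedHeaders() {
  return { "Cache-Control": "no-store", "Pragma": "no-cache", "Expires": "0" };
}

// Constructed sample responses (not real captures) covering the cases in the story.
const SAMPLE_RESPONSES = {
  noHeadersAtAll: { "Content-Type": "application/pdf" },
  ieOnlyStyle: { "Pragma": "no-cache", "Content-Type": "text/html" },
  privateOnly: { "Cache-Control": "private, max-age=0" },
  noCacheOnly: { "Cache-Control": "no-cache" },
  twoCacheControlLines: { "Cache-Control": ["private", "no-store"] },
  hardened: hardenedHeaders(),
};

// One verdict line per sample, e.g. "STORED     privateOnly: ...".
function auditAll(samples = SAMPLE_RESPONSES) {
  return Object.entries(samples).map(([name, headers]) => {
    const v = diskCacheVerdict(headers);
    return `${v.stored ? "STORED    " : "NOT STORED"} ${name}: ${v.reason}`;
  });
}

console.log(auditAll().join("\n"));
```

Run it with node; only the `hardened` and `twoCacheControlLines` samples come out as NOT STORED. The point of the `privateOnly` and `noCacheOnly` cases is the one the reply makes: directives written with caching proxies in mind say nothing about the endpoint's own disk cache, and a site that wants a payroll statement gone when the connection closes has to say `no-store`.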
Interesting second link (Score:5, Interesting)
With a well-written and refreshingly non-partisan review of why and how this happened, showing that, as with many cluster-fsuks, it's the result of a chain of decisions where each seemed sensible at the time.
Everybody dropped the ball here:
- website owners & authors too incompetent or lazy to keep abreast of standards and changing conditions,
- Microsoft for being, well, Microsoft (not really respecting standards),
- Google (Chrome) & Mozilla for changing the default behaviour of their browsers to store https traffic instead of not, (although this, ironically, is the standard unless the site properly says "do not store"; see point 1.)
Raises the interesting question: who on earth thought, in this era of increasing bandwidth, that it would be a good idea to store https data locally?
Confirms what I've suspected ... (Score:4, Interesting)
This pretty much confirms what we've all known for a long time -- the security of these things is largely written by people who are unqualified to write secure applications, and people who write IE-specific stuff write shit code.
Your financial information is being handled by people who are either lazy or incompetent, and the company is more interested in the spinning, flaming logo than anything like security.
The fail is your monkeyboy. (Score:2, Interesting)