21 Financial Sites Found To Store Sensitive Data In Browser Disk Cache
An anonymous reader writes "The LA Times mentions that after visiting well known sites such as ADP, Verizon Wireless, Scottrade, Geico, Equifax, PayPal and Allstate, sensitive data remains in the browser disk cache despite those sites using SSL. This included full credit reports, prescription history, payroll statements, partial SSNs, credit card statements, and canceled checks. Web servers are supposed to send a Cache-Control: no-store header to prevent this, but many of the sites are sending non-standard headers recognized only by Internet Explorer, and others are sending no cache headers at all. While browsers were once cautious about writing content received over SSL to the disk cache, today, most do so by default unless the server specifies otherwise."
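As an added example (not code from the story or the LA Times report), here is a small Python checker that classifies a response's caching headers the way a defender auditing such sites would: only the standard `Cache-Control: no-store` counts as keeping the body out of the browser's disk cache, while `no-cache`, `private`, `max-age` and a response-side `Pragma` are reported as insufficient. The sample header sets are constructed and do not come from any of the named sites.

```python
"""Classify HTTP response headers by whether they forbid disk caching.

Added example; not from the Slashdot story or the LA Times article.
Per RFC 7234, `Cache-Control: no-store` is the directive that tells every
cache (the browser's persistent cache included) not to store the response.
"""
from typing import Dict, List, Tuple

# Constructed sample responses for this example, not captured from real sites.
SAMPLES: Dict[str, Dict[str, str]] = {
    "correct":       {"Cache-Control": "no-store, no-cache, must-revalidate", "Pragma": "no-cache"},
    "no-cache-only": {"Cache-Control": "no-cache", "Pragma": "no-cache"},
    "private-only":  {"Cache-Control": "private, max-age=600"},
    "no-headers":    {"Content-Type": "text/html"},
}


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split a Cache-Control value into lower-cased directives (token or token=value)."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def cache_verdict(headers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return ('ok' | 'weak' | 'missing', reasons) for one response's headers."""
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    if "no-store" in cc:
        return "ok", ["Cache-Control: no-store forbids writing the response to any cache"]
    if not cc and "pragma" not in lower:
        return "missing", ["no cache directives at all; browsers may write the body to disk"]
    reasons: List[str] = []
    if "no-cache" in cc:
        reasons.append("no-cache only forces revalidation; a stored copy may still sit on disk")
    if "private" in cc:
        reasons.append("private only excludes shared caches; the browser's disk cache is private")
    if "max-age" in cc:
        reasons.append(f"max-age={cc['max-age']} explicitly permits storing the response")
    if not cc and lower.get("pragma", "").lower() == "no-cache":
        reasons.append("Pragma is a request directive; in a response it is non-standard")
    return "weak", reasons or ["Cache-Control present but without no-store"]


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        verdict, why = cache_verdict(hdrs)
        print(f"{name:14s} {verdict:8s} {'; '.join(why)}")
```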
"Despite Using SSL" (Score:3, Insightful)
What does SSL have to do with what happens to the data once it's local?
I understand that most people are clueless, but this is Slashdot still, right? I haven't stumbled upon some other site on which to dig up TFA (not that I've read it).
Scaremongering (Score:2, Insightful)
Reading fail (Score:3, Insightful)
but many of the sites are sending non-standard headers recognized only by Internet Explorer
Still, you got paid, what do you care?
Re:This is actually a very bad idea, if true (Score:4, Insightful)
Re:This is actually a very bad idea, if true (Score:5, Insightful)
Note that the claim is that Safari doesn't cache to DISK, not that Safari doesn't cache. I.e., Safari doesn't store information that was deemed sensitive enough to require a secure channel on a long-term (probably unencrypted) storage medium.