Security of HTTP based authentication
Alexander Clouter
alex at digriz.org.uk
Fri Jan 14 08:47:30 GMT 2011
Tom Hukins <tom at eborcom.com> wrote:
Hi,
> On Thu, Jan 13, 2011 at 07:29:33PM +0000, Alexander Clouter wrote:
>
> [Lots of good advice snipped]
>
>> I personally would just HTTPS *everything*, the solution is in making
>> your website cache friendly.
>
> I don't understand this, given that nothing should cache HTTPS
> responses. Using HTTPS and cache friendliness seem like two
> contradictory goals to me.
>
Never said you should cache *everything*, just be cache friendly :)
IIRC, browsers will by default cache HTTP data that does not come with
any cache hints in the headers but for the HTTPS cache they generally do
not ('Cache-control: public' seems to be the thing to force caching to
local disk).
Indeed, you should not cache anything that could contain confidential
and/or user data (anything session specific), however images (such as
logos and products), JavaScript and CSS are the kind of stuff that could
be safely cached.
In the example of an online shopping site (dealextreme-esque or fleabay),
how much of that could be aggressively cached? Pulling two numbers out
of thin air, I would probably say somewhere in the 90%+ region?
There is the question of 'snooping' and raiding the local browser cache
for incriminating evidence. If I am on dealextreme/fleabay, the
girlfriend would kill me if she found out I had ordered yet more 'junk',
but then that's what the porn^Wprivacy browsing mode on browsers is all
about isn't it ;)
>> http://www.ircache.net/cgi-bin/cacheability.py
>
> For a more modern, improved service by the same author, see
> http://redbot.org/
>
Schweet! Thanks for the tip.
Cheers
--
Alexander Clouter
.sigmonster says: May your camel be as swift as the wind.
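The split Alexander describes, with static assets marked cacheable even over HTTPS and anything session-specific kept out of the browser cache, as an added example that is not part of this thread: a small WSGI middleware in Python. The path rules, the max-age value and the demo app are my assumptions.

```python
# Added example (not from the thread): a WSGI middleware applying the policy
# above. Assumed rules: paths under /static/ or with an asset extension are
# public and cacheable; a response that sets a cookie, or a dynamic page
# requested with a session cookie, is never stored in the browser cache.
import re
from typing import Callable, List, Tuple

Headers = List[Tuple[str, str]]
STATIC_RE = re.compile(r"^/static/|\.(css|js|png|jpe?g|gif|svg|ico)$", re.I)


def cache_policy(path: str, resp_headers: Headers, has_cookie: bool) -> str:
    """'public' lets browsers keep HTTPS assets on disk; 'no-store' keeps
    anything session-specific out of the local cache entirely."""
    sets_cookie = any(k.lower() == "set-cookie" for k, _ in resp_headers)
    is_static = bool(STATIC_RE.search(path))
    if sets_cookie or (has_cookie and not is_static):
        return "no-store"
    if is_static:
        return "public, max-age=86400"
    return "private, no-cache"  # anonymous dynamic page: revalidate each time


def cache_middleware(app: Callable) -> Callable:
    """Wrap a WSGI app and override Cache-Control on every response."""
    def wrapped(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        has_cookie = "HTTP_COOKIE" in environ

        def _start(status, headers: Headers, exc_info=None):
            kept = [(k, v) for k, v in headers if k.lower() != "cache-control"]
            kept.append(("Cache-Control", cache_policy(path, kept, has_cookie)))
            return start_response(status, kept, exc_info)
        return app(environ, _start)
    return wrapped


def demo_app(environ, start_response):
    """Constructed sample app: /login issues a session cookie, all else is plain."""
    headers = [("Content-Type", "text/html")]
    if environ["PATH_INFO"] == "/login":
        headers.append(("Set-Cookie", "sid=abc123; Secure; HttpOnly"))
    start_response("200 OK", headers)
    return [b"ok"]


def run(path: str, cookie: str = "") -> dict:
    """Drive the wrapped demo app once and return its response headers."""
    env = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if cookie:
        env["HTTP_COOKIE"] = cookie
    seen = {}
    list(cache_middleware(demo_app)(env, lambda s, h, e=None: seen.update(h)))
    return seen
```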