Security of HTTP based authentication

Alexander Clouter alex at
Fri Jan 14 08:47:30 GMT 2011

Tom Hukins <tom at> wrote:

> On Thu, Jan 13, 2011 at 07:29:33PM +0000, Alexander Clouter wrote:
> [Lots of good advice snipped]
>> I personally would just HTTPS *everything*, the solution is in making 
>> your website cache friendly.
> I don't understand this, given that nothing should cache HTTPS
> responses.  Using HTTPS and cache friendliness seem like two
> contradictory goals to me.
Never said you should cache *everything*, just be cache friendly :) 
IIRC, browsers will by default cache HTTP data that does not come with 
any cache hints in the headers but for the HTTPS cache they generally do 
not ('Cache-control: public' seems to be the thing to force caching to 
local disk).

Indeed, you should not cache anything that could contain confidential 
and/or user data (anything session specific), however images (such as 
logos and products), Javascript and CSS are the kind of stuff that could 
be safely cached.

In the example of an online shopping site (dealextreme-esque or fleabay), 
how much of that could be aggressively cached?  Pulling two numbers out 
of thin air, I would probably say somewhere in the 90%+ region?

There is the question of 'snooping' and raiding the local browser cache 
for incriminating evidence.  If I am on dealextreme/fleabay, the 
girlfriend would kill me if she found out I had ordered yet more 'junk', 
but then that's what the porn^Wprivacy browsing mode on browsers is all 
about isn't it ;)

> For a more modern, improved service by the same author, see
Schweet!  Thanks for the tip.


Alexander Clouter
.sigmonster says: May your camel be as swift as the wind.
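
One way to apply the split described in the message above (cache the static assets, never the session-specific responses), as an added example that is not part of the original post or any code by its author: a small Python WSGI middleware that sets 'Cache-Control: public' on image/script/stylesheet responses and 'private, no-store' on anything served to a request carrying a session cookie, stripping whatever Cache-Control the application itself set so a session page cannot accidentally go out as cacheable. The extension list, the cookie name 'session', the max-age value and the stub application are assumptions for illustration.

```python
"""Cache-Control policy split for an HTTPS site: static assets vs. session pages.

Added example, not from the original post. Extensions, cookie name and
max-age are assumed values; adjust them to the site being served.
"""
import os
from http.cookies import CookieError, SimpleCookie
from urllib.parse import urlsplit

# Assumed: files with these extensions never carry per-user data (logos,
# product images, scripts, stylesheets), so they are safe in any cache.
STATIC_EXTENSIONS = {".css", ".js", ".png", ".jpg", ".jpeg", ".gif", ".svg",
                     ".ico", ".woff", ".woff2"}
SESSION_COOKIE = "session"                 # assumed name of the login cookie
STATIC_POLICY = "public, max-age=86400"    # cacheable, including to disk over HTTPS
SESSION_POLICY = "private, no-store"       # never written to any cache
DEFAULT_POLICY = "no-cache"                # anonymous dynamic page: revalidate each use


def is_static_asset(path):
    """True if the request path (query string ignored) ends in a static extension."""
    ext = os.path.splitext(urlsplit(path).path)[1].lower()
    return ext in STATIC_EXTENSIONS


def has_session_cookie(cookie_header):
    """True if the Cookie header names the session cookie.

    A Cookie header the parser rejects is treated as 'has a session' so a
    malformed header can only make a response less cacheable, not more.
    """
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return True
    return SESSION_COOKIE in jar


def cache_control_for(path, has_session):
    """Pick the Cache-Control value for one response.

    Static assets are checked first: the logo is the same logo whether or
    not the visitor is logged in, so the session cookie does not matter.
    """
    if is_static_asset(path):
        return STATIC_POLICY
    if has_session:
        return SESSION_POLICY
    return DEFAULT_POLICY


def cache_policy_middleware(app):
    """WSGI wrapper that overrides Cache-Control according to the policy above."""
    def wrapped(environ, start_response):
        policy = cache_control_for(environ.get("PATH_INFO", ""),
                                   has_session_cookie(environ.get("HTTP_COOKIE", "")))

        def start_with_policy(status, headers, exc_info=None):
            # Drop any Cache-Control the application set; the policy wins.
            kept = [(k, v) for k, v in headers if k.lower() != "cache-control"]
            kept.append(("Cache-Control", policy))
            if policy != STATIC_POLICY:
                # Dynamic responses differ per cookie; tell shared caches so.
                kept.append(("Vary", "Cookie"))
            return start_response(status, kept, exc_info)

        return app(environ, start_with_policy)
    return wrapped


def headers_after_middleware(path, cookie="", upstream_headers=()):
    """Drive the middleware once with a stub application; return final headers."""
    captured = {}

    def stub_app(environ, start_response):        # stands in for the real site
        start_response("200 OK", list(upstream_headers))
        return [b"ok"]

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers

    environ = {"PATH_INFO": path, "HTTP_COOKIE": cookie}
    list(cache_policy_middleware(stub_app)(environ, start_response))
    return captured["headers"]


if __name__ == "__main__":
    for path, cookie in [("/img/logo.png", "session=abc"),
                         ("/basket", "session=abc"),
                         ("/product/123", "")]:
        print(path, dict(headers_after_middleware(path, cookie)))
```

The static check runs before the session check on purpose: a logo fetched by a logged-in user is still just the logo. That only holds while STATIC_EXTENSIONS contains nothing that is ever generated per user, so anything like a user avatar or a downloadable invoice must be served from a path the middleware does not classify as static.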
