Security of HTTP based authentication

Alexander Clouter alex at digriz.org.uk
Fri Jan 14 08:47:30 GMT 2011


Tom Hukins <tom at eborcom.com> wrote:
Hi,

> On Thu, Jan 13, 2011 at 07:29:33PM +0000, Alexander Clouter wrote:
> 
> [Lots of good advice snipped]
> 
>> I personally would just HTTPS *everything*, the solution is in making 
>> your website cache friendly.
> 
> I don't understand this, given that nothing should cache HTTPS
> responses.  Using HTTPS and cache friendliness seem like two
> contradictory goals to me.
> 
Never said you should cache *everything*, just be cache friendly :) 
IIRC, browsers will by default cache HTTP data that does not come with 
any cache hints in the headers but for the HTTPS cache they generally do 
not ('Cache-control: public' seems to be the thing to force caching to 
local disk).

Indeed, you should not cache anything that could contain confidential 
and/or user data (anything session specific), however images (such as 
logos and products), Javascript and CSS are the kind of stuff that could 
be safely cached.

In the example of an online shopping site (dealextreme-esque or fleabay), 
how much of that could be aggressively cached?  Pulling two numbers out 
of thin air, I would probably say somewhere in the 90%+ region?

There is the question of 'snooping' and raiding the local browser cache 
for incriminating evidence.  If I am on dealextreme/fleabay, the 
girlfriend would kill me if she found out I had ordered yet more 'junk', 
but then that's what the porn^Wprivacy browsing mode on browsers is all 
about isn't it ;)

>> http://www.ircache.net/cgi-bin/cacheability.py
> 
> For a more modern, improved service by the same author, see
> http://redbot.org/
> 
Schweet!  Thanks for the tip.

Cheers

-- 
Alexander Clouter
.sigmonster says: May your camel be as swift as the wind.
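The cache-friendly HTTPS split described in the post above, as an added example that is not part of the original thread: a small Python policy function that marks static, user-independent assets 'public' so browsers keep them on disk even over HTTPS, and refuses to cache anything session-bound. The route prefixes, content types and the Response class are hypothetical and constructed for the example.

```python
"""Choose a Cache-Control policy for responses served over HTTPS.

Added example, not code from the original post. Static assets (logos,
product images, JS, CSS) are marked 'public' so the browser caches them
despite HTTPS; anything tied to a session is never stored.
"""
from dataclasses import dataclass, field

# Hypothetical split of a shop's routes into cacheable and per-user parts.
STATIC_PREFIXES = ("/static/", "/images/", "/css/", "/js/")
STATIC_TYPES = {"image/png", "image/jpeg", "text/css", "application/javascript"}
ONE_DAY = 86400


@dataclass
class Response:
    path: str
    content_type: str
    headers: dict = field(default_factory=dict)
    sets_cookie: bool = False       # Set-Cookie present => per-user content
    requires_session: bool = False  # rendered for a logged-in user


def cache_policy(resp: Response) -> str:
    """Return the Cache-Control value to send for this response."""
    # Anything session-specific (basket, account page, login response that
    # issues a cookie) must not land on disk in the browser or in any proxy.
    if resp.sets_cookie or resp.requires_session:
        return "no-store"
    # Static, user-independent assets: explicitly 'public' so the browser
    # caches them over HTTPS, with a bounded lifetime so updates propagate.
    if resp.path.startswith(STATIC_PREFIXES) and resp.content_type in STATIC_TYPES:
        return f"public, max-age={ONE_DAY}"
    # Everything else (public HTML such as product pages): browser-private
    # copy only, revalidated on each use, never held by a shared cache.
    return "private, no-cache"


def apply_cache_policy(resp: Response) -> Response:
    resp.headers["Cache-Control"] = cache_policy(resp)
    return resp


def cacheable_on_disk(resp: Response) -> bool:
    """Would a browser keep this HTTPS response in its persistent cache?"""
    return resp.headers.get("Cache-Control", "").startswith("public")


if __name__ == "__main__":
    samples = [  # constructed sample responses
        Response("/images/logo.png", "image/png"),
        Response("/basket", "text/html", requires_session=True),
        Response("/login", "text/html", sets_cookie=True),
        Response("/product/1234", "text/html"),
    ]
    for r in samples:
        print(r.path, "->", apply_cache_policy(r).headers["Cache-Control"])
```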



More information about the london.pm mailing list