
C.R.E.A.M. - Cache Rules Evidently Ambiguous, Misunderstood

Formal Metadata

Title
C.R.E.A.M. - Cache Rules Evidently Ambiguous, Misunderstood
Series Title
Number of Parts
112
Author
License
CC Attribution 3.0 Unported:
You may use, modify, and reproduce, distribute, and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided you credit the author/rights holder in the manner specified by them.
Identifiers
Publisher
Publication Year
Language

Content Metadata

Subject Area
Genre
Abstract
Common wisdom dictates that web applications serving sensitive data must use an encrypted connection (i.e., HTTPS) to protect data in transit. Once served, that same sensitive data must be protected at rest, either through encryption or, more appropriately, by not storing the sensitive data on disk at all. In the past, web browser disk caching policies maintained a distinction between HTTP and HTTPS requests, typically refusing to cache HTTPS responses. With today's bandwidth- and performance-hungry AJAX and HTML5 applications, most modern browsers treat all content (including content served over HTTPS) as safe to cache to disk unless the server explicitly restricts it. This silent "shift" of responsibility from the browser to the web-application server has eluded both secure web-application and safe-browsing paradigms, leaving consumers exposed. Even OWASP's recommended guidelines for creating secure web applications are wrong on this topic [1]. We tested over thirty sites that provide personal financial, health, and insurance-related information to determine what, if any, sensitive information was cached to disk, and the results were surprising. Over 70% of tested sites cached sensitive information, ranging from account balances to bank-check images, bank statements, and full credit reports. We will discuss not only the technical details of these caching vulnerabilities, but also the history behind the "shift" in cache policy responsibility, the breakdown in conventional wisdom concerning web-application and web-browser security policies, the ramifications of caching PII to disk, and the potential widespread violation of most compliance standards, including PCI, HIPAA, SOX, and government standards such as FIPS or Common Criteria.

Jacob Thompson is a security analyst at Independent Security Evaluators, a Baltimore, Maryland, company specializing in high-end, custom security assessments of computer hardware and software products. Jacob holds an M.S. in Computer Science from the University of Maryland, Baltimore County. His primary security interests include analyzing commercial software products for design flaws and other vulnerabilities, reverse engineering, and cryptography. Prior to joining ISE, Jacob served as a Computer Science teaching assistant and briefly worked as an intern software engineer developing desktop and embedded applications for process control systems.