Post 302243384 by Linux Bot on Sunday 5th of October 2008 06:50:03 AM
Proxy Caches are a Challenging Threat to Internet Security

Tim Bass
10-05-2008 03:41 AM
Proxy caches, combined with poorly written session management code, can easily lead to serious security flaws similar to the one we highlighted in A New Security Breach in Google Docs Revealed.

Web developers have no control over proxy caches on the Internet. They do, however, control the code they write, and their admin teams control the configuration of their web servers. Developers must therefore assume the worst case: aggressive shared caches that, for economic and performance reasons, serve stored responses to whoever asks for the same URL unless the origin explicitly tells them not to.

One consequence of this fact of life is that multiple web clients can be sent the same Set-Cookie HTTP header: a response that issued a session cookie to one client is stored by the proxy and replayed to the next client that requests the same URL, so both end up holding the same session ID. A well-behaved caching proxy would obtain a fresh response, and hence a fresh cookie, for each new client request, and would never cache session management cookies and hand them out to multiple clients. Application developers cannot assume that proxy caches are well behaved, however, especially for applications where security and privacy are required. The response that sets a session cookie should say so itself, with Cache-Control: no-store (or at least private), rather than relying on the cache to guess.

Web developers cannot know whether their content is consumed directly or via a proxy cache. Nor can they assume that an HTTP response will be delivered only to the intended browser, or that the intended browser receives the intended content. A session ID issued to a client, for example, remains usable for as long as it is valid, until it is abandoned and expires. If it is served in response to an unencrypted HTTP GET request, there is no guarantee it will be consumed only by the intended web browser: anything on the path, a shared cache included, can store it and hand it to someone else.

Ideally, SSL should be used for all web transactions that require confidentiality and privacy, including the Google Docs case above. Even SSL is not foolproof, though. For example, many web developers do not set the cookie's "Encrypted Sessions Only" property (the Secure attribute on the Set-Cookie header). A session cookie issued over HTTPS without that attribute is sent by the browser on any plain HTTP request to the same host, so these incorrectly configured "secure" servers end up receiving their HTTPS session cookies in the open, unencrypted.
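The two failure modes above, a shared cache replaying a Set-Cookie response and a session cookie issued without the Secure flag, as an added example that is not part of the original post or the (ISC)2 article. The cache is an assumed toy model of an aggressive shared proxy: it stores any 200 response to a GET unless the origin says Cache-Control: no-store or private. Real proxies differ in their heuristics, which is the point; the origin has to be explicit. The origin handlers, the cookie name SESSIONID and the /account path are hypothetical.

```python
"""Toy shared proxy cache replaying a Set-Cookie response to several clients.

Added example, not code from the original post. The cache is an ASSUMED
aggressive shared cache: it stores any 200 response to a GET unless the
origin sends `Cache-Control: no-store` or `private`. Origin handlers,
cookie name and path are hypothetical.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict                                      # single-valued, name -> value
    body: str
    set_cookies: list = field(default_factory=list)    # raw Set-Cookie header lines


class ProxyCache:
    """Shared cache sitting between many browsers and one origin."""

    def __init__(self):
        self.store = {}
        self.hits = 0

    @staticmethod
    def _storable(resp):
        cc = resp.headers.get("Cache-Control", "")
        directives = {d.strip().lower() for d in cc.split(",")}
        return resp.status == 200 and not (directives & {"no-store", "private"})

    def fetch(self, method, url, origin):
        """Serve from the shared store when possible, otherwise ask the origin."""
        key = (method, url)
        if method == "GET" and key in self.store:
            self.hits += 1
            return self.store[key]          # replayed verbatim, Set-Cookie included
        resp = origin(method, url)
        if method == "GET" and self._storable(resp):
            self.store[key] = resp
        return resp


def weak_origin(method, url):
    """Issues a fresh session id but says nothing about caching or cookie flags (the flaw)."""
    sid = secrets.token_hex(16)
    return Response(200, {"Content-Type": "text/html"},
                    "<p>Welcome back</p>",
                    [f"SESSIONID={sid}; Path=/"])


def hardened_origin(method, url):
    """Same page, but the response forbids shared caching and flags the cookie."""
    sid = secrets.token_hex(16)
    return Response(200, {"Content-Type": "text/html",
                          "Cache-Control": "no-store, private",
                          "Vary": "Cookie"},
                    "<p>Welcome back</p>",
                    [f"SESSIONID={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"])


def session_id(resp):
    """Pull the SESSIONID value out of a response's Set-Cookie lines."""
    for line in resp.set_cookies:
        name, _, rest = line.partition("=")
        if name.strip() == "SESSIONID":
            return rest.split(";", 1)[0]
    return None


def simulate(origin, clients=2):
    """Send several distinct browsers through one cache; return their session ids and the hit count."""
    cache = ProxyCache()
    ids = [session_id(cache.fetch("GET", "/account", origin)) for _ in range(clients)]
    return ids, cache.hits


def audit_set_cookie(line, served_over_https=True):
    """Return the attributes a session cookie should carry but does not."""
    attrs = {a.strip().split("=", 1)[0].lower() for a in line.split(";")[1:]}
    findings = []
    if served_over_https and "secure" not in attrs:
        findings.append("missing Secure: browser will also send it on plain http:// requests")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by page script")
    return findings


if __name__ == "__main__":
    for name, origin in (("weak", weak_origin), ("hardened", hardened_origin)):
        ids, hits = simulate(origin)
        print(f"{name}: cache hits={hits}, both clients share one session id={ids[0] == ids[1]}")
        cookie = origin("GET", "/account").set_cookies[0]
        print("  cookie audit:", audit_set_cookie(cookie) or "ok")
```

With the weak origin the second browser gets the first browser's SESSIONID straight out of the cache; with the hardened origin every request reaches the server and each client gets its own cookie, and the audit shows the Secure and HttpOnly attributes that keep the cookie off plain-HTTP requests and away from page script. Cache-Control: no-store is the directive that does the work here; Vary: Cookie is belt and braces for caches that honour it.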

There be dragons …


Note: Reposted from the (ISC)2 blog.


Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.