Proxy Caches are a Challenging Threat to Internet Security


 
Thread Tools Search this Thread
Special Forums News, Links, Events and Announcements Complex Event Processing RSS News Proxy Caches are a Challenging Threat to Internet Security
# 1  
Old 10-05-2008
Proxy Caches are a Challenging Threat to Internet Security

Tim Bass
10-05-2008 03:41 AM
Proxy caches, combined with poorly written session management code, can easily leads to serious security flaws similar to what we highlighted in A New Security Breach in Google Docs Revealed.

Web developers have no control over proxy caches in the Internet. However, developers do have control of the code they write and their admin teams have configuration control of their web servers. Developers must assume the worst case Internet scenario with aggressive Internet cache management policies that serve cached data for economic and performance reasons.

As a consequence, this fact-of-life on the Internet sometimes results in multiple web clients being sent the same Set-Cookie HTTP headers, for example.* Caching proxy servers should obtain a fresh cookie for the each new client request. Ideally, proxy caches should not cache session management cookies and distribute cached cookies to multiple clients. However, application developers cannot assume that proxy caches are well behaved, especially for applications where security and privacy are required.

Web developers cannot know whether their content is consumed directly or via a proxy cache. Developers also cannot assume that the HTTP responses will be delivered to the intended browser. Moreover, developers cannot be sure that the intended browser even receives the intended content.* For example, a session ID issued to a client gets used while it is valid or until abandoned and expired. If it is served and delivered in response to an unencrypted HTTP GET request, there's no guarantee it will be consumed by the intended web browser.

Ideally, SSL should be used on all web transactions that require confidentiality and privacy, including our recent Google Docs breach.* On the other hand, even SSL is not foolproof. For example, many web developers do not correctly set the “Encrypted Sessions Only” cookie property. These incorrectly configured “secure” servers will send HTTPS cookies in the open, unencrypted.

There be dragons …


Note: Reposted from the (ISC)2 blog.</p>

Source...
Login or Register to Ask a Question

Previous Thread | Next Thread

2 More Discussions You Might Find Interesting

1. What is on Your Mind?

The Insider Threat in IT Security

Over my very long career in unix and linux system programming, network security, network system engineering, and cybersecurity as a whole, the number one threat to any organization is what we refer to as the "insider threat". Disgruntled employees, dissatisfied team members, lax security... (0 Replies)
Discussion started by: Neo
0 Replies

2. Linux

SFTP an internet address from a system behind an internet proxy

I was wondering if it is possible to setup SFTP to go through the internet proxy while connecting to an internet location. Problem: Client system is behind internet proxy. SFTP to any internet location fails as there is no documented way to configure SFTP to connect to internet locations through... (4 Replies)
Discussion started by: toobrown1
4 Replies
Login or Register to Ask a Question