views: 133 | answers: 2
We have had an external company produce a security risk report on our web app and they stated that allowing cacheable HTTPS responses is a 'moderate' security risk.

Would people agree with this assessment?

+1  A: 

Server-side caching of responses should be OK as it is happening on a different layer than the SSL/TLS that https uses to encrypt.

Sean A.O. Harney
+1  A: 

If the data genuinely needs to be secure, then caching it seems like a bad idea.

For example, if it is, say, bank details of a user, then if that is cached to the server, then that is another place (in addition to the database where the data is stored) that is at risk of cracking.

If it does not genuinely need to be secure, and is just passed over https alongside stuff that does need to be secure and is not cached (like images in the page served over https), then I think that is absolutely fine.

DanSingerman
Good point, I was thinking about that before I posted, but figured if the adversary already has access to the webserver process' memory the game is lost already.
Sean A.O. Harney
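The auditor's finding is about whether a browser or an intermediate proxy is allowed to store the response body, which is governed by the response's caching headers rather than by TLS. As an added example that is not part of the original thread, here is a small Python check that parses `Cache-Control`, flags a response carrying sensitive data (the `sensitive` flag stands in for the application's own judgement and is an assumption here) whose headers still permit caching, and shows the header set that prevents it. The sample header sets are constructed for the example.

```python
"""Audit HTTP response headers for cacheability of sensitive responses.

Added example, not code from the original thread. The `sensitive` flag is
an assumption: the application decides which responses carry secret data.
"""
from typing import Dict, List


def parse_cache_control(value: str) -> Dict[str, str]:
    """Parse a Cache-Control header into a dict of lowercase directives.

    'private, max-age=0, no-store' -> {'private': '', 'max-age': '0', 'no-store': ''}
    Quoted arguments are unquoted; empty tokens are ignored.
    """
    directives: Dict[str, str] = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def cache_findings(headers: Dict[str, str], sensitive: bool) -> List[str]:
    """Return audit findings for one response.

    Header names are compared case-insensitively. Only responses marked
    `sensitive` are checked: public assets (images, scripts) may be cached.
    """
    if not sensitive:
        return []
    lowered = {k.lower(): v for k, v in headers.items()}
    directives = parse_cache_control(lowered.get("cache-control", ""))
    findings: List[str] = []
    if "no-store" not in directives:
        findings.append(
            "Cache-Control lacks no-store: a browser or proxy may write the body to disk"
        )
    if "public" in directives:
        findings.append(
            "Cache-Control is public: a shared proxy cache may serve the body to other clients"
        )
    max_age = directives.get("max-age")
    if max_age is not None and max_age.isdigit() and int(max_age) > 0:
        findings.append(
            f"Cache-Control max-age={max_age} allows reuse of the body for that many seconds"
        )
    return findings


# Header set that stops both browser and shared caches from storing the body.
# Pragma and Expires cover HTTP/1.0 proxies that ignore Cache-Control.
HARDENED_HEADERS: Dict[str, str] = {
    "Cache-Control": "no-store, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
}

# Constructed sample: an account page whose headers permit caching.
WEAK_ACCOUNT_HEADERS: Dict[str, str] = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "public, max-age=3600",
}

# Constructed sample: a static logo, fine to cache even over HTTPS.
STATIC_IMAGE_HEADERS: Dict[str, str] = {
    "Content-Type": "image/png",
    "Cache-Control": "public, max-age=86400",
}


def audit_samples() -> Dict[str, List[str]]:
    """Run the check over the constructed samples and return findings by name."""
    return {
        "account page (weak)": cache_findings(WEAK_ACCOUNT_HEADERS, sensitive=True),
        "account page (hardened)": cache_findings(HARDENED_HEADERS, sensitive=True),
        "static image": cache_findings(STATIC_IMAGE_HEADERS, sensitive=False),
    }


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

The check deliberately says nothing about responses the application does not mark as sensitive, which matches the distinction drawn in the answer above: the risk lies in stored copies of secret data, not in caching as such.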
