Timestamp:
23/01/14 09:31:59 (6 years ago)
Author:
fielding@…
Message:

(editorial) OWASP only provides useful additional info for web application semantics and authentication; see #520 and #549

File:
1 edited

  • draft-ietf-httpbis/latest/p6-cache.html

    r2566 r2569  
    451451  }
    452452  @bottom-center {
    453        content: "Expires July 26, 2014";
     453       content: "Expires July 27, 2014";
    454454  }
    455455  @bottom-right {
     
    495495      <meta name="dct.creator" content="Reschke, J. F.">
    496496      <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p6-cache-latest">
    497       <meta name="dct.issued" scheme="ISO8601" content="2014-01-22">
     497      <meta name="dct.issued" scheme="ISO8601" content="2014-01-23">
    498498      <meta name="dct.replaces" content="urn:ietf:rfc:2616">
    499499      <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document defines HTTP caches and the associated header fields that control cache behavior or indicate cacheable response messages.">
     
    521521            </tr>
    522522            <tr>
    523                <td class="left">Expires: July 26, 2014</td>
     523               <td class="left">Expires: July 27, 2014</td>
    524524               <td class="right">J. Reschke, Editor</td>
    525525            </tr>
     
    530530            <tr>
    531531               <td class="left"></td>
    532                <td class="right">January 22, 2014</td>
     532               <td class="right">January 23, 2014</td>
    533533            </tr>
    534534         </tbody>
     
    557557            in progress”.
    558558         </p>
    559          <p>This Internet-Draft will expire on July 26, 2014.</p>
     559         <p>This Internet-Draft will expire on July 27, 2014.</p>
    560560      </div>
    561561      <div id="rfc.copyrightnotice">
     
    19211921      <div id="security.considerations">
    19221922         <h1 id="rfc.section.8"><a href="#rfc.section.8">8.</a>&nbsp;<a href="#security.considerations">Security Considerations</a></h1>
    1923          <p id="rfc.section.8.p.1">This section is meant to inform developers, information providers, and users of known security concerns specific to HTTP/1.1
    1924             caching. More general security considerations are addressed in HTTP messaging <a href="#Part1" id="rfc.xref.Part1.11"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> and semantics <a href="#Part2" id="rfc.xref.Part2.9"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>.
    1925          </p>
    1926          <p id="rfc.section.8.p.2">The list of considerations below is not exhaustive — security analysis in an ongoing activity. Various organizations, such
    1927             as the "Open Web Application Security Project" (OWASP, &lt;<a href="https://www.owasp.org/">https://www.owasp.org/</a>&gt;), provide information about current research.
    1928          </p>
    1929          <p id="rfc.section.8.p.3">Caches expose additional potential vulnerabilities, since the contents of the cache represent an attractive target for malicious
     1923         <p id="rfc.section.8.p.1">This section is meant to inform developers, information providers, and users of known security concerns specific to HTTP caching.
     1924            More general security considerations are addressed in HTTP messaging <a href="#Part1" id="rfc.xref.Part1.11"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> and semantics <a href="#Part2" id="rfc.xref.Part2.9"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>.
     1925         </p>
     1926         <p id="rfc.section.8.p.2">Caches expose additional potential vulnerabilities, since the contents of the cache represent an attractive target for malicious
    19301927            exploitation. Because cache contents persist after an HTTP request is complete, an attack on the cache can reveal information
    19311928            long after a user believes that the information has been removed from the network. Therefore, cache contents need to be protected
    19321929            as sensitive information.
    19331930         </p>
    1934          <p id="rfc.section.8.p.4">In particular, various attacks might be amplified by being stored in a shared cache; such "cache poisoning" attacks use the
    1935             cache to distribute a malicious payload to many clients, and are especially effective when an attacker can use implmentation
    1936             flaws, elevated priviledges or other techniques to insert such a response into a cache. One common attack vector for cache
     1931         <p id="rfc.section.8.p.3">In particular, various attacks might be amplified by being stored in a shared cache; such "cache poisoning" attacks use the
     1932            cache to distribute a malicious payload to many clients, and are especially effective when an attacker can use implementation
     1933            flaws, elevated privileges, or other techniques to insert such a response into a cache. One common attack vector for cache
    19371934            poisoning is to exploit differences in message parsing on proxies and in user agents; see <a href="p1-messaging.html#message.body.length" title="Message Body Length">Section 3.3.3</a> of <a href="#Part1" id="rfc.xref.Part1.12"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> for the relevant requirements.
    19381935         </p>
    1939          <p id="rfc.section.8.p.5">Likewise, implementation flaws (as well as misunderstanding of cache operation) might lead to caching of sensitive information
     1936         <p id="rfc.section.8.p.4">Likewise, implementation flaws (as well as misunderstanding of cache operation) might lead to caching of sensitive information
    19401937            (e.g., authentication credentials) that is thought to be private, exposing it to unauthorized parties.
    19411938         </p>
    1942          <p id="rfc.section.8.p.6">Furthermore, the very use of a cache can bring about privacy concerns. For example, if two users share a cache, and the first
     1939         <p id="rfc.section.8.p.5">Furthermore, the very use of a cache can bring about privacy concerns. For example, if two users share a cache, and the first
    19431940            one browses to a site, the second may be able to detect that the other has been to that site, because the resources from it
    19441941            load more quickly, thanks to the cache.
    19451942         </p>
    1946          <p id="rfc.section.8.p.7">Note that the Set-Cookie response header field <a href="#RFC6265" id="rfc.xref.RFC6265.1"><cite title="HTTP State Management Mechanism">[RFC6265]</cite></a> does not inhibit caching; a cacheable response with a Set-Cookie header field can be (and often is) used to satisfy subsequent
     1943         <p id="rfc.section.8.p.6">Note that the Set-Cookie response header field <a href="#RFC6265" id="rfc.xref.RFC6265.1"><cite title="HTTP State Management Mechanism">[RFC6265]</cite></a> does not inhibit caching; a cacheable response with a Set-Cookie header field can be (and often is) used to satisfy subsequent
    19471944            requests to caches. Servers who wish to control caching of these responses are encouraged to emit appropriate Cache-Control
    19481945            response header fields.
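Review bot: dropping rfc.section.8.p.2 renumbers the id of every paragraph that follows (p.3 through p.7 become p.2 through p.6), so any existing link to #rfc.section.8.p.N in the other parts, the issue tracker, or external references now resolves to the preceding paragraph; either check that no such anchors exist or consider leaving the number as a gap. The textual changes themselves are fine: "HTTP/1.1 caching" becomes "HTTP caching" in p.1, the OWASP paragraph goes (taking its own typo, "security analysis in an ongoing activity", with it), and "implmentation"/"priviledges" are corrected to "implementation"/"privileges" with a serial comma added. One nit in the unchanged context at the end of the hunk: "Servers who wish to control caching" reads better as "Servers that wish".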