
Corsaire highlights potentially serious flaw in web browsers

25 November 2009

Corsaire, the international security consultancy, claims to have identified a potentially serious flaw with most popular web browsers.

The problem centres on the web caching facility, which is set to 'on' by default in most browsers: whilst users' live web sessions are secured, the web browser cache is often stored without such security.

In a report on the issue, Corsaire said that most businesses are unaware of the fact that their web browser cache is storing potentially sensitive information.

"Caching is something that we need to get right from both a performance and security perspective, as the caching of data in the browser - and the ability to keep potentially sensitive data from being stored in the cache - is paramount to information security", said Rogan Dawes, principal security consultant at Corsaire.

"It is therefore in both the application developer's interest to correctly tag data to prevent its exposure, and in the user's interest to ensure that their data remains private", he added.

As part of a recent white paper on the subject, called 'Cache for Questions', Dawes said he examined the risk of sensitive data being stored in a user's web browser, as well as the variations that exist in different web browsers and the effectiveness of the currently recommended mitigations.

The paper also looked at the shortfalls in browser security and the common wisdom in this area, and suggested solutions that will help to keep both personal and business data safe.

"After conducting security assessments of web applications and technologies for over a decade, it has become abundantly clear that web browsers are inconsistent and insecure in their operation relating to data security", Dawes said.

"Unfortunately, the guidelines and standards being used to combat this problem are often conflicting, and routinely include assumptions, misinterpretations and mistakes", he added.

"To make matters worse, the security breaches being caused as a result are largely invisible to end users and service providers, which makes the problem even more dangerous."

The good news, Infosecurity notes, is that Dawes' report showed that most popular web browsers can have their caching facility switched off. Whilst this will slow down users' internet sessions in some cases, it prevents the security problem from occurring.

 
