You should encrypt the output from the Apache server, redirecting ports, and
develop a personal browser that decrypts the pages "only for your eyes",
making no cache of anything.



Pablo A. C. Gietz
Jefe de Seguridad Informática
Nuevo Banco de Entre Ríos S.A.
Te.: 0343 - 4201351
----- Original Message -----
From: "stef" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, October 25, 2002 7:14 AM
Subject: Viewing web content off-line (Apache) - default Oracle install of
self-service apps


> Hi, all,
>
> A first attempt of mine in posting this was declined by the moderator as
> irrelevant to a security list, so I am trying to reformulate to emphasize
> the fact that the only reason of this post is a security issue: we have
> started deploying Oracle self-services in my company (HR-related "modules",
> among others), based on Oracle 9 as database and Apache as web server. The
> problem is that these applications contain highly confidential data (e.g.
> salary info), and in the areas where the PCs are shared among multiple
> users, the availability of pages saved in the history is of great concern.
> Here is what is happening: after having "visited" the salary information,
> regardless of whether the user exits the application properly, or not, his
> information is available to the next user by simply doing the following:
> - in a browser like Microsoft IE - choose "work offline"
> - choose then the history menu
> - "pick" ("click") on one of the previously visited pages (by other
> employees) --> boom - salary info from previous visitor is available
>
> We are running all this using SSL (obviously in an attempt to avoid the
> damage of traffic sniffing as much as we can), so we found an easy
> solution being the "tweaking" of the browser in the security options, by
> checking the "Do not save encrypted pages to disk" in the Tools -->
> Internet options ... --> Advanced menu (in the IE). We also have knowledge
> on how to do this "scripted", such that all the browsers get the change, by
> using a reg hack deployed through the login script, one containing also
> removal of specific rights for regular users changing back this option, BUT
> I do not think this is a proper way of resolving such a security issue. I
> think that the solution should reside on the Apache side, by forcing
> (somehow) this type of "caching"/"history kept" from happening. I know the
> basics of HTML Metatags or Pragmas in regards to expiration of cache,
> etc. ... but this is not the solution I am seeking, as it won't work on
> dynamically created pages - I think there may be a solution using Java
> based app(let)s forcing this dynamically, such that we could deploy a
> "hidden" such applet on every dynamically created page ....
>
> Sorry for the lengthy posting - in the end the simple question is: has
> anybody been faced with this challenge of self-service-like apps,
> delivered via Apache-based servers? If yes - how did you resolve the
> security aspects such as the one I described above?
>
> Thx,
> Stef
>
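A server-side way to do what Stef asks for, as an added example that is not from either poster: Apache's mod_headers can stamp every response under the self-service path with no-store/no-cache headers, which covers dynamically generated pages too because the server adds the headers, not the page. The `/selfservice/` prefix and the module path are placeholders for the real deployment.

```apache
# Added example, not part of the original thread.
# Assumes Apache 2.x with mod_headers available; /selfservice/ is a
# placeholder for the real URL prefix of the Oracle self-service application.
LoadModule headers_module modules/mod_headers.so

<Location /selfservice/>
    # HTTP/1.1 clients: never store the response on disk (no-store), do not
    # reuse it without revalidation (no-cache, must-revalidate), and do not
    # let shared caches keep it (private). IE honours no-store for its
    # history/"work offline" view, so the salary pages are not replayable.
    Header set Cache-Control "no-store, no-cache, must-revalidate, private"

    # HTTP/1.0 clients and older proxies only understand Pragma and Expires;
    # an Expires date in the past marks the page as already stale.
    Header set Pragma "no-cache"
    Header set Expires "Thu, 01 Jan 1970 00:00:00 GMT"

    # Because these are response headers set by the server, they apply to
    # every page under this prefix, static or dynamically generated, without
    # touching application code or <meta http-equiv> tags.
</Location>

# Caveat: some Internet Explorer versions refuse to open file downloads
# (e.g. PDF payslips) served over SSL when Cache-Control: no-cache/no-store
# is present. If the application offers downloads, give those URLs their
# own <Location> block with a less restrictive policy and test them.
```

Verify from a client with `curl -k -I https://HOST/selfservice/some-page` (HOST being your server) and confirm the three headers appear on a dynamically generated response, not only on static files.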

