
HTTPS Disk Cache Controller Browser Extensions


Description

In response to our study of 30 websites, which found that 21 of the sites failed to send the necessary HTTP header to prevent disk caching of content in all browsers, ISE developed a browser add-on, available for the desktop version of Firefox, to allow a user to configure the browser to block disk caching of HTTPS content, regardless of any headers the server did or did not send with the response.

The Firefox add-on works by providing a user interface to control the otherwise hidden preference browser.cache.disk_cache_ssl, which controls the browser's HTTPS caching policy. The default setting in Firefox 4.0 and later, true, causes all HTTPS responses to be disk cached unless the server sends the header Cache-Control: no-store. When the preference is set to false, either manually or using the interface provided by our extension, the browser does not disk cache any HTTPS content unless the server sends the header Cache-Control: public.
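
The policy described above can be modeled to audit captured HTTPS response headers under both settings. This is an added example, not code from the ISE add-on or from Firefox; the function names and sample URLs are constructed, and treating no-store as overriding public when both appear is an assumption based on HTTP semantics.

```python
import re

PREF = "browser.cache.disk_cache_ssl"  # preference named on the page

# Directive name, optionally followed by =token or ="quoted string".
# Consuming the quoted value keeps commas inside it from splitting directives.
_DIRECTIVE = re.compile(r'([A-Za-z0-9_-]+)(?:=(?:"[^"]*"|[^,]*))?')


def directives(cache_control):
    """Return the lower-cased directive names in a Cache-Control value."""
    return {name.lower() for name in _DIRECTIVE.findall(cache_control or "")}


def disk_cached(cache_control, disk_cache_ssl):
    """Model the page's rule for one HTTPS response; True means written to disk."""
    names = directives(cache_control)
    if "no-store" in names:   # assumption: no-store wins under either setting
        return False
    if disk_cache_ssl:        # default (true): cached unless no-store is sent
        return True
    return "public" in names  # false: cached only if the server sends public


# Constructed sample responses: (URL, Cache-Control value, None if header absent).
SAMPLES = [
    ("https://bank.example/statement", None),
    ("https://bank.example/login", "no-cache, must-revalidate"),
    ("https://bank.example/account", "Public, No-Store"),
    ("https://cdn.example/logo.png", "public, max-age=86400"),
    ("https://mail.example/inbox", 'private, no-cache="Set-Cookie, no-store"'),
]


def audit(samples):
    """Map each URL to (cached when pref is true, cached when pref is false)."""
    return {url: (disk_cached(cc, True), disk_cached(cc, False))
            for url, cc in samples}


if __name__ == "__main__":
    print(f"{'URL':34} {PREF}=true  =false")
    for url, (default, hardened) in audit(SAMPLES).items():
        print(f"{url:34} {'disk' if default else 'memory':32} "
              f"{'disk' if hardened else 'memory'}")
```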

Installation

To install the HTTPS Cache Controller Firefox add-on:

  1. Click here to download and install the add-on.
  2. When prompted, restart the browser.

The extension adds a new toolbar button. The button displays an icon representing the current HTTPS disk caching setting, and hovering the mouse over the button displays a textual representation of the setting. Clicking the button toggles the HTTPS disk caching configuration.

The possible configurations and the corresponding icons on the toolbar are:

(check) Disk caching of HTTPS content is disabled. HTTPS content may only be cached in memory; therefore, no content remains on disk whether the browser is open or closed.
X Disk caching of HTTPS content is enabled, i.e., the browser uses the same caching policy that it originally used before the extension was installed. After browsing HTTPS sites that fail to set the header Cache-Control: no-store, unencrypted copies of information accessed on those sites persist on disk, even after the browser is closed.



Copyright 2005-2013 Independent Security Evaluators, LLC. All rights reserved.