Hi,
The following is a compliant from one of the users in our Corporation.
I notice that some secured html's are generation from cgi-win, cgi-shl ,
etc. Therefore, using only "cache_stoplist cgi-bin ?" may not be too
effective. I wonder how I can stop caching all POST objects instead.
Thanks in advance
Peter Woo
Ontario Hydro
(peter.woo@hydro.on.ca)
------------------------------------------------------------------------
------
Problem:
Quirks in either Hydro's implementation of caching or in other sites'
interpretation of how caching works, has allowed the ability for
complete strangers (in Hydro) to view your confidential bank accounts.
Statement
Two weeks ago, we were setting up My Yahoo (a customized web page) for
somebody (strictly technical news :). After setting up, we were quite
surprised to get somebody else's web page. Ha, ha we thought, and it
never happened again.
Now I've been informed that somebody was checking their Bank of Montreal
web bank account. This is fairly heavily protected by user name and
password. Lo and Behold, he came up with somebody else's (in Hydro)
bank account! This fellow almost came to blows accusing that person of
using his PC at night! :)
What is happening here? I believe that MBANX is probably being slack
about caching and the use of common ip firewalls, but we are probably
caching something that shouldn't be cached.
Until this is resolved, I recommend that web accounts be only checked at
home.
------------------------------------------------------------
Received on Fri Feb 14 1997 - 10:45:33 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:34:27 MST