Are proxy servers safe to use for online banking or purchases using a credit card? Will the server save my customers' information? Will hackers have access to their info on the server?
When using a proxy server, the user is connected to the server, not the Web site in their browser, because the proxy acts as a client on behalf of the user. It uses one of its own IP addresses to request the page from the server located on the Internet. Once the page is returned, the proxy server forwards it to the user, isolating them from the Internet. If the proxy server is also a cache server, it will first look in its local cache of previously downloaded Web pages to see if it can find the requested page. If it finds the page, it sends it to the user. This avoids the need to forward the request to the Internet. If one or more sites are frequently requested, it is likely they are saved in the proxy's cache. Therefore, when pages are requested from these sites, users receive improved response times.
By default, proxy caches do not decrypt or cache encrypted pages (those delivered over an SSL connection). So, as long as pages containing sensitive information, such as credit card details, are delivered over an SSL connection, your customers' information will be not be stored on the proxy server. However, if you are responsible for the proxy server, you should check its cache settings to make sure it is not caching sensitive pages. For example, ISA Server can be configured to cache SSL response traffic that is bridged.
If you're a developer and want to ensure that some or all of your pages aren't cached, add the "Expires" attribute and set the expiration date in the past on the relevant pages. For example: <META HTTP-EQUIV="Expires" CONTENT="Thu, 01 Dec 1998 12:00:00 GMT">
Version 1.1 of the HTTP standard added a new field called Cache Control and one of the options
for this attribute is "no-cache" as in:
<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
This instructs caches not to keep a copy of the representation under any condition. Two caveats, though:
- Internet Explorer does not obey this instruction for non-HTML pages such as PDF documents.
- Older browsers that only support HTTP 1.0 do not obey this instruction either.
While many developers believe that assigning a "Pragma: no-cache HTTP header" will make a page uncacheable, this is unreliable and should be avoided because, technically, it is incorrect -- the HTTP standard specifies Pragma as a header to be sent by clients when requesting a fresh copy of a page, not by servers.
Finally, both IE and Netscape have an option to cache documents locally obtained via SSL. It is important to note that if this option is enabled, anyone who gains access to the computer could read any personal information contained within the document because again, it will be stored in the browser's cache.
This was first published in December 2005