5

I think this question arises primarily from my insufficient understanding of browser caching. Let's log in to ProtonMail, and read a message. My understanding is that an encrypted 'blob' of data gets downloaded by my browser, and it gets decrypted locally. Can ProtonMail ensure my browser will not cache the text, readable after the decryption? Can I ensure it with some straightforward local method, preferably without plugins?

I did not specify any web browsers.

  • Specifically, what caching mechanism are you concerned about? See the comments below; I don't think HTTP caching would apply. – multithr3at3d May 07 '18 at 23:24

1 Answer

2

ProtonMail uses the following header in its replies:

```
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
```

According to the standards:

> no-store
>
> The cache should not store anything about the client request or server response.

Thus, the data downloaded should not be cached.

Xavier59
  • I think the caching here doesn't have to do with the server at all, assuming that the content is decrypted by JavaScript. – multithr3at3d May 07 '18 at 17:48
  • @multithr3at3d you are right, maybe the `no-store` directive also affects JavaScript memory management, though. On another note, maybe ProtonMail is using some mechanism to rewrite some memory, though I doubt it. I think the way to go about it, since this is about a specific product, is to email ProtonMail. I did send them an email linking to this question. – Xavier59 May 07 '18 at 18:30
  • Thank you. I pondered the idea of contacting them, but why bother anyone when there is a great Stack Exchange community? :) Now I see they send this header; hopefully all of the popular browsers stick to this practice and won't store anything that is decrypted, at least in this case. – Guest_Guestovich_Guestovsky May 08 '18 at 08:26
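An added example, not part of the original posts and not ProtonMail's code: a small checker that reads a `Cache-Control` response header, such as the one quoted in the answer, and reports what an HTTP cache may do with the response. The function names and the sample header values other than the answer's are assumptions made for illustration.

```javascript
// Added example: what a Cache-Control response header lets an HTTP cache do.
// It covers the HTTP cache only, not data that page JavaScript decrypts
// and holds in memory.

// Parse the header value into a Map of lowercased directive -> argument
// (true when the directive has no argument).
function parseCacheControl(headerValue) {
  const directives = new Map();
  // An argument may be a token or a quoted string that itself contains
  // commas, e.g. no-cache="set-cookie, authorization".
  const pattern = /([^\s,="]+)(?:\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+)))?/g;
  for (const m of String(headerValue).matchAll(pattern)) {
    const name = m[1].toLowerCase(); // directive names are case-insensitive
    const arg = m[2] !== undefined ? m[2] : m[3];
    if (!directives.has(name)) directives.set(name, arg === undefined ? true : arg);
  }
  return directives;
}

function assessStorage(headerValue) {
  const d = parseCacheControl(headerValue);
  const rawAge = d.get("max-age");
  const maxAge = typeof rawAge === "string" && /^\d+$/.test(rawAge) ? Number(rawAge) : null;
  const noStore = d.has("no-store");
  return {
    // Only no-store forbids writing the response to a cache at all.
    mayStore: !noStore,
    // Simplification: private with field-name arguments is treated as plain private.
    sharedCacheMayStore: !noStore && !d.has("private"),
    // Unqualified no-cache, or must-revalidate on an immediately stale response.
    revalidateBeforeReuse:
      d.get("no-cache") === true || (d.has("must-revalidate") && maxAge === 0),
    maxAge,
  };
}

// Constructed sample values; the first is the header quoted in the answer.
const sampleHeaders = [
  "no-store, no-cache, must-revalidate, max-age=0",
  "no-cache, max-age=0",
  'private, No-Cache="set-cookie, authorization", Max-Age=60',
];
for (const h of sampleHeaders) console.log(h, "=>", assessStorage(h));
```

The second sample shows why `no-store` is the directive that matters here: `no-cache` on its own still lets the browser keep a copy, it only forces revalidation before reuse.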