Suppose that we create a sensitive file as an HTML document, and then view that file with a web browser such as Firefox, or other.

Is it possible that the file is treated as if it were a document fetched over HTTP or HTTPS, and stored in the browser's cache?

If this is the case, we have to wipe the browser's cache and shred the free disk space in order to be sure that the secure document is gone, making it inconvenient to use that browser as a reader for secure documents.

Are there any browsers, or specific versions of browsers on specific platforms, which have such dumb behavior (and should not be used, for instance, as tools for viewing temporarily decrypted sensitive documents)?

Kaz

2 Answers

Local files are not treated any differently from Internet sourced files in terms of caching, temp files, etc.

If you use a system file change tool and open a local *.html file you will see that all sorts of files across the system are modified or at least opened. I tried a test file on a local drive in both IE and Firefox and it looks like a few files were modified. I would recommend you do further testing, but I see no reason why local files wouldn't be cached, etc. Just because they are local does not mean the browser does not need to store data or information from the page temporarily, in history, etc.

You can try a few different file/folder change monitoring tools:

I would generally not think HTML is the best thing to use for secure documents. The documents are not going to be secured at rest and there could be malicious plugins or other software within the browser. I would recommend using PDF with strong encryption/passwords. A lot of virtual printers (e.g. will print to PDF) include the ability to add AES level security, one such program is PDFCreator. In that way the file is secure at rest as well. I do not believe there is any caching in Adobe Acrobat or Adobe Reader, but I will have to double check on that, and could not comment on other PDF readers.

Eric G
  • Actually, they are treated very differently. Since there is no meta-data associated with them they should not be retrieved from the cache (although older versions of MSIE not only write the file to the cache but read it from there in preference to the origin). While HTTP is covered by lots of specs I am not aware of any describing local file access. i.e. you should expect them to behave inconsistently – symcbean Sep 08 '13 at 18:05
  • I have to set up a clean VM to ensure that all caching and temp files were related to the specific local file, but from this Q: http://webmasters.stackexchange.com/questions/18351/when-opening-a-local-html-file-how-do-i-ensure-i-get-the-content-not-a-cached-v I am not sure if a local file wouldn't be cached; the browser's local cache, tmp files, etc. may still be more efficient than rereading the original file. There are also session management features in some browsers, either native or via plugin. There is a high likelihood that the data will be stored in places you do not expect. – Eric G Sep 08 '13 at 18:45
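
One way to run the further testing recommended in the answer above, as an added example that is not part of the original answer or comments: plant a unique marker in a test HTML file, open it in the browser, close the browser, then search the browser's profile and cache directories for the marker. The function names and the directories passed in are assumptions; profile and cache locations differ by browser and platform.

```python
import os
import secrets
import sys


def make_canary_html(path):
    """Write a test HTML file holding a unique random marker; return the marker."""
    marker = "CANARY-" + secrets.token_hex(16)  # constructed test value
    with open(path, "w", encoding="utf-8") as f:
        f.write(f"<!DOCTYPE html><html><body><p>{marker}</p></body></html>\n")
    return marker


def file_contains(path, needles, chunk=1 << 20):
    """True if any byte pattern in `needles` occurs in the file (chunk-boundary safe)."""
    keep = max(len(n) for n in needles) - 1  # overlap carried between chunks
    tail = b""
    try:
        with open(path, "rb") as f:
            while block := f.read(chunk):
                data = tail + block
                if any(n in data for n in needles):
                    return True
                tail = data[-keep:] if keep else b""
    except OSError:
        pass  # unreadable or vanished file: skip it
    return False


def find_marker(marker, roots, exclude=()):
    """Return sorted paths under `roots` whose raw bytes contain the marker."""
    # Look for both UTF-8 and UTF-16LE forms, since stores may re-encode text.
    needles = [marker.encode("utf-8"), marker.encode("utf-16-le")]
    skip = {os.path.realpath(p) for p in exclude}  # e.g. the test file itself
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                if os.path.realpath(full) in skip or not os.path.isfile(full):
                    continue
                if file_contains(full, needles):
                    hits.append(full)
    return sorted(hits)


if __name__ == "__main__":
    # usage: python find_marker.py MARKER DIR [DIR ...]   (DIRs chosen by you)
    for hit in find_marker(sys.argv[1], sys.argv[2:]):
        print(hit)
```

A hit shows that a copy of the page content was written to disk; no hit is not proof of absence, because a browser may store data compressed or otherwise encoded.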

Yes, all browsers cache files locally. This is why clicking the "back" button loads pages very quickly, it only has to poll from the local disk.

The servers themselves can dictate the caching policy such that no local caches of the data are saved. This is common for high-security sites like banks.

The privacy mode of the browsers will delete all caches after exiting. IE can optionally prevent all encrypted pages from being saved to disk via Internet Options -> Advanced -> Security -> “Do not save encrypted pages to disk.”

I suspect that Firefox and Chrome have similar internal settings as well. If not, I can't imagine that there isn't an add-on you could install.

If you like, you could try sand-boxing other applications from accessing these caches. Most anti-virus and anti-malware utilities offer to clean out internet caches. You could set these up on your customers' machines to periodically scan and clean these caches.

Indolering
  • This question is about whether a local file is treated **as if** it were fetched over HTTP; it is not about web documents that are **actually** fetched over HTTP (for which we take it for granted there is caching). Imagine you have a `.html` file on your PC and you open it. Does the browser copy the data somewhere, other than its necessary in-memory copy? I don't think it would help performance since the file is already local. – Kaz Sep 08 '13 at 22:59