My ISP responded to my request with another user's content, is that permissible? And if not, how can I prove it?

5

Over the past 3 months, I've had two instances when I visited stackoverflow.com only to discover myself logged in as a completely different user. This seems to have happened to others as well. In that question, the answerer writes:

your ISP illegally responded to your request(s) with content it had previously requested on behalf of a different user

And indeed, that user is sharing the same ISP with me. There's no doubt there's some very serious privacy issue here - specifically, I was able to access that user's account page and see his personal details (such as e-mail), and if it happens one way, I wouldn't be surprised if that user is occasionally logged in as me and can see my personal details.

That answer, however, writes that my ISP is doing something illegal. Is my ISP actually doing something wrong here, or is such "overzealous" caching permissible under whatever protocols govern this? Is it ultimately the website's (stackoverflow's) fault for not supporting encryption (https) for displaying sensitive pages with sensitive user information?

And if my ISP is indeed in the wrong here, is there any way I can produce some sort of incriminating report next time it happens, so I will have something concrete to send them to complain, or send the press if they ignore me? I should note that during the two times it had happened, subsequent requests did not always fix the situation; the "returning bad page" thing seemed to have lasted a few minutes.

Oak

Posted 2012-05-02T19:51:10.737

Reputation: 1 255

Answers

7

That answer, however, writes that my ISP is doing something illegal.

The answer uses "illegal" to mean "wrong" - they don't imply that in any particular location the government enforces Internet Protocol requirements as part of criminal law.

Is my ISP actually doing something wrong here,

Yes, they are probably deliberately ignoring Internet standards (RFCs) in order to conserve bandwidth, reduce their costs and increase shareholder profits at the expense of their customers.

or is such "overzealous" caching permissible under whatever protocols govern this?

No, the RFCs use (and define) words like "MUST" for this sort of thing.

It is possible for this sort of experience to be caused by server-end bugs but I would be very surprised if Superuser had made a negligent error of this sort. Like many websites, Superuser login status is very likely based on session-cookies, not simply on client IP-addresses (that would imply a level of stupidity at Superuser which I strongly believe is simply not credible).

RedGrittyBrick

Posted 2012-05-02T19:51:10.737

Reputation: 70 632

Would you mind being more specific about the RFCs being violated? – Oak – 2012-05-02T20:25:22.387

@Oak: RFC2616 "The Cache-Control general-header field is used to specify directives that MUST be obeyed by all caching mechanisms along the request/response chain." – RedGrittyBrick – 2012-05-02T20:46:59.077

Thanks! Actually it seems that stackoverflow's response is marked public, max-age=120, and according to that RFC, pages marked public can indeed be cached and are not specific to a single user... – Oak – 2012-05-02T21:05:23.103

@Oak: Some of the many responses that go to complete a Superuser web page are "public", but I believe some are "private" (based on a short examination using Wireshark - but Superuser pages are fairly complex) e.g. "GET /posts/419790/ivc/6134?_=1338987622151 HTTP/1.1" response: "Cache-Control: private" – RedGrittyBrick – 2012-05-02T21:13:24.380

Looks like what my ISP is not respecting is the Vary field, also defined in that RFC. Thanks for the help! – Oak – 2012-05-02T22:48:14.997
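The caching rules cited in the comments above, as an added example that is not part of the original thread: a model shared cache that applies RFC 2616's Cache-Control and Vary rules, next to one that ignores Vary and so hands one user's page to the next requester. `Vary: Cookie`, the `/users/current` path and the session values are assumptions; the thread does not say which request header the site's Vary field names.

```python
# Added illustration; requests and responses are constructed, not captured traffic.
# Freshness (max-age expiry) is not modelled: both requests fall inside the window.

def directives(resp_headers):
    raw = resp_headers.get("Cache-Control", "")
    return {d.strip().split("=")[0].lower() for d in raw.split(",") if d.strip()}

def shared_cache_may_store(resp_headers):
    # RFC 2616 14.9.1: "private" responses MUST NOT be stored by a shared cache.
    return not ({"private", "no-store"} & directives(resp_headers))

def vary_names(resp_headers):
    return [h.strip().lower() for h in resp_headers.get("Vary", "").split(",") if h.strip()]

class SharedCache:
    def __init__(self, honour_vary):
        self.honour_vary = honour_vary
        self.entries = {}  # url -> list of (selecting request headers, body)

    def fetch(self, url, req_headers, origin):
        req = {k.lower(): v for k, v in req_headers.items()}
        for selected, body in self.entries.get(url, []):
            # RFC 2616 14.44: reuse only if every header named in Vary matches.
            if not self.honour_vary or all(req.get(h) == v for h, v in selected.items()):
                return body, "HIT"
        resp_headers, body = origin(url, req_headers)
        names = vary_names(resp_headers)
        if shared_cache_may_store(resp_headers) and "*" not in names:
            self.entries.setdefault(url, []).append(({h: req.get(h) for h in names}, body))
        return body, "MISS"

def origin(url, req_headers):
    # Hypothetical origin (assumption): the page body depends on the session cookie.
    user = req_headers.get("Cookie", "anonymous")
    return {"Cache-Control": "public, max-age=120", "Vary": "Cookie"}, f"page for {user}"

def demo(honour_vary):
    cache = SharedCache(honour_vary)
    first = cache.fetch("/users/current", {"Cookie": "session=alice"}, origin)
    second = cache.fetch("/users/current", {"Cookie": "session=bob"}, origin)
    return first, second

if __name__ == "__main__":
    print("ignores Vary:", demo(False))
    print("honours Vary:", demo(True))
```

With `honour_vary=False` the second requester gets a HIT carrying the first requester's page, which is the symptom described in the question; with `honour_vary=True` the same request is a MISS and goes to the origin.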

-3

It's more likely that you have a dynamic IP address and that stackoverflow uses that as a way to sign in. The fact that you are on the same ISP as the other user is a big clue in that.

While it is possible that the ISP is grabbing cookies, the amount of processing and storage required is not really worth the effort, especially if they are "snooping" on your stackoverflow sessions. Banking would be a different issue.

rawb

Posted 2012-05-02T19:51:10.737

Reputation: 33

If SO is using the IP address as a way to sign in, it's badly broken. I find it hard to imagine a reputable site would do anything that stupid. (Though, of course, if that was the cause, the ISP wouldn't be to blame at all.) – David Schwartz – 2012-05-02T20:04:18.003