Windows Vista Tips

Windows Vista Tips > Newsgroups > Internet Explorer > Do not save encrypted pages to disk

Reply
Thread Tools Display Modes

Do not save encrypted pages to disk

 
 
hdjur
Guest
Posts: n/a

 
      04-02-2007
I'm interested in details about option "Do not save encrypted pages to disk",
and disk cache in general.
IE supports several protocols for data gathering: http, https, ftp,
gopher,...
When retreived via https, data is decrypted in order to be displayed in
browser.
In that case, automatic cacheing mechanism saves ENCRYPTED pages into
special folder "Temporary Internet files", right? Is there a way to observe
encrypted pages in that cache, or only those that were not encrypted, or were
decrypted (if these are saved that way there at all)?
If pages are cached for performance reasons, wouldn't it be reasonable to
save them decrypted, in order to avoid decryption overhead? Security issue
for saving confidential data to disk exists in any case, unauthorized user
may use brute force method to decrypt files if he has unrestricted access to
them and is willing to do that.
And that's what observed option is used for, to avoid saving confidential
data to disk, if retreived over secure link? Is there the same policy for all
file types (extensions) regarding that matter?
What was the exact MS's intention, which IE behaviour to control with that
option?
It namely affects conscious, intended saving initiated by user too (using
option "Save Target As...", "Save As..."), it affects viewing the page
source, export of data etc. In version 7 it is regular behaviour that this
option has to be turned off to enable this actions, which by the way are used
to save or access DECRYPTED data, definetly. In lower versions, at least in
most of their updates, it is even not possible to save non html content (for
example xml) retreived via https, regardless of this option setting, because
of an obvious bug.
In MS knowledge base there is a workaround for this issue:
http://support.microsoft.com/kb/323308/en-us
which suggests that when there is "no cache" directive in http response
header, received over SSL, BypassSSLNoCacheCheck registry entry should be
added. Otherwise, "download is not possible". On the other hand, if the
original intention was to control automatic cache, if IE user is not aware of
that it is necessary to delete cache when downloading confidential data, will
he be aware of, or able, to check/set this option in IE on a public work
station, to protect himself from undesired file saving?
Are there any issues in version 7 with a disk cache? Sometimes I can't
delete temporary
files, sometimes when I delete them, nothing is saved anymore. I never
experienced such things
in version 6.
 
Reply With Quote
 
 
 
 
Dean Earley
Guest
Posts: n/a

 
      04-02-2007
hdjur wrote:
> I'm interested in details about option "Do not save encrypted pages
> to disk", and disk cache in general. IE supports several protocols
> for data gathering: http, https, ftp, gopher,... When retreived via
> https, data is decrypted in order to be displayed in browser. In that
> case, automatic cacheing mechanism saves ENCRYPTED pages into special
> folder "Temporary Internet files", right?


No, all files in this folder are unencrypted and in their native format.
The SSL/secure part is ONLY on the TCP connection to stop it being
viewed in the highly unlikely event of it being intercepted.
(It is still possible to decrypt in some situations and if you get the
entire conversation)

Setting that option means it doesn't cache them at all (Hence the view
source being disabled).

--
Dean Earley ()
i-Catcher Development Team

iCode Systems
 
Reply With Quote
 
 
 
 
hdjur
Guest
Posts: n/a

 
      04-03-2007
Thanks Dean for your answer. Any comments on Microsoft intentions with this
option? If I use "Save Target As..." it means I'm aware of saving to a local
disk, why would this setting prevent me from performing this deliberate
action, anyway?
If this is supposed to prevent automatic cacheing when downloading via SSL,
it shouldn't be possible to turn it off, for previously described reasons. Or
not? Would someone please shed some light on this?

"Dean Earley" wrote:

> hdjur wrote:
> > I'm interested in details about option "Do not save encrypted pages
> > to disk", and disk cache in general. IE supports several protocols
> > for data gathering: http, https, ftp, gopher,... When retreived via
> > https, data is decrypted in order to be displayed in browser. In that
> > case, automatic cacheing mechanism saves ENCRYPTED pages into special
> > folder "Temporary Internet files", right?

>
> No, all files in this folder are unencrypted and in their native format.
> The SSL/secure part is ONLY on the TCP connection to stop it being
> viewed in the highly unlikely event of it being intercepted.
> (It is still possible to decrypt in some situations and if you get the
> entire conversation)
>
> Setting that option means it doesn't cache them at all (Hence the view
> source being disabled).
>
> --
> Dean Earley ()
> i-Catcher Development Team
>
> iCode Systems
>

 
Reply With Quote
 
Dean Earley
Guest
Posts: n/a

 
      04-04-2007
The ONLY option it disables for me is "View source".
Save target as, Save picture as, etc are all enabled and working fine.

This option ONLY effects whether it saves it in the cache.

hdjur wrote:
> Thanks Dean for your answer. Any comments on Microsoft intentions with this
> option? If I use "Save Target As..." it means I'm aware of saving to a local
> disk, why would this setting prevent me from performing this deliberate
> action, anyway?
> If this is supposed to prevent automatic cacheing when downloading via SSL,
> it shouldn't be possible to turn it off, for previously described reasons. Or
> not? Would someone please shed some light on this?
>
> "Dean Earley" wrote:
>
>> hdjur wrote:
>>> I'm interested in details about option "Do not save encrypted pages
>>> to disk", and disk cache in general. IE supports several protocols
>>> for data gathering: http, https, ftp, gopher,... When retreived via
>>> https, data is decrypted in order to be displayed in browser. In that
>>> case, automatic cacheing mechanism saves ENCRYPTED pages into special
>>> folder "Temporary Internet files", right?

>> No, all files in this folder are unencrypted and in their native format.
>> The SSL/secure part is ONLY on the TCP connection to stop it being
>> viewed in the highly unlikely event of it being intercepted.
>> (It is still possible to decrypt in some situations and if you get the
>> entire conversation)
>>
>> Setting that option means it doesn't cache them at all (Hence the view
>> source being disabled).

 
Reply With Quote
 
hdjur
Guest
Posts: n/a

 
      04-19-2007
Did you try to save non html content (for example xml) retreived via https?
Because, as you can see, I didn't say saving html is not possible.

"Dean Earley" wrote:

> The ONLY option it disables for me is "View source".
> Save target as, Save picture as, etc are all enabled and working fine.
>
> This option ONLY effects whether it saves it in the cache.
>
> hdjur wrote:
> > Thanks Dean for your answer. Any comments on Microsoft intentions with this
> > option? If I use "Save Target As..." it means I'm aware of saving to a local
> > disk, why would this setting prevent me from performing this deliberate
> > action, anyway?
> > If this is supposed to prevent automatic cacheing when downloading via SSL,
> > it shouldn't be possible to turn it off, for previously described reasons. Or
> > not? Would someone please shed some light on this?
> >
> > "Dean Earley" wrote:
> >
> >> hdjur wrote:
> >>> I'm interested in details about option "Do not save encrypted pages
> >>> to disk", and disk cache in general. IE supports several protocols
> >>> for data gathering: http, https, ftp, gopher,... When retreived via
> >>> https, data is decrypted in order to be displayed in browser. In that
> >>> case, automatic cacheing mechanism saves ENCRYPTED pages into special
> >>> folder "Temporary Internet files", right?
> >> No, all files in this folder are unencrypted and in their native format.
> >> The SSL/secure part is ONLY on the TCP connection to stop it being
> >> viewed in the highly unlikely event of it being intercepted.
> >> (It is still possible to decrypt in some situations and if you get the
> >> entire conversation)
> >>
> >> Setting that option means it doesn't cache them at all (Hence the view
> >> source being disabled).

>

 
Reply With Quote
 
hdjur
Guest
Posts: n/a

 
      04-19-2007
More accurate is to say that using "Save as ..." works for html but not for
xml,
and "Save Target as ..." does not work for both content types - it reports
this message:

"The file could not be written to the cache."

"Save as ..." does not complain about anything, it just doesn't save the
file to the intended destination folder in case of xml.

"hdjur" wrote:

> Did you try to save non html content (for example xml) retreived via https?
> Because, as you can see, I didn't say saving html is not possible.
>
> "Dean Earley" wrote:
>
> > The ONLY option it disables for me is "View source".
> > Save target as, Save picture as, etc are all enabled and working fine.
> >
> > This option ONLY effects whether it saves it in the cache.
> >
> > hdjur wrote:
> > > Thanks Dean for your answer. Any comments on Microsoft intentions with this
> > > option? If I use "Save Target As..." it means I'm aware of saving to a local
> > > disk, why would this setting prevent me from performing this deliberate
> > > action, anyway?
> > > If this is supposed to prevent automatic cacheing when downloading via SSL,
> > > it shouldn't be possible to turn it off, for previously described reasons. Or
> > > not? Would someone please shed some light on this?
> > >
> > > "Dean Earley" wrote:
> > >
> > >> hdjur wrote:
> > >>> I'm interested in details about option "Do not save encrypted pages
> > >>> to disk", and disk cache in general. IE supports several protocols
> > >>> for data gathering: http, https, ftp, gopher,... When retreived via
> > >>> https, data is decrypted in order to be displayed in browser. In that
> > >>> case, automatic cacheing mechanism saves ENCRYPTED pages into special
> > >>> folder "Temporary Internet files", right?
> > >> No, all files in this folder are unencrypted and in their native format.
> > >> The SSL/secure part is ONLY on the TCP connection to stop it being
> > >> viewed in the highly unlikely event of it being intercepted.
> > >> (It is still possible to decrypt in some situations and if you get the
> > >> entire conversation)
> > >>
> > >> Setting that option means it doesn't cache them at all (Hence the view
> > >> source being disabled).

> >

 
Reply With Quote
 
 
 
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
OT: Beware/Do not trust "Do not save encrypted pages to disk" setting. Allan Internet Explorer 0 05-13-2008 12:59 AM
"Save As..." in IE7 sometimes does not save web pages Greg Internet Explorer 1 07-13-2007 12:18 AM
"Do not save encrypted pages to disk" option and GET / POST reques tom kmec Internet Explorer 0 05-21-2007 10:43 AM
Backing up Bitlocker Encrypted Drive Equals Not Encrypted markbyrn Windows Vista Security 4 03-19-2007 02:33 AM
encrypted pages 2h4y Windows Vista Networking 0 02-26-2007 11:47 PM