Web browsers store a history of URLs that the user has visited during any given browsing session. Once a user quits the browser, the history remains and can be examined by any future user of the PC. URLs from a corporate intranet may contain information that is of interest to attackers. This information may include the names of internal servers, the names of directories and folders on those servers and the names of individual pages. Leaving such information on an unprotected public PC in an Internet cafe should be regarded as a security risk. (Figure 4)
The AwayWEB system uses 'URL encryption' to eliminate this risk. As the awayWEB system performs the HAT function (section 1), it encrypts the URL into a meaningless string before it is sent to the client browser. This string is meaningless to all but the originating awayWEB system, where it is used to recover the original intranet URL.
Each entry in the 'history' of a browser normally records not only the URL of a page, but also the '<TITLE>' element assigned to the page. The list of page titles is in itself a valuable source of corporate information. Commonly, titles will include the names of documents viewed, the subjects of emails or the results of data entry on an internal system.
AwayWEB is configured to remove the <TITLE> elements from each page as content goes through the HAT process. The result is that the browser history no longer records the title of each page. When combined with the URL encryption feature, the history shows only scrambled URLs and blank page titles. (Figure 5)
Browser clients make heavy use of local caching of HTML, images and other content to improve the speed of Internet browsing. This is desirable for general Internet browsing, but it represents a privacy risk to confidential corporate information. Intranet documents that are stored in the cache of the browser are written to the hard disk of the client machine and remain accessible once the user has logged out. These files remain accessible to any subsequent user of the PC, for an indefinite period of time.
Web applications have the ability to instruct the client browser that particular content is not to be stored in the cache. Each application must be specifically written or modified to send the appropriate control information. Often it is difficult or impossible to configure this feature for static content (such as plain HTML pages and images).
The awayWEB system can add the required Cache Control information to all content as it passes through the system. This Cache Control information instructs the browser to not cache content on the local hard disk. This reduces the risk of disclosure once the user session is completed.
Preventing caching of all content could have adverse effects on web site performance, especially if the site is designed with a graphical interface or utilises a large number of icons, bullets or other images for decoration. In order to minimise the performance impact, the awayWEB system can be configured to allow or deny caching of images based upon their file size. For example, small images of less than 2k could be cached, as they are probably buttons and icons, whereas large images of more than 2k are probably important diagrams, charts or photographs, and should therefore not be cached.
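The following is an added illustration of the two controls described above (TITLE removal and size-based Cache-Control injection) as a proxy might apply them to one response; it is not awayWEB's own code, and the exact header values and the 2048-byte threshold are assumptions chosen to match the text.

```python
import re

# Constructed example of the proxy-side caching policy described in the text:
# every response gets headers that forbid the browser from storing it on disk,
# except images small enough to be treated as decorative buttons and icons.
NO_STORE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
}

# Matches a <TITLE>...</TITLE> element regardless of case or line breaks.
TITLE_RE = re.compile(r"<title\b[^>]*>.*?</title\s*>", re.IGNORECASE | re.DOTALL)


def cache_headers(content_type: str, body: bytes, threshold: int = 2048) -> dict:
    """Return the headers the proxy should add for this response.

    Images smaller than `threshold` bytes (assumed 2k, as in the text) are left
    cacheable and get no extra headers; everything else, including large images
    and all HTML, gets the no-store headers so nothing is written to disk.
    """
    media_type = content_type.lower().split(";")[0].strip()
    if media_type.startswith("image/") and len(body) < threshold:
        return {}
    return dict(NO_STORE_HEADERS)


def strip_title(html: str) -> str:
    """Remove <TITLE> elements so the browser history records a blank title."""
    return TITLE_RE.sub("", html)


def rewrite_response(content_type: str, body: bytes, headers: dict) -> tuple:
    """Apply both controls to one proxied response: add headers, and for HTML
    also rewrite the body. Returns (headers, body)."""
    out_headers = dict(headers)
    out_headers.update(cache_headers(content_type, body))
    if content_type.lower().startswith("text/html"):
        body = strip_title(body.decode("utf-8", "replace")).encode("utf-8")
    return out_headers, body
```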