Isn't this splitting hairs? If Valve screwed up by misconfiguring Varnish so that it cached account pages when it shouldn't have been, that's still a "caching issue." No one's saying that "caching issue" means Valve is somehow off the hook or that Akamai/Varnish/etc. are somehow at fault.
Then let me explain again:
I don't believe it was a caching issue at all. This isn't how caches work, and you don't just "misconfigure" one to act this way. There's still the very basic matter of how servers work. For instance, despite hundreds if not thousands of IP addresses connecting to a server, you notice how you don't, oh I dunno, get randomly redirected to a page that someone else was viewing or to their account page? I mean, I understand today's events contradict that, but stay with me.
The reason why is because each server since the 80s knows how to keep a session and not randomly pass the results of requests from IP A to the user at IP B. This is incredibly basic stuff and has almost nothing to do with how a CDN or caching service works on a web server. The cache doesn't say "oh, the user at IP A loaded up their account, but I guess I'll just randomly give that same data to the user at IP B because [handwave] a "caching misconfiguration" was to blame."
Now, if someone with knowledge of web servers would like to correct me, I could certainly be wrong. I only know so much, and maybe it was a caching issue?
Well, then we're still in a pickle even if it's actually a caching issue. See, I've worked with Akamai (a CDN) and Varnish (a software cache) and I've never seen either of them haphazardly misconfigured to the point of a customer data breach. Ever. Usually they will simply fail to serve content and then the web page will show as "down". Or, if a portion of the content is on a CDN (which is how CDNs are usually used) then that content will fail to show up. This would result in -- for example -- your website loading but certain images not loading on the page.
So, if this was due to "caching" it can mean two things, both of them bad and both of them are Steam's fault:
One possibility is that Steam was storing unencrypted session data or account data on their CDN and/or through Varnish. This is pretty much unnecessary. Customer info is stored in a database, not as a large flat file like an image. There's no performance-based reason to store 20kb (yes, kilobyte) snippets of data in a cache, and especially not in an external CDN.
You'd actually want to use caching with the database engine. I don't know if they're using MariaDB or MySQL (Linux side) or MSSQL (Windows) but all of these offer caching options specifically aimed at speeding up database queries. No amount of misconfiguration would cause a query result to get passed to another IP.
If it really is caching, it means that Valve is running one of the least-secure storefronts on the Internet. They'd have to fuck their server configurations so bad and have such terrible website code to allow for something like this to happen.
Or it's a hack.
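Added example, not part of the post above or of any vendor's code: a constructed Python model of the mechanism this thread is arguing about. A shared HTTP cache looks responses up by a cache key, which is normally the URL rather than the client IP or session cookie, so what a second user receives depends on whether the cache honours the origin's `Cache-Control` on per-user pages; the `origin`, `SharedCache` and `replay` names and the `honor_cache_control` switch are assumptions for illustration.

```python
# Constructed model of a shared cache in front of an origin (illustrative only).
from dataclasses import dataclass, field

@dataclass
class Response:
    body: str
    headers: dict

def origin(path, cookies):
    """Hypothetical origin: /account is per-user, /static/logo.png is public."""
    if path == "/account":
        user = cookies.get("session", "anonymous")
        return Response(f"account page for {user}",
                        {"Cache-Control": "private, no-store"})
    return Response("logo bytes", {"Cache-Control": "public, max-age=3600"})

@dataclass
class SharedCache:
    honor_cache_control: bool  # False models a "cache everything" override
    store: dict = field(default_factory=dict)

    def cacheable(self, resp):
        if not self.honor_cache_control:
            return True
        cc = resp.headers.get("Cache-Control", "").lower()
        directives = {d.strip().split("=")[0] for d in cc.split(",")}
        if directives & {"private", "no-store", "no-cache"}:
            return False  # per-user content must not enter a shared cache
        return "Set-Cookie" not in resp.headers and "public" in directives

    def fetch(self, path, cookies):
        key = path  # URL only: client IP and cookies are not part of the key
        if key in self.store:
            return self.store[key].body, "HIT"
        resp = origin(path, cookies)
        if self.cacheable(resp):
            self.store[key] = resp
        return resp.body, "MISS"

def replay(cache):
    """User alice, then user bob, request the same URLs through one cache."""
    a = cache.fetch("/account", {"session": "alice"})
    b = cache.fetch("/account", {"session": "bob"})
    logo = [cache.fetch("/static/logo.png", {})[1] for _ in range(2)]
    return a, b, logo

if __name__ == "__main__":
    for honor in (False, True):
        print("honor_cache_control =", honor, replay(SharedCache(honor)))
```

In the model, static content is cached in both modes; only the handling of the `private`/`no-store` response differs, which is the setting to audit on any cache tier that sits in front of authenticated pages.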