Conversation:
Notices
-
It's more about being aware that things change. And combined with, say, comparing version numbers (jquery version x.y.z shouldn't change hash, and x.y.z++ would be trusted on first use).
-
That means googleapis.com or whatever can't silently deliver me different files if they get hacked or MITM'ed (and I assume I trust the URLs linked on the site I visit via NoScript interaction).
-
In this case I'm not the one applying updates. All the CDN based script embeddings are made with version numbers in the URL. The attack vector is an evil server that will serve different files depending on referrer/client/randomness.
-
@zoowar Idea is: 1. I visit random .se website that doesn't think they need a CDN. They embed a third party link to http://status.hackerposse.com/url/11954 for jquery-v1.3.37.js 2. http://status.hackerposse.com/url/11954 is backdoored by whateveragency or malicious third party hacker that manipulated their way to a Verisign *.com certificate and can MITM me at the Tor …
-
@zoowar That is, most sites I visit which incorporate third party .js links will likely not be targeted by malicious hackers - but instead they can target the googleapis.com domain etc. and deliver a payload through there.
-
@zoowar It'd be fun to implement something that, with a plugin that tracks content hash sums, can interpret and prioritise hashsrc="sha256:1234...cdef"
-
@zoowar because I didn't know about it, thanks!
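As an added example that is not part of this conversation: a small Python sketch of the hash-tracking plugin idea discussed above, combining the version-number trust-on-first-use rule with an explicit hashsrc="sha256:..." check. The URL shapes, the in-memory registry and the script bodies are constructed assumptions, not anything from the posts.

```python
import hashlib
import hmac
import re
from typing import Dict, Optional, Tuple

# Constructed registry of (library, version) -> "sha256:<hex>", as a
# hash-tracking plugin might persist it. Entries are learned on first use.
Registry = Dict[Tuple[str, str], str]

# Hypothetical CDN URL shapes: ".../jquery-1.3.37.js" or ".../jquery/1.3.37/jquery.min.js".
# Simplification: the last "name<-|/>digits.digits" pair is taken as library and version.
_VERSION_RE = re.compile(r"(?P<lib>[a-z][a-z0-9]*)[-/](?P<ver>\d+(?:\.\d+)+)")

def parse_library(url: str) -> Optional[Tuple[str, str]]:
    """Return (library, version) from a URL that embeds a version number, else None."""
    m = _VERSION_RE.search(url.lower())
    return (m.group("lib"), m.group("ver")) if m else None

def content_hash(body: bytes) -> str:
    """The 'sha256:<hex>' form proposed for a hashsrc attribute.
    (Standard SRI's integrity attribute uses 'sha256-<base64>' instead.)"""
    return "sha256:" + hashlib.sha256(body).hexdigest()

def check_script(url: str, body: bytes, registry: Registry) -> str:
    """Decide whether a fetched script may run.

    'trusted'     - version seen before and the content hash is unchanged
    'tofu'        - version never seen: record its hash (trust on first use)
    'mismatch'    - same version, different content: the silent swap to refuse
    'unversioned' - no version in the URL, so there is nothing to pin against
    """
    key = parse_library(url)
    if key is None:
        return "unversioned"
    digest = content_hash(body)
    known = registry.get(key)
    if known is None:
        registry[key] = digest
        return "tofu"
    # Keep the previously recorded hash on mismatch; do not overwrite it.
    return "trusted" if known == digest else "mismatch"

def matches_hashsrc(body: bytes, hashsrc: str) -> bool:
    """Check a fetched body against an explicit hashsrc="sha256:<hex>" set by the embedding page."""
    algo, _, expected = hashsrc.partition(":")
    if algo != "sha256" or not expected:
        return False
    return hmac.compare_digest(hashlib.sha256(body).hexdigest(), expected.lower())
```

The registry decision only covers URLs that carry a version; for a bare `latest.js` style link the plugin has nothing to compare against, which is exactly the case a hashsrc attribute would close.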