The reason it is powerful is not this particular attack. It's a demonstration that they are willing and able to inject malicious responses to any request going to a Chinese resource (web site, analytics service, ads, etc.). Imagine if instead of returning some DoS javascript they deliver a payload to silently exploit a vulnerability in your browser/OS (and they are surely capable of finding or purchasing those) to do whatever they want with it:
- Add it to a botnet
- Steal your personal data
- Infiltrate your corporate network
- Wipe your system (punishment for those accessing or producing GFW circumvention software)
Are you confident your browser never makes HTTP requests to Chinese servers? Are there tools we can install to prevent it?
[EDIT: It looks like two separate HN stories got merged, and the comments along with them. Didn't know that could happen, but this comment now appears twice here.]
Forgive my ignorance, if anyone knows of an initiative that does what I am about to suggest... It's an idea off the top of my head, without too much thought: Is it about time we start to sign our javascript so that browsers will only execute the JS if it can verify the signature? I know, there are so many drawbacks, especially for those of us who are developers, but I'd value security on the Internet over the additional development overheads.
It crops up occasionally, the issue has always been the effort of client support, and that it only anchors the validity to that of the document referencing the javascript (or whatever).
These days there's an active spec underway for "Subresource Integrity" at w3: http://www.w3.org/TR/SRI/, which is pretty much exactly that, so hopefully it'll happen eventually.
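What SRI actually buys a site against the injection scenario described earlier in the thread, as an added example (not code from the thread or the W3C spec; the script bodies and URL are constructed placeholders): the author computes an `integrity` token for the script they published, and a browser-style check refuses any substituted response whose digest does not match.

```python
"""Added example: generating and verifying Subresource Integrity (SRI) metadata."""
import base64
import hashlib

# Constructed sample: the script the site author actually published.
ORIGINAL_JS = b"window.analytics = function () { /* legitimate tracker */ };\n"
# Constructed sample: an inert stand-in for a substituted response.
INJECTED_JS = b"alert('injected');\n"

# Algorithms SRI supports, weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

def sri_digest(body: bytes, algorithm: str = "sha384") -> str:
    """Return one integrity token, e.g. 'sha384-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"

def script_tag(src: str, body: bytes) -> str:
    """HTML the author publishes; crossorigin is needed for cross-origin SRI."""
    return (f'<script src="{src}" integrity="{sri_digest(body)}" '
            'crossorigin="anonymous"></script>')

def integrity_check(integrity_attr: str, fetched_body: bytes) -> bool:
    """Mimic the browser: parse the attribute, keep only tokens of the strongest
    supported algorithm, and accept the body if any of those digests match."""
    tokens = []
    for token in integrity_attr.split():
        algorithm, _, expected = token.partition("-")
        expected = expected.split("?", 1)[0]  # drop any '?options' suffix
        if algorithm in SRI_ALGORITHMS and expected:
            tokens.append((algorithm, expected))
    if not tokens:
        return True  # no usable metadata: resource loads unchecked
    strongest = max(tokens, key=lambda t: SRI_ALGORITHMS.index(t[0]))[0]
    actual = sri_digest(fetched_body, strongest).split("-", 1)[1]
    return any(expected == actual for alg, expected in tokens if alg == strongest)

if __name__ == "__main__":
    print(script_tag("https://cdn.example.invalid/analytics.js", ORIGINAL_JS))
    attr = sri_digest(ORIGINAL_JS)
    print("original accepted:", integrity_check(attr, ORIGINAL_JS))
    print("substituted accepted:", integrity_check(attr, INJECTED_JS))
```

The check still only covers resources the page itself pins; a script the page never referenced with an `integrity` attribute, or a token the injected page rewrites along with the HTML, is not protected.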