bootstrapcdn needed?

Postby notareal » Sun Dec 08, 2013 9:18 am

Is using bootstrapcdn really needed? Just a reminder of what may happen... this kind of solution does open up a risk of an injection attack.

A postmortem of the exploit can be found in the following links. Warning: some antivirus software may go ballistic.
https://github.com/MaxCDN/bootstrap-cdn/issues/128
http://blog.maxcdn.com/bootstrapcdn-security-post-mortem/
0
Last edited by notareal on Mon Dec 09, 2013 3:12 pm, edited 2 times in total.
Welcome to try Thea Render, Thea support | kerkythea.net -team member

notareal 
Thea Render Support
 

Re: bootstrapcdn needed?

Postby Frederik » Sun Dec 08, 2013 9:59 am

As soon as I click that link, Notareal, my AVG goes nuts... :shock:

@Mods: Please remove that link...!!
0
Cheers
Kim Frederik
Frederik 
Thea Render Support
 

Re: bootstrapcdn needed?

Postby Gábor » Sun Dec 08, 2013 11:22 am

SketchUcation uses BootstrapCDN to serve the font icons used on the site. Using a CDN instead of loading the server with serving this font file means less server load and therefore faster page loads.

This is the first time I have heard about this CDN being used for an attack. As I see in the quoted article, after the incident the operator of the CDN increased security, so the probability of such cases is reduced now.

However, if members of the SketchUcation community feel more comfortable not using bootstrapcdn, we can serve those files from the SketchUcation server without any use of bootstrapcdn.

To find out: please vote thumbs-up on this post if you would feel more comfortable if we served the files from our own server. Please vote thumbs-down if you are satisfied with the current setup. If the overall result is 10 or more, we'll get rid of bootstrapcdn on the SketchUcation site.
-1

Gábor 
 

Re: bootstrapcdn needed?

Postby Gábor » Sun Dec 08, 2013 8:13 pm

Looking at the voting results as of now, we will continue to utilize the CDN.
0

Gábor 
 

Re: bootstrapcdn needed?

Postby notareal » Mon Dec 09, 2013 3:11 pm

Call me paranoid... but I prefer not to use this kind of 3rd-party loading. I've never had any serious slowdown issues with sketchucation. Anyhow, you are informed about the risk.

Frederik, it's a link to the postmortem of the exploit, so I have to assume some antivirus software may go ballistic. I'll add a warning.
0
Welcome to try Thea Render, Thea support | kerkythea.net -team member

notareal 
Thea Render Support
 

Re: bootstrapcdn needed?

Postby notareal » Sat Jan 18, 2014 2:43 pm

Just a heads-up: there is a "Surf with caution" rating on bootstrapcdn.com at http://www.avgthreatlabs.com/website-sa ... rapcdn.com

I have to ask again: is it really necessary to use so many 3rd-party scripts on sketchucation? The site is in the top 5 tech sites I use, but I really wish the site itself were built so that there are fewer opportunities for cross-site scripting attacks.

About the voting in an earlier post: I don't think this is a matter of voting (for a website it is a question of how important the site owner considers security in relation to its customers), as it's so easy to cast a vote based just on a feeling. But as I warned in the opening post, there have been security issues with bootstrapcdn.com, and now a month later the site is rated "Surf with caution". For me it stays blocked by NoScript...

There are also 3rd-party scripts from metacdn.com that luckily seem to have a better safety record, but blocking those scripts will break the forum... so I am now in a situation where I need to consider whether sketchucation is more important to me than the security I tend to keep when surfing the web. No judgement yet... but the last months' track record is not good in that area of the site.
0
Welcome to try Thea Render, Thea support | kerkythea.net -team member

notareal 
Thea Render Support
 
