Public JavaScript CDNs are useless and dangerous
Reliance on public CDNs is problematic due to security, privacy, and reliability issues. Self-hosting dependencies and private caching CDNs are recommended to enhance control and performance while mitigating risks.
Read original article
the reliance on public CDNs has become increasingly problematic due to security, privacy, and reliability issues. Initially, public CDNs were favored for their ability to improve load times and reduce bandwidth costs through shared caching. However, recent changes in web standards, such as cache partitioning and the adoption of HTTP/2, have diminished these benefits. Security vulnerabilities in major CDNs pose significant risks, as they can allow attackers to inject malicious code into widely used libraries. Privacy concerns arise from the data leakage associated with third-party resource requests, which can expose user activity to CDN providers. Additionally, public CDNs can introduce reliability issues, as they are not guaranteed to be available, and their failure can lead to a complete breakdown of dependent applications. The article advocates for self-hosting dependencies and utilizing a private caching CDN to maintain control over resources, enhance performance, and mitigate risks. This approach allows developers to avoid the pitfalls of public CDNs while still benefiting from caching and content distribution. Subresource Integrity (SRI) is mentioned as a partial solution, but it does not fully address the risks associated with public CDNs.
- Public CDNs have lost their performance advantages due to modern web standards.
- Security vulnerabilities in CDNs can lead to significant risks for web applications.
- Privacy concerns arise from third-party resource requests leaking user data.
- Self-hosting dependencies and using private caching CDNs is recommended for better control and performance.
- Subresource Integrity (SRI) offers limited protection against CDN vulnerabilities.
Related
Cloudflare automatically fixes Polyfill.io for free sites
Cloudflare replaces polyfill.io links with their mirror under cdnjs to enhance Internet safety, addressing concerns of malicious code injection. Users urged to switch to Cloudflare's mirror for improved security.
Over 100K+ Sites Hit by Polyfill.io Supply Chain Attack
A supply chain attack on Polyfill.io affected 100,000+ websites, redirecting mobile users to a betting site. Security measures like link rewriting and integrity checks are advised to mitigate risks in web development.
Identity: Self-Hosted or in the Cloud?
Authentik Security introduces open-source Identity Provider, favoring self-hosted solutions for enhanced control and pricing predictability. Shift to self-hosting challenges SaaS dominance, offering comparable reliability and security with improved manageability. Companies prioritize data privacy and flexibility, reflecting nuanced evaluation of needs.
Self Hosting 101 – A Beginner's Guide
Self-hosting involves running personal servers for control over data and services. It suits privacy-conscious individuals, tech enthusiasts, small businesses, educators, and cost-conscious users. Benefits include independence, customization, and savings. Challenges include technical complexity and security risks.
Privacy and DNS Client Subnet
The Internet's architecture has evolved with CDNs like Cloudflare's 1.1.1.1 using anycast efficiently. DNS Steering and Client Subnet raise privacy concerns but aim to optimize performance globally.
8 commentsI know this is not how most sites operate these days, but consider that your visitor wants to visit you and getting your website. Whenever you embed stuff from other servers you not only gift away your user-data and breach their trust, you just doubled your attack surface and lowered the reliability of your site. And for what exactly?
My suspicion is that developers find it easier to paste a CDN include than downloading the file and including it themselves. Because performance my ass.
That's a bit like that cookie notice thing. Guess what: if you don't collect personal data and store it on your users computer, you don't need to ask them for consent and suddenly your site looks a lot cleaner and needs to deliver less data.
When the CDN was slow, every user noticed and thought your website was slow.
You gave away free analytics and made your website worse, there wasn't even a trade off.
Supply chain attacks will cause catastrophic damages and massive internet problems one day, as they have. DDoS/outages to the cdn js/resource suppliers and websites come to a standstill. why not host your own .js files? lazy upkeep?
I don't have a solutions for it all, but better to think about solutions now than when solutions are needed because a massive hack happened at some point.
Still, I see the allure of having someone else cdn for you. They have a significantly better serving system than many of us, and it's traffic we don't have to serve.
A naive usage of cdn will have both information-leak problems and expose a security issue, as described in the article. But.
You can basically eliminate the information-leak problem by using a restrictive referrerPolicy (which can be set on fetch or a <script> tag). This will quite effectively blind the cdn to where specifically the traffic is coming from.
You can eliminate the security risk by specifying a subresource-intergrity for your assets. This will prevent the CDN from modifying the file from what you expect.
One security flaw and thousands are affected.
Maybe back to on prem would be better.
Related
Cloudflare automatically fixes Polyfill.io for free sites
Cloudflare replaces polyfill.io links with their mirror under cdnjs to enhance Internet safety, addressing concerns of malicious code injection. Users urged to switch to Cloudflare's mirror for improved security.
Over 100K+ Sites Hit by Polyfill.io Supply Chain Attack
A supply chain attack on Polyfill.io affected 100,000+ websites, redirecting mobile users to a betting site. Security measures like link rewriting and integrity checks are advised to mitigate risks in web development.
Identity: Self-Hosted or in the Cloud?
Authentik Security introduces open-source Identity Provider, favoring self-hosted solutions for enhanced control and pricing predictability. Shift to self-hosting challenges SaaS dominance, offering comparable reliability and security with improved manageability. Companies prioritize data privacy and flexibility, reflecting nuanced evaluation of needs.
Self Hosting 101 – A Beginner's Guide
Self-hosting involves running personal servers for control over data and services. It suits privacy-conscious individuals, tech enthusiasts, small businesses, educators, and cost-conscious users. Benefits include independence, customization, and savings. Challenges include technical complexity and security risks.
Privacy and DNS Client Subnet
The Internet's architecture has evolved with CDNs like Cloudflare's 1.1.1.1 using anycast efficiently. DNS Steering and Client Subnet raise privacy concerns but aim to optimize performance globally.