Security issues: why you shouldn’t load JavaScript via SSL from a third-party CDN?

Imagine you have an online store that offers brand new gadgets, and users provide their credit card numbers to make purchases. You put their security and privacy on a pedestal, apply SSL to all traffic, and spend stacks of money to have your SSL certificate signed by one of the most well-trusted certificate authorities. Users can be sure that they communicate with your website, not some other website pretending to be your company.

To create the infrastructure you use FooLib, an open source JavaScript library. It’s a great solution provided by FooCo, a giant in the sphere of Net technologies. The enterprise even offers hosted versions of FooLib on its strikingly quick content delivery network (CDN), so anyone can load the library from FooCo’s servers instead of hosting it themselves.

Since browsers show a warning when a page mixes HTTP and HTTPS content, you prefer serving FooLib over SSL. No one wants to put visitors off with annoying and dreadful security warnings. Good news: FooCo’s CDN works with SSL, so your visitors don’t have to look at these nagging security warnings anymore.

Now comes the bad news: you’re not being totally sincere with your users, and your super-pricey SSL certificate bought from the most recommended company is almost worthless. Why so? Because now FooCo can execute any JavaScript on your website. Yes, your JavaScript is transferred securely over SSL, and the browser doesn’t display any warnings, but users also communicate with FooCo, which runs JavaScript on your website. It means that FooCo has access to any information that users enter and read on your pages.

FooCo is not to blame: all in all, it’s a solid and trustworthy company that would never steal clients’ credit card numbers. They provide excellent services to the community wholeheartedly, without pursuing unfair goals. However, you still deceive your end users. The presence of an SSL certificate is meant to signal that the visitor is safe, and that nobody else can decrypt the communications.

But when you load FooLib from FooCo’s CDN you unintentionally invite a third party, FooCo. It has its own certificate, also signed by a reliable certificate authority, but your users don’t want to share their information with anyone else – it should be available only to your website. By inviting FooCo into the interaction without warning visitors about it, you break the contract that was implied by your site’s SSL certificate. The user is soothed by the lock icon in the URL bar, but it’s a lie.

Of course, you stay innocent till proven guilty. If the information your users provide is not compromised, no one minds. But you’re not indemnified against the loss of data and other accidents. If your customers and users are important to you, don’t load JavaScript from third-party CDN services, even if they support SSL certificates granted by the most well-established companies.
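One way to check your own pages for the situation described above, as an added example that is not part of the original article: a Node.js function that lists every `<script src>` loaded from an origin other than the page's own. The hostnames `shop.example` and `cdn.fooco.example`, the file paths and the function name `findThirdPartyScripts` are assumptions made for illustration, and the regex tag scan is a simplification rather than a full HTML parser (it also sees tags inside HTML comments).

```javascript
// Added example: report <script src> tags that pull code from another origin.
// A script from another origin runs with full access to the page, as the
// article explains for FooCo's CDN.
const SCRIPT_TAG = /<script\b([^>]*)>/gi;
// Require start-of-string or whitespace before "src" so data-src is ignored.
const SRC_ATTR = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;

function findThirdPartyScripts(pageUrl, html) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const match of html.matchAll(SCRIPT_TAG)) {
    const attr = SRC_ATTR.exec(match[1]);
    if (!attr) continue; // inline script: delivered with the page itself
    const raw = attr[1] ?? attr[2] ?? attr[3];
    let resolved;
    try {
      // Resolves relative and protocol-relative (//host/path) URLs
      // against the page URL, the way a browser does.
      resolved = new URL(raw, page.href);
    } catch {
      findings.push({ src: raw, origin: null, reason: "unparseable src" });
      continue;
    }
    if (resolved.origin !== page.origin) {
      findings.push({ src: raw, origin: resolved.origin, reason: "third-party origin" });
    }
  }
  return findings;
}

// Constructed sample input (hypothetical store page and CDN hostnames).
const SAMPLE_PAGE_URL = "https://shop.example/checkout";
const SAMPLE_HTML = `
<html><head>
  <script src="/static/js/cart.js"></script>
  <script src="https://cdn.fooco.example/foolib/foolib.min.js"></script>
  <script src='//cdn.fooco.example/foolib/plugins.js' async></script>
  <script>window.cart = {};</script>
  <script src="https://shop.example/static/js/pay.js"></script>
</head><body></body></html>`;

for (const f of findThirdPartyScripts(SAMPLE_PAGE_URL, SAMPLE_HTML)) {
  console.log(`${f.reason}: ${f.src} -> ${f.origin}`);
}
```

Scripts that are added to the page at runtime by other scripts do not appear in the static HTML, so this check only covers tags present in the markup you feed it.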

To be clear, security is always a compromise. You have to sacrifice some convenience for security. Some websites would like to share their customers’ private information with third-party CDNs like FooCo, because it’s a more convenient option than hosting JavaScript locally. However, the decision is down to you.

Now imagine yourself in your user’s place and decide: would you accept the fact that your confidential information is made available to other companies without your consent? Even if it doesn’t cause harm, there’s always a minor risk of accidents.

Vadim Kolchev

Vadim graduated from Moscow Institute of Entrepreneurship and Law as a finance and credit specialist. Prior to working directly in the hosting business, he held various roles in several companies, including but not limited to the banking sphere and sports. As of 2015 he works for INXY Holding, with SpaceCDN being a vital part of the hosting branch of its business. A tech enthusiast, he started writing articles about dedicated servers, CDN, storage solutions and other hosting services long ago, and has since accumulated a lot of experience and knowledge in the field. Building hosting sales and support departments from scratch added even more experience and knowledge, and allowed him to see the business from the inside and build the required expertise. Now Vadim is CPO and COO of a successful hosting business. With several important interviews and publications on platforms such as Hosting Journalist and Forbes, he continues to share knowledge about this branch of technology, which has become not only his job but also a passion.