Bootstrapcdn needed?

Ideas Box & Board Issues. 6 posts, 3 posters, 7.8k views.
notareal (last edited by notareal 8 Dec 2013, 08:18)

    Is using bootstrapcdn really needed? Just a reminder of what may happen... this kind of solution does open the risk of an injection attack.

    A postmortem of the exploit can be found in the following. Warning: some antivir software may go ballistic.

    https://github.com/MaxCDN/bootstrap-cdn/issues/128
    http://blog.maxcdn.com/bootstrapcdn-security-post-mortem/

    Welcome to try [Thea Render](http://www.thearender.com/), Thea support | [kerkythea.net](http://www.kerkythea.net/) -team member

Frederik (last edited by 8 Dec 2013, 08:59)

      As soon as I click that link, Notareal, my AVG goes nuts... 😲

      @Mods: Please remove that link...!!

      Cheers
      Kim Frederik

Gábor (last edited by 8 Dec 2013, 10:22)

        SketchUcation uses BootstrapCDN to serve the font icons used on the site. Using a CDN instead of loading the server with serving this font file means less server load and therefore faster page load.

        This is the first time I have heard about this CDN being used for an attack. As I see in the quoted article, after the incident the operator of the CDN increased security, so the probability of such cases is reduced now.

        However, if members of the SketchUcation community feel more comfortable not using bootstrapcdn, we can serve those files from the SketchUcation server without any use of bootstrapcdn.

        To find out: please vote thumbs-up on this post if you would feel more comfortable if we served the files from our own server. Please vote thumbs-down if you are satisfied with the current setup. If the overall result is 10 or more, we'll get rid of bootstrapcdn at the SketchUcation site.

Gábor (last edited by 8 Dec 2013, 19:13)

          As I see the voting results as of now, we will continue to utilize the CDN.

notareal (last edited by 9 Dec 2013, 14:11)

            Call me paranoid... but I prefer not to use this kind of 3rd party loading. I've never had any serious slowdown issues with sketchucation. Anyhow, you are informed about the risk.

            Frederik, it's a link to the postmortem of the exploit, so I have to assume some antivir software may go ballistic. I'll add a warning.


notareal (last edited by 18 Jan 2014, 13:43)

              Just a heads up: "Surf with caution" rating on bootstrapcdn.com at http://www.avgthreatlabs.com/website-safety-reports/domain/bootstrapcdn.com

              Have to ask again: is it really needed to use so many 3rd party scripts with sketchucation? The site is in the top 5 tech sites I use, but I really wish that the site itself were built so that there are fewer options for cross-site scripting attacks.

              About the voting on an earlier post: I don't think this is a matter of voting (for a website it is a question of how important the site owner considers security in relation to its customers), as it's so easy to cast a vote just based on a feeling. But as I warned in the opening post, there have been security issues with bootstrapcdn.com, and now a month later the site is rated "Surf with caution". For me it stays blocked by NoScript...

              There are also 3rd party scripts from metacdn.com that luckily seem to have a better safety record, but blocking those scripts will break the forum... so I am now in a situation where I need to consider whether sketchucation is more important to me than the security I tend to keep when surfing the web. No judgement yet... but the track record for the last months is not good in that area of the site.

