undefined | Better HN

0 pointstorstenvl2mo ago0 comments

Completely agree. This is really unique. Can you imagine if it were standard practice to be open to supply chain attacks like that, by blindly relying on hotlinked or unpinned dependencies?

0 comments

7 comments · 1 top-level

trimethylpurine2mo ago· 6 in thread

Why imagine? Let's take a quick look at what's actually happening right now. We can check some widely used libraries and see what their instructions are teaching new developers.

Boostrap (code snippet from their quick start instructions): ``` <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Bootstrap demo</title> <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.8/dist/css/bootst..." rel="stylesheet" integrity="sha384-sRIl4kxILFvY47J16cr9ZwB07vP4J8+LH7qKQnuqkuIAvNWLzeN8tE5YBujZqJLB" crossorigin="anonymous"> </head>

Pay close attention, they are inviting the new developer to link not just to Bootstrap, but to Popper!

HTMX (code snippet from their quick start guide): ``` <script src="https://cdn.jsdelivr.net/npm/htmx.org@2.0.8/dist/htmx.min.js"></script>  <button hx-post="/clicked" hx-swap="outerHTML"> Click Me </button> ```

Fontawesome: A video quick start guide and instructions that recommends using the direct link to the kits via CDN for performance!

Look, I certainly don't think they should be used this way. But, to say that it's unique to the White House app? I definitely wouldn't say that. In fact, I think you've dangerously overestimated the status quo.

habinero2mo ago

They have not. CDNs are specifically meant for demo/non-critical usage, to make it easy for amateurs to try out the library.

You don't do this in any non-trivial system.

trimethylpurine2mo ago

According to FontAwesome you're wrong. Their instructions say that their CDN is the recommended way to use their kits.

So, it's nice that you don't do this. But there's nothing special about the White House app doing it. It's very common.

torstenvlOP2mo ago

I was being sarcastic. Although hot linking is not particularly common, it's common enough; and unpinned dependencies are just as much if not more of a supply chain attack risk.

I'd bet something like 70+% of all JS apps are inadequately protected against the risk of a malicious actor gaining access to a dependency's repo.

Pearlclutching over this while ignoring the lessons of `left-pad` and `colors` is biased motivated reasoning at best.

trimethylpurine2mo ago

Awesome. Now that I know you were being sarcastic it's hilarious. It's amazing how difficult it is to tell from text.

magackame2mo ago

Huh? But there are integrity checks (none in htmx case, which is strange), to prevent exactly this attack.

trimethylpurine2mo ago

I'm not sure I follow. How does an integrity check help when the source is compromised? The developer doesn't know that their repo is compromised. They continue posting legitimate hashes because the repo is legitimately compromised.

j / k navigate · click thread line to collapse

0 comments

7 comments · 1 top-level

trimethylpurine2mo ago· 6 in thread

Why imagine? Let's take a quick look at what's actually happening right now. We can check some widely used libraries and see what their instructions are teaching new developers.

Pay close attention, they are inviting the new developer to link not just to Bootstrap, but to Popper!

Fontawesome: A video quick start guide and instructions that recommends using the direct link to the kits via CDN for performance!

habinero2mo ago

They have not. CDNs are specifically meant for demo/non-critical usage, to make it easy for amateurs to try out the library.

You don't do this in any non-trivial system.

trimethylpurine2mo ago

According to FontAwesome you're wrong. Their instructions say that their CDN is the recommended way to use their kits.

So, it's nice that you don't do this. But there's nothing special about the White House app doing it. It's very common.

torstenvlOP2mo ago

I was being sarcastic. Although hot linking is not particularly common, it's common enough; and unpinned dependencies are just as much if not more of a supply chain attack risk.

I'd bet something like 70+% of all JS apps are inadequately protected against the risk of a malicious actor gaining access to a dependency's repo.

Pearlclutching over this while ignoring the lessons of `left-pad` and `colors` is biased motivated reasoning at best.

trimethylpurine2mo ago

Awesome. Now that I know you were being sarcastic it's hilarious. It's amazing how difficult it is to tell from text.

magackame2mo ago

Huh? But there are integrity checks (none in htmx case, which is strange), to prevent exactly this attack.

trimethylpurine2mo ago

j / k navigate · click thread line to collapse