CDN 交付 jQuery 的安全性如何?
我们构建的网站具有公共(非安全)区域和安全(通过 HTTPS 交付)区域,并且我们使用 jQuery 库。
最近我建议我们使用 Google CDN 进行 jQuery 交付。我的一些同事对这种交付 JavaScript 库的方式的安全性表示担忧。
例如,他们提到有人可能劫持 DNS 服务器,然后注入恶意修改的库,从而为不同的安全攻击打开了大门。 现在,如果黑客可以通过 Google CDN 注入恶意代码,那么如果网站本身提供 jQuery,他也可能会做同样的事情,对吗?
谷歌 CDN 似乎支持通过 SSL 提供库服务。
从 CDN 提供 jQuery 真的不如从服务器本身提供服务安全吗?这种威胁有多严重?
We build sites that have a public (non-secured) area and secured (delivered over HTTPS) area and we use jQuery library.
Recently I suggested we use Google CDN for jQuery delivery. Some of my colleagues expressed concerns in regards to security aspect of this way of delivering JavaScript libraries.
For example, they mention the scenario where someone might hijack DNS server and then inject maliciously modified library, opening the door for different security attacks.
Now, if hacker can inject malicious code through Google CDN, then he can probably do the same if jQuery is served from the site itself, right?
It seems that google CDN supports serving libraries over SSL.
Is serving jQuery from CDN really less secure then serving it from the server itself? How serious is this threat?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
降低风险的一种方法是对从 Google 获得的文件运行校验和,并将其与您已经拥有的已知良好的校验和进行比较。
在回答有关 Google 是否以任何方式更改这些文件的问题时,Google 员工 Ben Lisbakken建议将 Google 提供的文件的 MD5 校验和与从其维护者主页获取的同一文件的规范版本进行比较。请阅读链接网站上的评论八了解上下文。
如果您担心 DNS 劫持,那么从“原始”站点获取的文件当然也会出现同样的问题。您可能也不想因为在每个请求上对 jQuery 文件运行校验和而导致速度损失——除非您非常偏执。当然,这样做会消除使用 CDN 的所有优势。
但假设您只是有点偏执,您可以尝试这样的操作:
确保您引用的是来自 Google 的 jQuery 文件的唯一且特定的版本。例如,执行以下操作:
而不是这个:
后一个版本现在可能会返回 1.4.2,但明天会返回 1.4.3。如果您同时需要 http 和 https,则可以使用协议相关 URL,如下所示:
最初为此文件生成并存储您自己的校验和。
当然,您可以通过编程来完成此操作。您决定什么间隔才有意义。每分钟?每五个?您现在已经具备了自动终止开关的条件,您可以根据自己的喜好调整其灵敏度。 “监视”例程当然不必在您希望保护的应用程序中同步运行;也许您只是出于此目的在同一服务器上运行一个小型实用程序应用程序。
测试起来很容易:只需更改存储的哈希值即可。由于您引用的是特定文件版本,因此每次次要版本更新时都不会按下紧急按钮。当您确实想要迁移到新版本的 jQuery 时,请更改站点上的 AJAX API URL 并存储新的哈希值。
One way to mitigate the risk is to run a checksum against the file obtained from Google, and compare that to a known-good checksum already in your possession.
In response to a question about whether Google alters these files in any way, Google employee Ben Lisbakken suggested comparing MD5 checksums of a file provided by Google to the canonical version of that same file as obtained from its maintainers' home site. Read comment eight on the linked site for context.
If you're concerned about DNS hijacking, then of course the same concerns would apply to the file as obtained from the "original" site. You also probably don't want to incur the speed penalty of running a checksum against the jQuery file on every request -- unless you're incredibly paranoid. And of course, doing so would remove all advantages of using a CDN.
But assuming you're only somewhat paranoid, you could try something like this:
Make sure you're referencing a unique and specific version of the jQuery file from Google. For example, do this:
and not this:
The latter version may return 1.4.2 now, but 1.4.3 tomorrow. If you have a combination of http and https needs, you can use protocol-relative URLs, like this:
Initially generate and store your own checksum for this file.
You can do this programmatically, of course. You decide what interval makes sense. Every minute? Every five? You now have the makings of an automatic kill-switch whose sensitivity you can adjust to your preference. The "monitor" routine certainly doesn't have to run synchronously within the application you're looking to secure; perhaps you run a small utility application on the same server just for this purpose.
It's easy enough to test: just alter the stored hash. Since you're referencing a specific file version, the panic button won't be pressed with every minor version update. When you do want to move to a new version of jQuery, change the AJAX API URL on your site and store the new hash.
是的。如果它是外部资源,那么它总是不太安全。如果您不拥有源代码,您如何确定您知道客户真正得到什么?如果您不熟悉 CloudBleed,您可能需要在继续之前先阅读一下。
如果出于性能原因您确实需要从外部 CDN 加载 jQuery,请确保您使用子源完整性。有关 SRI 的更多信息可以在 MDN 上找到。
最后,如果由于网站性能和单点故障的创建而导致通过 CDN 安全加载 jQuery 成为一个问题(如果您完全熟悉Steve Souders),从安全和性能的角度来看,您几乎肯定会更好地在内部移动所有脚本并使用 获取注入。请确保,如果您这样做,您正在积极地进行浏览器缓存。如果您为全球受众提供服务,请确保对这些资产进行边缘缓存。
Yes. If it's an external resource it's always less secure. How could you possibly be sure you know what your customers are really getting if you don't own the source code? And if you're not familiar with CloudBleed, you may want to read up before you continue.
If you do need to load jQuery from an external CDN for performance reasons, please ensure you're using Subsesource Integrity. More information on SRI can be located on MDN.
Lastly, if loading jQuery securely via CDN is a concern due to website performance and the creation of a Single-Point of Failure (and it should be a concern if you're at all familiar with the work of Steve Souders), you're almost certainly better off from a security and performance perspective moving all of your scripts in-house and loading them asynchronously in parallel using Fetch Injection. Just be sure, if you do, you're aggressively browser caching. And if you serve a global audience, make sure you're edge caching those assets.
正如您的同事所指出的,劫持 DNS 服务器将是一个问题。如果您从与您的站点相同的主机为库提供服务,则情况不会如此。但是,如果使用 HTTPS,攻击者不太可能在欺骗站点上拥有有效证书。我不知道浏览器对此有何反应,但我怀疑他们会将网站标记为不安全(因为其中某些部分不可信)并采取相应行动。
简而言之;如果CDN也使用HTTPS访问,应该不会有太大的风险。
编辑:还要考虑Gert G提到的隐私问题。
As your colleagues point out, hijacking a DNS server would be an issue here. It wouldn't be if you served the library from the same host as your site. However, if one uses HTTPS, it is unlikely that the attacker would have a valid certificate on the spoofed site. I do not know how browsers would react to this, but I suspect they would flag the site as unsafe (since some part of it can't be trusted) and act accordingly.
So in short; if the CDN is also accessed using HTTPS, there shouldn't be any large risks.
Edit: Also consider the privacy issue mentioned by Gert G.
如果在线存在信任,那么 Google 就是最值得信赖的……
毫无疑问,Google CDN 是安全的,但问题总是来自于用户/服务器的互联网连接质量。
顺便说一句,如果您将 jQuery 库包含在 Google API 加载器脚本中,Google 会在其 CDN 可用 JavaScript 库中添加一些小型统计跟踪代码(大约 +4kb,请参阅 Firebug),从而缩小 20kb,压缩的 jQuery 库有点重,加上预见到 SSL 速度。
不管怎样,现在缩小/压缩/缓存 jQuery 已经不是问题了,我建议你自己制作......
If trust exists online then Google is the most trustworthy...
There is no doubt that Google CDN is secure, but problems always always come from user's/server's Internet connection quality.
By the way, if you include the jQuery library with Google API loader script, Google adds some small stat tracking code to it's CDN available JavaScript libraries (about +4kb, see in Firebug) that makes 20kb minified and compressed jQuery library a bit heavy, plus foresee SSL speed.
Anyway minifying/compressing/caching jQuery isn't a problem these days, I suggest make your own...