Microblog entry

Mirki, #unknownews posted an interesting entry today. Could somebody explain to me, so that I actually understand it, the information at the link below?

https://scotthelme.co.uk/protect-site-from-cryptojacking-csp-sri/

Especially this part:

"

This is not a particularly new attack and we've known for a long time that CDNs or other hosted assets are a prime target to compromise a single target and then infect potentially many thousands of websites. The thing is though, there's a pretty easy way to defend yourself against this attack. Let's take the ICO as an example, they load the affected file like this:



That's a pretty standard way to load a JS file and the browser will go and fetch that file and include it in the page, along with the crypto miner... Want to know how you can easily stop this attack?


That's it. With that tiny change to how the script is loaded, this attack would have been completely neutralised. What I've done here is add the SRI Integrity Attribute and that allows the browser to determine if the file has been modified, which allows it to reject the file. You can easily generate the appropriate script tags using the SRI Hash Generator and rest assured the crypto miner could not have found its way into the page. To take this one step further and ensure absolute protection, you can use Content Security Policy and the require-sri-for directive to make sure that no script is allowed to load on the page without an SRI integrity attribute. In short, this could have been totally avoided by all of those involved even though the file was modified by hackers. On top of all of that, you could be alerted to events like this happening on your site via CSP Reporting which is literally the reason I founded Report URI. I guess, all in all, we really shouldn't be seeing events like this happen on this scale to such prominent sites."


So it's about adding the SRI attribute together with the computed hash of the file (which is on our site, while the source is on another one?). What I mean is how to explain this to a few non-technical people, and in an understandable way to web developers. Thanks :D

#webdev #webmastering #informatyka
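An added example (not from the linked article or from this thread) of what the browser does with the integrity attribute: it computes the SRI value for a file the way the SRI Hash Generator would, then checks fetched bytes against it, so a file modified on the CDN is rejected. The script contents and the CDN URL are constructed samples.

```python
import base64
import hashlib

# Constructed sample: the script exactly as the CDN originally served it.
ORIGINAL_JS = b"window.addEventListener('load', function () { console.log('ready'); });\n"
# Constructed sample: the same file after someone changed it on the CDN.
TAMPERED_JS = ORIGINAL_JS + b"/* bytes added after the hash was computed */\n"

SUPPORTED = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
# When several hashes are listed, browsers only consider the strongest algorithm.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Value for <script integrity="...">: '<algo>-<base64 of the raw digest>'."""
    digest = SUPPORTED[algo](content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_check(content: bytes, integrity: str) -> bool:
    """Simulate the browser: accept the fetched bytes only if they match one of the
    digests given for the strongest supported algorithm in the integrity attribute."""
    parsed = []
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        if algo in SUPPORTED:
            parsed.append((algo, b64))
    if not parsed:
        # No usable metadata: the browser ignores the attribute and loads the file.
        return True
    strongest = max(STRENGTH[a] for a, _ in parsed)
    for algo, b64 in parsed:
        if STRENGTH[algo] == strongest and sri_hash(content, algo) == f"{algo}-{b64}":
            return True
    return False


def script_tag(src: str, content: bytes) -> str:
    """Build the tag the site owner publishes; crossorigin is needed for cross-origin SRI."""
    return f'<script src="{src}" integrity="{sri_hash(content)}" crossorigin="anonymous"></script>'


if __name__ == "__main__":
    expected = sri_hash(ORIGINAL_JS)
    print(script_tag("https://cdn.example/lib.js", ORIGINAL_JS))
    print("original accepted:", sri_check(ORIGINAL_JS, expected))  # True
    print("tampered accepted:", sri_check(TAMPERED_JS, expected))  # False
```

The published tag pins the bytes the author reviewed, so the check fails the moment the CDN serves anything else, regardless of what was changed.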
What I mean is how to explain this to a few non-technical people, and in an understandable way to web developers.


@JoannitaPL: that's like explaining object-oriented mathematics to humanities people :D

There are quite a few problems, e.g. another site in a frame can cut a given JS out of the DOM document and substitute its own, which will get cached, or worse, through a hashed URL from another domain etc.
Obfuscators etc. make it harder to verify .js code, or antiviruses don't detect attacks, or