Add option to auto-replace vulnerable libraries #184
Comments
It definitely does not do that, and even if Decentraleyes would add it, it needs to be opt-in because a lot of websites would break if you just replaced their libraries (one of the reasons why so many websites use old libraries).
I did say optionally.
I'm working closely with web developers and I can tell you that even in bugfix releases there are things that break :(
OK.
Sorry if I appear to be a developer or the owner of this repo, but I'm not, so you should wait for an answer from the dev.
So is this possible? Or bad for websites? I like distributed solutions more for their offline ability (growing up in the third world with slow internet and all), but it seems that security is also improved this way. If this gets implemented, consider that only compatible library versions get replaced so the websites won't break.
@rezad1393 I do think this idea is interesting enough to at least take into consideration. However, as correctly stated by @heubergen, injecting alternative versions of requested libraries will inevitably break a large number of websites. This could only ever work as an optional feature for advanced users.
It was just a suggestion. BTW, some websites have jQuery and Retire.js finds them, but your addon doesn't spot them. Is this URL https://duckduckgo.com/ or this https://ia.media-imdb.com/images/G/01/imdb/js/collections/common-2411119445._CB514893747_.js? My installed version is the web extension version, v2.0.0beta3.
+1
+1 I will seriously consider not interacting with websites that are putting my security at risk. So breaking vulnerable websites is fine with me.
I don't think this would break that many sites. Only major revisions should cause problems, and we can give a notification to the user that the lib is replaced. Ideally we should have a map of insecure versions to the oldest secure version to avoid breaking sites. So if version 1.0 is insecure and version 1.1 patched it, we wouldn't load in version 2.0 because it's the newest; we would use 1.1 to minimize breakage while patching vulns.
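The "map insecure versions to the oldest secure version" idea in the comment above, written out as an added example (this is not Decentraleyes code and not from anyone in this thread). The library name `examplelib`, its vulnerability ranges and the list of locally bundled versions are all constructed for illustration, not real advisory data; the selection rule stays within the requested major version and otherwise picks the lowest non-vulnerable bundled release, returning `None` when no such release exists so the caller can leave the original request alone and notify the user.

```python
"""Oldest-secure-version replacement selection (added example, hypothetical data)."""
from typing import Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '1.10.2' into (1, 10, 2) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))


def format_version(version: Version) -> str:
    return ".".join(str(part) for part in version)


# CONSTRUCTED: half-open [first affected, first fixed) ranges for a hypothetical
# library. Real deployments would load these from a maintained advisory feed.
VULNERABLE_RANGES = {
    "examplelib": [
        ("1.0.0", "1.0.4"),  # hypothetical advisory A: fixed in 1.0.4
        ("1.2.0", "1.2.2"),  # hypothetical advisory B: fixed in 1.2.2
        ("2.0.0", "2.1.0"),  # hypothetical advisory C: fix not bundled below
    ],
}

# CONSTRUCTED: releases the extension ships locally and could serve instead.
BUNDLED_VERSIONS = {
    "examplelib": ["1.0.2", "1.0.4", "1.1.0", "1.2.1", "1.2.2", "2.0.0"],
}


def is_vulnerable(library: str, version: str) -> bool:
    """True if `version` falls inside any known-vulnerable range for `library`."""
    v = parse_version(version)
    return any(
        parse_version(first_bad) <= v < parse_version(first_fixed)
        for first_bad, first_fixed in VULNERABLE_RANGES.get(library, [])
    )


def oldest_secure_replacement(library: str, requested: str) -> Optional[str]:
    """Return the version to serve for a request.

    - If the requested version is not vulnerable, serve it unchanged.
    - Otherwise serve the LOWEST bundled version that is >= requested, shares
      the same major version (to limit API breakage), and is not vulnerable.
    - Return None if no such bundled version exists.
    """
    if not is_vulnerable(library, requested):
        return requested
    req = parse_version(requested)
    candidates = sorted(parse_version(v) for v in BUNDLED_VERSIONS.get(library, []))
    for candidate in candidates:
        if candidate < req or candidate[0] != req[0]:
            continue
        if not is_vulnerable(library, format_version(candidate)):
            return format_version(candidate)
    return None


def replacement_notice(library: str, requested: str) -> str:
    """Human-readable message for the notification the comment suggests."""
    chosen = oldest_secure_replacement(library, requested)
    if chosen == requested:
        return f"{library} {requested}: served as requested (no known vulnerability)"
    if chosen is None:
        return f"{library} {requested}: vulnerable, but no compatible fixed version is bundled"
    return f"{library} {requested}: vulnerable, replaced with {chosen}"


if __name__ == "__main__":
    for ver in ["1.0.2", "1.1.0", "1.2.1", "2.0.0"]:
        print(replacement_notice("examplelib", ver))
```

Keeping the replacement within the same major version is the "minimize breakage" part of the proposal; a stricter deployment could also require the same minor version, at the cost of more requests ending up with no replacement.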
You could have per-site rules like an adblocker and a maintained preset list for the most common websites.
First off, thanks everyone for your suggestions and insights. Much appreciated!
@rezad1393 Decentraleyes intercepts requests to large Content Delivery Networks. It's not interested in any known resources delivered by smaller players. I hope this explains the current approach.
@AshotN This is a good idea in theory, but when it comes to jQuery, the first non-vulnerable alternative can easily be a high number of releases apart. Here's an extensive list of vulnerable versions.
@elypter In my opinion, such a ruleset would be quite hard to maintain. I think the entire feature should be optional, and I'd prefer notifications to signal replacements as suggested by @rezad1393.
Optional would be fine for me too; this way the user knows, if he breaks a website, why, and what he/she can do about that.
Can the option be added that old insecure versions of libraries be replaced with newer secure ones?
I use the Firefox addon 'Retire.js' and it shows that a lot of websites use old insecure JavaScript libraries that have security bugs. Can this addon, by user choice of course, replace them with secure ones when the website loads?
Or does the addon already do this?