
Add option to auto-replace vulnerable libraries

Open rezad1393 opened this issue 7 years ago • 14 comments

Can an option be added so that old, insecure versions of libraries are replaced with newer, secure ones?

I use the Firefox addon 'Retire.js' and it shows that a lot of websites use old, insecure JavaScript libraries that have security bugs. Can this addon, by user choice of course, replace them with secure ones when the website loads? Or does the addon already do this?

rezad1393 avatar Aug 04 '17 17:08 rezad1393

It definitely does not do that, and even if Decentraleyes would add it, it needs to be opt-in because a lot of websites would break if you just replaced their libraries (one of the reasons why so many websites use old libraries).

heubergen avatar Aug 04 '17 17:08 heubergen

I did say optionally. But I am not a web developer, so I thought maybe the newer versions were compatible with older ones and mostly only fixed issues, or at least compatible within the same major release of the lib, like libtest.1.3.5 and libtest.1.3.6.

rezad1393 avatar Aug 04 '17 17:08 rezad1393

I'm working closely with web developers and I can tell you that even in bugfix releases there are things that break :(

heubergen avatar Aug 04 '17 17:08 heubergen

OK. It was just a suggestion, and thanks for the answer. P.S. Thanks for the addon.

rezad1393 avatar Aug 04 '17 17:08 rezad1393

Sorry if I appear to be a developer or the owner of this repo, but I'm not, so you should wait for an answer from the dev.

heubergen avatar Aug 04 '17 17:08 heubergen

So is this possible? Or bad for websites? Because, for example, jQuery has two versions (the 1 and 2 branches) that are updated separately, so maybe updating jQuery 1.10 to 1.11 would be possible?

I like distributed solutions more for their offline ability (growing up in the third world with slow internet and all), but it seems that security is also improved this way.

If this gets implemented, consider that only compatible library versions get replaced so the websites won't break.

rezad1393 avatar Oct 08 '17 21:10 rezad1393

@rezad1393 I do think this idea is interesting enough to at least take into consideration. However, as correctly stated by @heubergen, injecting alternative versions of requested libraries will inevitably break a large number of websites. This could only ever work as an optional feature for advanced users.

Synzvato avatar Oct 09 '17 00:10 Synzvato

It was just a suggestion. Thank you for the answer. Maybe if you get time you can implement it.

BTW, some websites have jQuery and Retire.js finds it, but your addon doesn't spot it. How is that? This is what it won't find: jQuery 1.10.2.

Is this URL https://duckduckgo.com/ or this one, https://board.jdownloader.org (https://board.jdownloader.org/jquery.js, jQuery 1.3.2)?

Or this: https://ia.media-imdb.com/images/G/01/imdb/js/collections/common-2411119445.CB514893747.js

My installed version is the WebExtension version, v2.0.0beta3.

rezad1393 avatar Oct 09 '17 08:10 rezad1393

+1

EC-O-DE avatar Oct 14 '17 14:10 EC-O-DE

+1

I will seriously consider not interacting with websites that are putting my security at risk. So breaking vulnerable websites is fine with me.

vdcbb avatar Nov 30 '17 22:11 vdcbb

I don't think this would break that many sites. Only major revisions should cause problems, and we can give a notification to the user that the lib is replaced. Ideally we should have a map of insecure versions to oldest secure version to avoid breaking sites.

So if version 1.0 is insecure and version 1.1 patched it, we wouldn't load in version 2.0 because it's the newest, we would use 1.1 to minimize breakage while patching vulns.

AshotN avatar Jan 11 '18 07:01 AshotN

You could have per-site rules, like an ad blocker, and a maintained preset list for the most common websites.

elypter avatar Jan 11 '18 15:01 elypter

First off, thanks everyone for your suggestions and insights. Much appreciated!

BTW, some websites have jQuery and Retire.js finds it, but your addon doesn't spot it. How is that? This is what it won't find: jQuery 1.10.2.

@rezad1393 Decentraleyes intercepts requests to large Content Delivery Networks. It's not interested in any known resources delivered by smaller players. I hope this explains the current approach.

Only major revisions should cause problems, and we can give a notification [...]. Ideally we should have a map of insecure versions to oldest secure version to avoid breaking sites. So if version 1.0 is insecure and version 1.1 patched it, [...] we would use 1.1 to minimize breakage [...].

@AshotN This is a good idea in theory, but when it comes to jQuery, the first non-vulnerable alternative can easily be a high number of releases apart. Here's an extensive list of vulnerable versions.

you could have per site based rules [...] and a maintained preset list for the most common websites.

@elypter In my opinion, such a ruleset would be quite hard to maintain. I think the entire feature should be optional, and I'd prefer notifications to signal replacements as suggested by @rezad1393.

Synzvato avatar Mar 10 '18 11:03 Synzvato
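A sketch of the "oldest secure version" map that AshotN proposes and Synzvato weighs above, written as an added example rather than Decentraleyes code. The library names, release lists and vulnerable ranges are constructed; the policy is to stay within the requested major version and to fall back to serving the original resource when no in-major fix exists.

```javascript
// Added example, not Decentraleyes code: choose the oldest non-vulnerable
// release in the same major line to substitute for a requested version.
// All library names, release lists and vulnerable ranges below are constructed.
const CATALOG = {
  libtest: {
    releases: ["1.3.5", "1.3.6", "1.4.0", "1.4.2", "2.0.0", "2.1.0"],
    vulnerable: [
      { from: "0.0.0", to: "1.3.5" }, // inclusive bounds; fixed in 1.3.6
      { from: "1.4.0", to: "1.4.0" }, // regression, fixed in 1.4.2
    ],
  },
  // Only fix lives in the next major line, so no safe in-major swap exists.
  libold: { releases: ["1.0.0", "2.0.0"], vulnerable: [{ from: "1.0.0", to: "1.0.0" }] },
};

function parseVersion(v) {
  return v.split(".").map(Number);
}

// Numeric, component-wise comparison; usable directly as an Array.sort comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function isVulnerable(lib, version) {
  const entry = CATALOG[lib];
  if (!entry) return false; // unknown library: nothing to say about it
  return entry.vulnerable.some(
    (r) => compareVersions(version, r.from) >= 0 && compareVersions(version, r.to) <= 0
  );
}

// Oldest secure release newer than the requested one within the same major
// version. Returns null when none exists; the caller should then serve the
// original resource rather than risk breaking the site.
function pickReplacement(lib, requested) {
  const entry = CATALOG[lib];
  if (!entry || !isVulnerable(lib, requested)) return null;
  const major = parseVersion(requested)[0];
  const candidates = entry.releases
    .filter((v) => parseVersion(v)[0] === major && compareVersions(v, requested) > 0 && !isVulnerable(lib, v))
    .sort(compareVersions);
  return candidates.length > 0 ? candidates[0] : null;
}
```

Note that 1.4.0 is skipped in favour of 1.4.2 when it is itself vulnerable, and libold yields null because its only fix crosses a major boundary.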

Optional would be fine for me too; this way, if a website breaks, the user knows why and what he/she can do about that.

heubergen avatar Mar 10 '18 16:03 heubergen