Google Analytics does what?

Sure, I added a blog entry with a snippet of code recently and was blindly thinking it did something smart and dynamic and then realised that it was just a boring bit of HTML code. I obviously wasn’t really thinking.
But Google Analytics got me thinking a little more. They ask you to include a little script of theirs on your web site. In return you get some magic info about your site.
All well and good, except what does that bit of JavaScript do? I haven’t looked at it very closely, but close enough to tell it’s not the most clearly written code in the world. What if it has a bug? Or what if one is later introduced?
This brings up an interesting twist of a possibility…a commercialisation of the cross-site scripting class of security holes. How long until somebody comes up with some sort of commercial spyware XSS? Maybe there are already things like this lurking in our web applications.


2 Responses to Google Analytics does what?

  1. Josuah says:

    Don’t you also use Gallery or something for your photos? There could just as easily be something questionable there. Or in MT for that matter. I think it kind of just comes down to the fact that the source is open, and you need to have some trust for these projects and companies.
    Since I work on PHP iCalendar, I do actually see little snippets of code that are specific to a developer’s configuration, and that may also be considered something bad to have. Although not malicious, it may have unexpected side-effects. I try to make note of these or remove these whenever I see them.

  2. Tim Pepper says:

    The difference, though, is that MT is versioned and I have the copy of it. With a link in your page to somebody else’s server for including some JavaScript you never know and cannot control what your page viewers have run on their machine when they view your site. Maybe they have a buggy JavaScript included for a short while thanks to an error on the Google server end or DNS poisoning or other maliciousness, but that allows somebody to collect information and gain access to your server, not Google or whoever else’s.
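
An added example, not part of the original post or its comments: a small Python audit that lists the scripts a page loads from other hosts and marks which are fetched over plain HTTP or carry no Subresource Integrity (`integrity`) pin. The page URL, the sample HTML and the example.* hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptAudit(HTMLParser):
    """Collect every <script src=...> that is fetched from another host."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        src = attrs.get("src")
        if not src:
            return  # inline script: it ships with our own copy of the page
        url = urljoin(self.page_url, src)  # resolves relative and //host/ forms
        parts = urlsplit(url)
        if parts.hostname == self.page_host:
            return  # same host as the page, under our control
        self.findings.append({
            "url": url,
            "host": parts.hostname,
            "cleartext": parts.scheme == "http",  # modifiable in transit
            "pinned": bool(attrs.get("integrity")),  # browser checks a hash
        })


def audit(page_url, html):
    """Return one finding per script the page loads from a foreign host."""
    parser = ScriptAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page; all hosts are placeholders.
SAMPLE = """
<html><head>
<script src="/js/site.js"></script>
<script src="http://stats.example.net/tracker.js"></script>
<script src="//cdn.example.org/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script>var inline = 1;</script>
</head></html>
"""

if __name__ == "__main__":
    for finding in audit("https://blog.example.com/post", SAMPLE):
        print(finding)
```

An `integrity` pin only works for a file whose bytes do not change; a script that the provider updates in place cannot be pinned, so the inventory of foreign hosts is the part that always applies.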
