
curl-library

Re: The "Great Firewall of China"

From: Spork Schivago <sporkschivago_at_gmail.com>
Date: Sat, 18 Jun 2016 14:22:55 -0400

Is there a way to let the owners of the greatfirewallofchina.org site know
about the possible problems and make suggestions to them on a better
solution? I'd be down for adding a banner to my site, when I finish my
site, as well. But I too think it'd be nicer to just be able to add some
picture or something, rather than linking to a third-party site and using
their javascript code.

On Sat, Jun 18, 2016 at 5:21 AM, Dan Fandrich <dan_at_coneharvesters.com>
wrote:

> On Sat, Jun 18, 2016 at 10:52:05AM +0200, Gisle Vanem via curl-library
> wrote:
> > Dan Fandrich wrote:
> >
> > > I think it's ironic that not only does this protest require loading
> > > arbitrary
> > > Javascript from a third-party site, but it's served unencrypted and
> > > unauthenticated and is therefore vulnerable to active manipulation by a
> > > malicious party while in transit.
> >
> > Why is this so ironic? You're not trusting the firewall
> > status of China is accurate?
>
> The problem is that someone adding this banner opens up a massive security
> hole in his site the size of, oh, I don't know, the Great Wall of China maybe. A
> hole that can be trivially exploited by a malicious state actor to inject
> arbitrary Javascript code into the browser of any targeted visitor to that
> site.
>
> >>> Dan
> -------------------------------------------------------------------
> List admin: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html
>

Received on 2016-06-18
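
The concern raised in the thread, a page that pulls script from another site unencrypted and unauthenticated, can be checked for mechanically. The following is an added example, not code from the thread or its participants: a Node.js audit of a page's `<script src>` tags. The function names, the sample hosts and the integrity value are made up for illustration, and the regex scan stands in for a real HTML parser.

```javascript
// Added example: flag <script src> tags that are fetched in plaintext or come
// from another origin without a Subresource Integrity (SRI) hash.
// The regex scan is a simplification for a quick audit, not a full HTML parser.

function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

function auditScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const attrs = parseAttrs(tag);
    if (!attrs.src) continue; // inline script: nothing is fetched
    const src = new URL(attrs.src, page); // resolves relative and //host forms
    const issues = [];
    // Plain HTTP: anyone on the network path can rewrite the script in transit.
    if (src.protocol === "http:") issues.push("plaintext-transport");
    // Cross-origin without SRI: the browser runs whatever bytes arrive.
    const hasSri = /^sha(256|384|512)-/.test(attrs.integrity || "");
    if (src.origin !== page.origin && !hasSri) issues.push("third-party-without-sri");
    if (issues.length) findings.push({ src: src.href, issues });
  }
  return findings;
}

// Constructed sample page; every host and the integrity value are placeholders.
const SAMPLE_HTML = `
<script src="/js/site.js"></script>
<script src="http://banner.example/banner.js"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-PLACEHOLDER"
        crossorigin="anonymous"></script>
<script src="//stats.example/t.js"></script>
`;
const SAMPLE_FINDINGS = auditScripts(SAMPLE_HTML, "https://www.example.org/index.html");
console.log(JSON.stringify(SAMPLE_FINDINGS, null, 2));
```

Serving the banner as a self-hosted image, as suggested in the reply above, would leave nothing for this audit to flag.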