echo: rberrypi
to: DELOPTES
from: MAYAYANA
date: 2020-08-17 08:34:00
subject: Re: Lightweight Browser

"Deloptes"  wrote

| Also to prevent the so called "injection" by 3rd party, there is SSL, which
| makes it probably impossible to inject anything.
|

Not hardly.

http://arstechnica.com/security/2016/03/big-name-sites-hit-by-rash-of-malicious-ads-spreading-crypto-ransomware/

https://www.bleepingcomputer.com/news/security/crooks-created-28-fake-ad-agencies-to-disguise-massive-malvertising-campaign/

  When people want script and iframes for spying and
ads, there's no way to keep it clean. A typical scenario
is that a malware spreader buys ad space, which shows
up in iframes, which allows exploiting cross-site scripting
vulnerabilities.

   Iframes and script were both being phased out before
the Web turned into ad servers with "content" stuffing.
Now both are ubiquitous. That can never be made safe.
The irony is that allowing ads to load is now one of the
riskiest activities online.

  Your description above is accurate in theory, but there
are all sorts of variations. One is that many webmasters
really don't know what's being pulled in. They copied some
code to get fancy fonts. They copied code to use jquery.
Do they know where those are coming from or whether
they're up to date? Not likely. Then there are 4th and
5th parties. A page pulls in script from 2 outside sources.
They pull in script from 5 more. It mushrooms. The original
idea with the Internet, and the design of cookies, was to
ensure privacy and security within a site. That's turned
into something more like a public bathroom in Times Square
with only 2 walls. Does the webmaster at the site you
visit know that? Not likely. They're busy trying to find
writers to produce "content" for pennies so they can
get paid. If 17 ad companies, dataminers, and general
sleazeballs being pulled in via script will provide more money
then why not? The webmaster doesn't actually understand
how that process is working, anyway.

  In the case of ad attacks, again no one's minding the store.
Someplace like AOL or NYT or TheHill (some of the sites
compromised in the past) just add code snippets to call
in Google ads. They have no further interest, except to get
paid. Google then auctions that ad space to the highest
bidder. They have no further interest except to get paid.
So someone in China or Russia buys an iframe and launches
an attack.

  This is the epidemic disease of Silicon Valley. It's the same
reason Facebook is infested with propaganda. The geeks
worship technology and regard human input as a failure of
technology. If humans have to be involved it costs much
more and runs more slowly. So it's all automated. And the
"content-producing" corporate sites are only looking at
profits.

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | FidoUsenet Gateway (3:770/3)

SOURCE: echomail via QWK@docsplace.org
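
Added example, not part of the original post: a small audit a site owner could run to answer the post's question of what a page pulls in and from where. It lists every off-site script, stylesheet and iframe in a page's HTML and flags scripts and stylesheets with no Subresource Integrity pin and iframes with no sandbox attribute. The sample page, its host names and the choice of those two checks are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page (not taken from any real site).
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://fonts.example-cdn.test/css?family=Fancy">
<script src="/js/site.js"></script>
<script src="https://code.example-cdn.test/jquery-1.9.0.min.js"></script>
<script src="//static.example-cdn.test/lib.js" integrity="sha384-PLACEHOLDER"></script>
</head><body>
<iframe src="https://ads.example-adnet.test/slot?id=1"></iframe>
<iframe src="https://video.example-media.test/embed/1" sandbox="allow-scripts"></iframe>
</body></html>
"""

class ThirdPartyAudit(HTMLParser):
    """Collect off-site script, stylesheet and iframe loads with their host."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []  # (tag, host, issue or None)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe"):
            url = a.get("src")
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            url = a.get("href")
        else:
            return
        # A missing src/href resolves to the page itself and is skipped below.
        host = urlparse(urljoin(self.page_url, url or "")).hostname
        if host is None or host == self.page_host:
            return  # same host, or a non-network URL such as data:
        if tag == "iframe":
            issue = None if "sandbox" in a else "iframe without sandbox"
        else:
            issue = None if a.get("integrity") else "no integrity pin"
        self.findings.append((tag, host, issue))

def audit(html, page_url):
    parser = ThirdPartyAudit(page_url)
    parser.feed(html)
    return parser.findings

if __name__ == "__main__":
    for tag, host, issue in audit(SAMPLE_HTML, "https://news.example.test/story"):
        print(f"{tag:7} {host:28} {issue or 'ok'}")
```

This sees only the first hop written into the HTML. The 4th and 5th parties the post describes are loaded at run time by those scripts, so they show up only in a browser's network log.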
