Imagine you have an online store that sells brand new gadgets, and users provide their credit card numbers to make purchases. You put their security and privacy on a pedestal, apply SSL to all traffic, and spend stacks of money to have your SSL certificate signed by one of the most trusted certificate authorities. Users can be sure that they are communicating with your website, not some other site pretending to be your company.
To build the site you use FooLib, an open source JavaScript library. It's a great solution provided by FooCo, a giant in the field of Net technologies. The company even offers hosted versions of FooLib on its strikingly quick content delivery network (CDN), so anyone can have the library served from FooCo's servers.
Since browsers show a warning when a page mixes HTTP and HTTPS content, you prefer to serve FooLib over SSL. No one wants to put visitors off with annoying and dreadful security warnings. Good news: FooCo's CDN works with SSL, so your visitors don't have to look at these nagging security warnings anymore.
Now comes the bad news: you're not being entirely honest with your users, and your super-pricey SSL certificate bought from the most recommended company is almost worthless. Why so? Because FooCo can now execute any JavaScript on your website. Yes, your JavaScript is transferred securely over SSL, and the browser doesn't display any warnings, but your users' browsers also communicate with cdn.foolib.com, which supplies JavaScript that runs on your website. This means that FooCo has access to any information that users enter and read on your pages.
FooCo is not to blame: all in all, it's a solid and trustworthy company that would never steal clients' credit card numbers. It provides excellent services to the community wholeheartedly, without pursuing unfair goals. However, you are still deceiving your end users. The presence of an SSL certificate tells the visitor that they are safe and that nobody else can decrypt the communication.
But when you load FooLib from FooCo's CDN, you unintentionally invite a third party, FooCo, into the conversation. It has its own certificate, also signed by a reliable certificate authority, but your users don't want to share their information with anyone else: it should be available only to your website. By inviting FooCo into the interaction without warning visitors about it, you break the contract that was implied by your site's SSL certificate. The user is soothed by the lock icon in the URL bar, but it's a lie.
Of course, you stay innocent until proven guilty. If the information your users provide is not compromised, no one minds. But you're not protected against data loss and other accidents. If your customers and users are important to you, don't load JavaScript from third-party CDN services, even if they support SSL with certificates issued by the most well-established companies.
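One way to find the scripts this advice applies to, as an added example that is not part of the original article: the Python code below lists every script a page loads from an origin other than its own. The store URL shop.example and the sample markup are constructed; cdn.foolib.com is the article's hypothetical CDN.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> element."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:  # inline scripts have no src and are skipped
                self.sources.append(src.strip())


def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)


def third_party_scripts(page_url, html):
    """Return absolute URLs of scripts served from an origin other than the page's."""
    collector = ScriptCollector()
    collector.feed(html)
    own = origin(page_url)
    found = []
    for src in collector.sources:
        absolute = urljoin(page_url, src)  # resolves relative and //host/ forms
        if origin(absolute) != own:
            found.append(absolute)
    return found


# Constructed sample page for the hypothetical store (shop.example is an assumption).
SAMPLE_PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><head>
<script src="/static/cart.js"></script>
<script src="https://cdn.foolib.com/foolib.min.js"></script>
<script src="//cdn.foolib.com/plugins/validate.js"></script>
<script>var inline = true;</script>
</head><body><form><input name="card-number"></form></body></html>
"""

if __name__ == "__main__":
    for url in third_party_scripts(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("third-party script:", url)
```

Every URL it reports is code that runs with full access to the page, including the card-number field, even though the lock icon stays in place.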
To be clear, security is always a compromise. You have to sacrifice some convenience for security. Some websites are willing to share their customers' private information with third-party CDNs like FooCo, because it's a more convenient option than hosting JavaScript locally. However, the decision is down to you.
Now imagine yourself in your user's place and decide: would you accept the fact that your confidential information is made available to other companies without your consent? Even if it doesn't cause harm, there's always a minor risk of accidents.