
If this was even a remotely feasible problem with modern cryptographic hashes, DNSSEC, TLS, SSH, package management systems, most authentication systems, etc. would all be dramatically broken.

If I had this capability I wouldn't waste it on injecting javascript into web pages. I'd create forged browser upgrades and go from there.




Cache poisoning is not necessarily breaking the hash, it just means they snuck something in there somehow (e.g. social engineering techniques).


In this context it's cache poisoning that does require breaking the hash. Which is not a realistic reason to reject the concept.


...how would social engineering NOT work to distribute javascript vulnerabilities or backdoors via jquery??


Every website using jquery will have the real hash, so you can poison all the mirrors you like and it won't matter.

The only way to get the wrong hash onto sites is to actually publish it on the authoritative server. That's not cache poisoning, that's a malicious official version.
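The point made in the comment above, as an added example that is not part of the thread: a client that pins a hash rejects a modified copy from any mirror or cache, and only a pin published for the altered bytes would be accepted. It assumes SRI-style `sha384-<base64>` pins; the function names and sample bytes are constructed for illustration.

```javascript
// Added example, not code from the thread. Assumes SRI-style pins such as
// "sha384-<base64>"; names and sample bytes below are constructed.
const crypto = require('crypto');

const RANK = new Map([['sha256', 1], ['sha384', 2], ['sha512', 3]]);

function pin(alg, body) {
  return alg + '-' + crypto.createHash(alg).update(body).digest('base64');
}

// Keep only the entries using the strongest supported algorithm, so a weak
// or unknown hash listed next to a strong one cannot be used to pass the check.
function parseIntegrity(integrity) {
  const entries = integrity.trim().split(/\s+/).map((tok) => {
    const i = tok.indexOf('-');
    return { alg: tok.slice(0, Math.max(i, 0)), b64: tok.slice(i + 1) };
  }).filter((e) => RANK.has(e.alg));
  const best = Math.max(0, ...entries.map((e) => RANK.get(e.alg)));
  return entries.filter((e) => RANK.get(e.alg) === best);
}

// True only if the bytes hash to one of the pinned digests. Fails closed when
// no usable pin is present (a choice made for this sketch).
function verify(integrity, body) {
  return parseIntegrity(integrity).some((e) => {
    const want = Buffer.from(e.b64, 'base64');
    const got = crypto.createHash(e.alg).update(body).digest();
    return want.length === got.length && crypto.timingSafeEqual(want, got);
  });
}

// Try caches/mirrors in order; the first copy matching the pin wins.
function loadFromMirrors(integrity, mirrors) {
  for (const [source, body] of mirrors) {
    if (verify(integrity, body)) return { source, body };
  }
  return null;
}

// Constructed stand-ins for a library file and a modified copy of it.
const official = Buffer.from('/* constructed library v1 */ function lib() {}');
const tampered = Buffer.from('/* constructed library v1 */ function lib() {} /* altered */');
const sitePin = pin('sha384', official);

console.log(loadFromMirrors(sitePin, [['mirror-a', tampered], ['mirror-b', official]]).source);
console.log(verify(pin('sha384', tampered), tampered)); // pin published for the altered bytes
```

The second call is the "malicious official version" case: the check only binds bytes to whatever pin the site embeds, so it says nothing about whether that pin was trustworthy.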



