Hacker News new | past | comments | ask | show | jobs | submit login

Cache poisoning is not necessarily breaking the hash, it just means they snuck something in there somehow (e.g. social engineering techniques).



In this context it's cache poisoning that does require breaking the hash. Which is not a realistic reason to reject the concept.


...how would social engineering NOT work to distribute javascript vulnerabilities or backdoors via jquery??


Every website using jquery will have the real hash, so you can poison all the mirrors you like and it won't matter.

The only way to get the wrong hash onto sites is to actually publish it on the authoritative server. That's not cache poisoning, that's a malicious official version.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: