Blog

Major sites running unauthenticated JavaScript on their payment pages. The article title says it all. The TL;DR is this: if your payment page loads external files (most likely JavaScript or CSS files from CDNs), then you need to ensure that those files have not been tampered with before or during the payment process, because a malicious hacker could very easily intercept payment card details. This is precisely what happened to British Airways!

The solution is to use Subresource Integrity (SRI), which basically involves adding an "integrity" attribute (the hash of the file you expect) to your script or link element, like this:

<script src="https://example.com/whatever.js" integrity="sha384-eP2mZH+CLyffr1fGYsgMUWJFzVwB9mkUplpx9Y2Y3egTeRlmzD9suNR+56UHKr7v" crossorigin="anonymous"></script>

Solid

Like most people who make use of the web, you probably use some free services like Facebook, Twitter, Google Chrome, Outlook, Gmail (the list goes on... basically we're talking about a product or service provided by an oversized tech power that demands your personal data in exchange for whatever they're peddling). Free services appear great on the surface but you are essentially selling your soul to these data tyrants so they can sell on your personal details to the lowest bidder. As the inventor of the web Tim Berners-Lee (TBL) states:

the web has evolved into an engine of inequity and division; swayed by powerful forces who use it for their own agendas

It's 2018 and we find ourselves in this dire situation, largely due to greed. It's toxic. Thankfully TBL has been working on a solution, called Solid, that aims to give web users more control over how their data is used and abused:

Solid changes the current model where users have to hand over personal data to digital giants in exchange for perceived value. As we’ve all discovered, this hasn’t been in our best interests. Solid is how we evolve the web in order to restore balance — by giving every one of us complete control over data, personal or not, in a revolutionary way

The main idea behind Solid is:

It gives every user a choice about where data is stored, which specific people and groups can access select elements, and which apps you use. It allows you, your family and colleagues, to link and share data with anyone. It allows people to look at the same data with different apps at the same time.

So while you may still need to disclose a certain level of personal information to use the services of Facebook for example, at least you will be in control of your own data, not Facebook. You set up a profile (known as a POD) on the Solid platform and then choose what info you want to share. I like it! And like TBL I'm looking forward to welcoming in the next era of the web.

The makers of Sublime Text have launched a dedicated plug-in for the version control software Git. Called Sublime Merge, it's a Git client that seamlessly integrates with the Sublime text editor, with a particular focus on the unenviable task of merging conflicting code.

The merge tool lets you resolve conflicts by comparing code across three panes:

  1. the left pane shows your changes
  2. the right shows their changes
  3. and the centre pane is the resolved code

Alongside this nifty merge interface, we get a powerful search tool, keyboard shortcuts, command line integration and syntax highlighting. Try for free, then it costs $99 if you decide to support the producers.

Treat your passwords like your underwear

  • Never share them with anyone
  • Change them regularly
  • Keep them off your desk

Courtesy of @ml2mst