Using CDNs in DoD and Enterprise Environments

Installation instructions for the most common JavaScript libraries include links to CDNs. Because developers, experienced or not, tend to copy and paste those snippets, pasting in a CDN reference may unintentionally introduce attack vectors into their organizations' websites. Cloudflare, a large CDN provider, says that its CDN provides:

  • Ultra-fast static and dynamic content delivery
  • Increased agility and control over how content is cached
  • Built-in unmetered DDoS protection

In reality, what CDNs give developers is convenience. It is very simple to add a script tag to a page and get the desired effects.

What are the drawbacks?

1. Broadcasting usage (Confidentiality)

Depending on the sensitivity of your work, you may not want to broadcast your domains to commercial providers.

2. Control of the source (Integrity)

If the CDN were compromised, an attacker could gain access to your browser, since a script loaded from the CDN runs with the full privileges of the page that included it... possibly gaining information and/or credentials for the domain you happen to be on. Making this happen may be difficult, but not impossible. Hacked accounts belonging to either library or CDN maintainers could compromise the library.

3. Loss of access (Availability)

The management of enterprise networks requires a lot of hands. If you've been an end user on such a network, you'll know that things break sometimes. Enterprises implementing proxies to filter traffic notoriously block CDNs. Is this intentional? Unlikely, but fixing such issues can take an insane amount of time. (Lack of manning and slow governance are usually culpable here.) As such, your "reliable" reference has become a point of failure.

What to do?

Modern browsers like Chrome offer features that help mitigate the first two items, but the unfortunate reality is that there is still significant use of Internet Explorer.

In Enterprise/Government networks, avoid using CDN references. Store necessary files locally on the server. You may want to consider setting up your own host for files, but this adds complexity (one of the things that CDN scripts help avoid).
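The following is an added example, not code from the original post. It shows the local-copy approach recommended above in a repeatable form: a downloaded library file is stored on your own server and pinned to a hash, so that a later refresh of the vendored copy whose bytes differ from the pin is noticed rather than silently deployed. For the cases where a CDN reference cannot be avoided, the same hash is emitted as a Subresource Integrity (SRI) attribute, which is one of the browser features the post alludes to without naming; browsers that honour it refuse to run a cross-origin script whose bytes do not match. The sample script bytes, the `/static/` path and the `cdn.example` URL are constructed for the example.

```python
"""Vendor a third-party script locally and pin its contents with an SRI hash.

Added example: the library bytes, paths and URLs below are constructed.
"""
import base64
import hashlib
import hmac
import html
from pathlib import Path
from typing import Optional

# Constructed sample standing in for the bytes of a downloaded library file.
SAMPLE_SCRIPT = b"window.myLib = { version: '1.2.3' };\n"


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return an SRI integrity value ("sha384-<base64 digest>") for content.

    SRI only permits sha256, sha384 and sha512; anything else is rejected.
    """
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def matches_pin(content: bytes, expected: str) -> bool:
    """True if content hashes to the pinned integrity value.

    Run this when refreshing a vendored copy: a changed upstream file (or an
    unsupported pin format) yields False instead of being deployed unnoticed.
    """
    algorithm, _, _ = expected.partition("-")
    try:
        return hmac.compare_digest(sri_hash(content, algorithm), expected)
    except ValueError:
        return False


def script_tag(src: str, integrity: Optional[str] = None) -> str:
    """Build a <script> tag.

    A same-origin (local) src needs no integrity attribute. For a cross-origin
    CDN src, integrity plus crossorigin="anonymous" lets the browser refuse a
    file whose bytes do not match the pin.
    """
    attrs = [f'src="{html.escape(src, quote=True)}"']
    if integrity:
        attrs.append(f'integrity="{html.escape(integrity, quote=True)}"')
        attrs.append('crossorigin="anonymous"')
    return "<script " + " ".join(attrs) + "></script>"


def vendor(content: bytes, dest_dir: Path, filename: str) -> tuple[Path, str]:
    """Write the library bytes under your own static directory and return the
    local path together with the pin to record alongside it."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    target = dest_dir / filename
    target.write_bytes(content)
    return target, sri_hash(content)


if __name__ == "__main__":
    import tempfile

    static_dir = Path(tempfile.mkdtemp()) / "static"  # stands in for your web root
    local_path, pin = vendor(SAMPLE_SCRIPT, static_dir, "mylib.js")
    print("vendored:", local_path)
    print("pin     :", pin)
    # Locally hosted reference: the recommended option for enterprise networks.
    print(script_tag("/static/mylib.js"))
    # CDN reference with the same bytes pinned, for when a CDN is unavoidable.
    print(script_tag("https://cdn.example/mylib.js", pin))
    # A refreshed copy with different bytes fails the pin check.
    print("tampered copy accepted?", matches_pin(SAMPLE_SCRIPT + b"//x\n", pin))
```

Record the pin next to the vendored file (or in source control) and re-run `matches_pin` whenever the file is updated; a mismatch is the signal to inspect the upstream change before publishing it.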
