Important - Highcharts Licensing

Moderator: mcrossley

broadstairs
Posts: 781
Joined: Thu 14 Aug 2008 7:17 am
Weather Station: Ecowitt GW1003/GW1103/GW2000
Operating System: Windows 7 and Linux
Location: Broadstairs, Kent, UK

Re: Important - Highcharts Licensing

Post by broadstairs »

HansR wrote: Wed 10 Apr 2024 6:52 am
saratogaWX wrote: Tue 09 Apr 2024 9:04 pm now. I'd like to use a package that doesn't require a CDN/external URL source to run correctly and is under MIT or Apache license (free).
I do not see why a non-CDN would have preference? Contrary: my version selector for Highcharts is based on the CDN possibility.
Hans, as Ken explained earlier, if you have to load code from a website outside of your own server you expose a potential security issue where that site could be compromised without your knowledge and load code exposing the end user to viruses etc. This is not just a theory; it has happened in the past and probably will in future. From a security point of view having the code loaded from your own server only significantly reduces this exposure. This is why a non-CDN option is much more preferable.

Stuart
HansR
Posts: 5969
Joined: Sat 20 Oct 2012 6:53 am
Weather Station: GW1100 (WS80/WH40)
Operating System: Raspberry OS/Bookworm
Location: Wagenborgen (NL)

Re: Important - Highcharts Licensing

Post by HansR »

broadstairs wrote: Wed 10 Apr 2024 9:17 am Hans, as Ken explained earlier, if you have to load code from a website outside of your own server you expose a potential security issue where that site could be compromised without your knowledge and load code exposing the end user to viruses etc. This is not just a theory; it has happened in the past and probably will in future. From a security point of view having the code loaded from your own server only significantly reduces this exposure. This is why a non-CDN option is much more preferable.
Yes, I read it and I understand it.

On the other hand: we may assume users take the highest precautions themselves (even Ray is now on https ;) ) and we may assume CDN providers do the best they can to prevent malicious attacks. As long as everybody does his/her thing, we may take the risk to be small. If you want no risk at all then don't get on the internet. I will make use of all possibilities of the modern internet and will do anything to prevent being attacked (there are many weather sites which are being flagged by my security system, I whitelist those which is a risk as I do not know if they really are safe).

My point is: we should not be afraid of progress in technology, but we should make sure everything is done to prevent malice.

So in summary: I think Ken is right but I also think: Don't throw the baby out with the bathwater.

[And now I'm offline again, the new modem comes today so with some luck I'll be online again tonight.]
Hans

https://meteo-wagenborgen.nl
CMX build 4017+ ● RPi 3B+ ● Raspbian Linux 6.1.21-v7+ armv7l ● dotnet 8.0.3
saratogaWX
Posts: 1206
Joined: Wed 06 May 2009 5:02 am
Weather Station: Davis Vantage Pro Plus
Operating System: Windows 10 Professional
Location: Saratoga, CA, USA

Re: Important - Highcharts Licensing

Post by saratogaWX »

@HansR, I'm not trying to avoid technological progress, just trying to minimize the 'attack surface' of a hobbyist's website.

Recently, there have been multiple 'supply chain' attacks where miscreants have infiltrated backdoors/other malware via open-sourced software via CDN distributions. Some have been massive and taken many folks to reverse and expunge the added malware (and clean up from website compromises).

Before I retired in 2004, I'd held a CISSP (security certificate) and specialized in 'Defense against the Dark Arts' at a major Semiconductor company. I still follow the security newsfeeds and see these CDN compromise issues at least once a month. That's another reason to have a local, known copy hosted on your own website -- just eliminates one additional point of entry to compromise of your website.
HansR
Posts: 5969
Joined: Sat 20 Oct 2012 6:53 am
Weather Station: GW1100 (WS80/WH40)
Operating System: Raspberry OS/Bookworm
Location: Wagenborgen (NL)

Re: Important - Highcharts Licensing

Post by HansR »

@SaratogaWX:
I think we differ in how far and with what angle we need to approach this type of problem.

There are many security issues and nobody can close all holes. The naked fact that an amateur has a site is enough to conclude there is a risk. I don't believe CDN poses special or enlarged risks. If that were the case they would already long have been banned or avoided and that is not the case.

But this thread is not about yes or no using CDN but on the Highcharts issue. So let's focus there and in the final choice we may meet again. Or I just deviate in the implementation. I won't turn this in a heated yes/no debate.

I heard your point.
Hans

https://meteo-wagenborgen.nl
CMX build 4017+ ● RPi 3B+ ● Raspbian Linux 6.1.21-v7+ armv7l ● dotnet 8.0.3
broadstairs
Posts: 781
Joined: Thu 14 Aug 2008 7:17 am
Weather Station: Ecowitt GW1003/GW1103/GW2000
Operating System: Windows 7 and Linux
Location: Broadstairs, Kent, UK

Re: Important - Highcharts Licensing

Post by broadstairs »

I understand your point, Hans, but I'm afraid I agree with Ken: I will not allow in future any code on my website which uses scripts which need to be from a 3rd party website. Better safe than sorry. I have already removed all CMX code from my site which does this, and I'm even less happy that the dashboard does this, so for now it stays, but I really hope the accepted solution has no 3rd party involved, or at least it gives me an option to turn it off on the dashboard.

Sorry if this is in your view extreme but after 40 years professionally in IT I am only too well aware of what can happen.

Stuart
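
An added example, not part of the thread and not Cumulus MX code: one way to list the scripts a page loads from hosts other than its own, which is the kind of code the post above describes removing. The sample page, its host names and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptSourceAudit(HTMLParser):
    """Collect every <script src=...> and resolve it against the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.base = page_url      # replaced if the page declares <base href>
        self.sources = []         # absolute URLs of external script files

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base = urljoin(self.base, attrs["href"])
        elif tag == "script" and attrs.get("src"):
            # urljoin resolves relative paths and protocol-relative //host/ URLs
            self.sources.append(urljoin(self.base, attrs["src"].strip()))


def third_party_scripts(html, page_url):
    """Return {host: [urls]} for scripts served from a host other than the page's."""
    own_host = urlsplit(page_url).hostname
    audit = ScriptSourceAudit(page_url)
    audit.feed(html)
    found = {}
    for url in audit.sources:
        host = urlsplit(url).hostname   # hostname is lower-cased by urlsplit
        if host and host != own_host:
            found.setdefault(host, []).append(url)
    return found


# Constructed sample page (hypothetical hosts, not taken from any real site).
SAMPLE_PAGE = """
<html><head>
<script src="/js/charts.js"></script>
<script src="lib/gauges.js"></script>
<script src="//cdn.example.net/charts/11.4.0/charts.js"></script>
<script src="HTTPS://Code.Example.org/jquery.min.js"></script>
<script>var inline = 1;</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    report = third_party_scripts(SAMPLE_PAGE, "https://weather.example.com/index.htm")
    for host, urls in sorted(report.items()):
        print(host, *urls, sep="\n  ")
```

Scripts injected at run time by other scripts do not appear in the static HTML, so this only covers what the page source itself references.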
HansR
Posts: 5969
Joined: Sat 20 Oct 2012 6:53 am
Weather Station: GW1100 (WS80/WH40)
Operating System: Raspberry OS/Bookworm
Location: Wagenborgen (NL)

Re: Important - Highcharts Licensing

Post by HansR »

@Broadstairs:
I understand all angles in any security issue and everybody must do what he/she thinks best.
But don't come with 40 years of experience: it's the same for me with a somewhat lighter view of things. My bad I guess.

Years ago when installing a central heating system in my house, I asked the company which delivered the system about saving gas (isolation etc...) apparently I wanted too much and he reacted: if you really want to save gas, turn it off.
Hans

https://meteo-wagenborgen.nl
CMX build 4017+ ● RPi 3B+ ● Raspbian Linux 6.1.21-v7+ armv7l ● dotnet 8.0.3
ConligWX
Posts: 1635
Joined: Mon 19 May 2014 10:45 pm
Weather Station: Davis vPro2+ w/DFARS + AirLink
Operating System: Ubuntu 24.04 LTS
Location: Bangor, NI

Re: Important - Highcharts Licensing

Post by ConligWX »

if we're voting.... then I'd go for the non-cdn version also
Regards Simon

https://www.conligwx.org - @conligwx
Davis Vantage Pro2 Plus with Daytime FARS • WeatherLink Live • Davis AirLink • PurpleAir • CumulusMX v4.0.0

Mapantz
Posts: 1824
Joined: Sat 17 Dec 2011 11:55 am
Weather Station: Davis Vantage Pro2
Operating System: Windows 11 x64
Location: Dorset - UK

Re: Important - Highcharts Licensing

Post by Mapantz »

Trusted CDN providers have exceptional levels of security.

I have no issue with using them and they can speed up website load times for users in other parts of the world.
rogerthn
Posts: 518
Joined: Thu 11 Apr 2013 6:31 pm
Weather Station: Ecowitt GW1000/GW1003
Operating System: Raspberry Pi OS bullseye aarch64
Location: Trollhättan Sweden

Re: Important - Highcharts Licensing

Post by rogerthn »

Mapantz wrote: Thu 11 Apr 2024 7:47 pm Trusted CDN providers have exceptional levels of security.
This might be, but The XZ Utils Backdoor?