Adblock & Noscript
...plus not giving a flying ***k about celebutards in general means I'm unlikely to have been hit.
Celeb goss and dross site TMZ has been serving the world's worst exploit kit to its 30 million monthly visitors after malvertising scum compromised its advertising chain. Readers of the site can be automatically redirected to malicious pages that serve the brutal Angler exploit kit which loads malware capable of all manner of …
"Segura says CloudFlare is investigating the use of its network by malvertisers but says the ad networks have kept mum."
And these same ad networks have the fucking face to demand we trust them and bitch about people using ad blockers?
Every one of the executives and managers working for those ad companies belongs in the bloody gulag.
"Would that be the Gulag that Max had to face in Mad Max III, 'Bust a deal, face the wheel'? Or just your everyday Russian gulag?"
There's a Mad Max III? I always understood that was a non-existent myth, like the equally non-existent Highlander II...
But no, I was thinking in terms of salt mines. For the rest of their stinking, worthless lives. At least then they'd be producing something useful and it wouldn't cost a bomb to keep them safely locked up as it would putting them in chokey!
... attackers gained access through ad platform ContextWeb and Smartyads, using CloudFlare to hide infrastructure
And that is why I will continue to use NoScript on automatic block for every site I visit.
Not because I hate the Ads, but because I value my PC's integrity.
HTTP Secured and *Authenticated*
I'm not surprised that all those morons who didn't understand that a digital certificate for encryption only is dangerous when you always told people it also meant "trust" - and browsers happily show green icons to tell you "everything's fine!"
Is Cloudflare serving via HTTPS with its own certificates content it doesn't know where they are from?? I would say it is culpable if it *authenticated* those malware contents with its certificates.
And we'll see more of these, because the paranoids of state snooping (not totally wrong, but still paranoid in their behaviour) are pushing for more encryption without authentication.
It's really time to separate the two. Is a link using encryption without proper endpoint(s) authentication? Show it's encrypted, but not trusted. Are endpoints properly and fully authenticated? Ok, show it's trusted.
"Are endpoints properly and fully authenticated? Ok, show it's trusted."
How do you do that? You have to trust someone. Back to square one please.
https = encrypted ("encrypted", doesn't mean well encrypted)
Not getting a giant warning/padlock/green address bar/whatever = authenticated
It's up to you which certificate authorities you trust. If you want to keep the defaults, that will work, and you'll get any old advertising network slinging crap at you. If you're 'paranoid' then you can only trust those certificate authorities your mates/employer/clients create.