New Standards for Preventing Browser Hijacking

  • How many websites do you know that have implemented Subresource Integrity or CSP? These technologies are a pain in the ass and don't provide enough benefit to be worth it.

    If you're interested in pursuing something like this, I think you really need to find a problem that is big and important enough for your average developer to agree that the cost is worth it. Being able to use insecure networks safely turned out to be important enough that we're making strides toward TLS, though with a lot of struggle. What problem is as important as that for people to start thinking of doing this much work? And is there any way to scope it down to be less work?

    Maybe you could convince people that we need to sign ads so that it's not so trivial to deploy exploit kits inside ads, but we're largely solving that by making exploits more expensive, rather than solving ad integrity, so the gain on this is smaller than it would have been a decade ago.

  • To date, the strongest technologies that can be deployed to protect against these attacks are insufficient. Some technologies are on the right path – SubResourceIntegrity (SRI) promises to help organizations manage the risk of including 3rd party JavaScript includes – or those from load balancers. Google's Caja project is showing some promise in producing the security assurances that a verification scheme would rely on. These are showing some promise – but the industry has yet to comprehensively focus on verifiable build-of-materials protocols for code delivered to web browsers. We could enable the types of applications that depend on client integrity; for example, the use of End to End Encrypted Chat is only secure from these attacks if a specific version of a web application can be identified, verified and tested by trusted experts, and only that version allowed to execute.

  • Thank you for sharing this post. In this post, I learned about preventing browser hijacking. You can protect your sites from hijacking by following some tips like: update your OS and your browser software, use your antivirus software's "Realtime Protection" feature, etc.