Microsoft's Ajax CDN tumbles worldwide

37 points by fabm over 12 years ago

5 comments

dotBen over 12 years ago
If anyone still needs convincing these CDN'd JS libs are a bad design pattern, check out this presentation from 2012's Black Hat (and also DEFCON) on MITM attacks on them that persist after the user has been exposed (due to indefinite caching of poisoned JS files).

http://media.blackhat.com/bh-us-12/Briefings/Alonso/BH_US_12_Alonso_Owning_Bad_Guys_WP.pdf, or https://www.youtube.com/watch?v=ZCNZJ_7f0Hk (quite entertaining presentation)

The tl;dr is users browse a short time via an anonymous proxy (c'mon, many do), the proxy MITMs these CDNs' JS lib requests and serves up poisoned versions that work but also check a mothership server to load in further poisoned + persistently cached JS files for popular websites (banking, Facebook, etc.). User then ends their proxy session but future visits (even direct, not via proxy) to sites load in the now cached poisoned JS libs. Phishing, credential theft, clipboard theft, etc. are all now possible.
Comment #5002880 not loaded
Benferhat over 12 years ago
This is why I use yepnope [0].

"yepnope.js has the capability to do resource fallbacks and still download dependent scripts in parallel with the first."

[0] http://yepnopejs.com/
aswerty over 12 years ago
Well I've added CDN failure contingency to my todo list for the site I'm currently running. The lack of communication from Microsoft is annoying, even a tweet acknowledging the issue would be something.
edhooper over 12 years ago
It looks like the CDN still works from Australia but is down almost everywhere else
dos1 over 12 years ago
More generally, I have never understood why people use these third party CDNs for important sites. Don't get me wrong, I understand the bullet points that the Microsofts and Googles trot out: user more likely to have it cached, more simultaneously open connections since it's a different domain, perhaps less latency, etc.

But the simple fact of the matter is if the CDN goes down, your site essentially goes down. Everything else might be up and working great, but how well will the UI function if the user can't pull in jQuery? I just don't see any value in taking a dependency on these third parties for hosting JS libs and the like.
Comment #5002679 not loaded
Comment #5002797 not loaded
Comment #5002860 not loaded
Comment #5002929 not loaded
Comment #5006077 not loaded
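The fallback pattern Benferhat and dos1 are discussing, as an added example that is not code from the thread, from yepnope or from any CDN: try each source in order and move to a same-origin copy when the CDN fails or returns something that does not define the library. The CDN and local URLs are placeholders, and the `integrity` attribute goes beyond the thread (Subresource Integrity is a later browser feature that addresses dotBen's poisoned-cache scenario).

```javascript
// Try each source for a library in order; fall back to the next when a CDN
// is down or serves a file that does not define the library. The loader is
// injected so the same logic runs in a browser or in Node with a fake loader.
async function loadWithFallback(sources, loadScript, probe) {
  const attempts = [];
  for (const url of sources) {
    try {
      await loadScript(url);
      if (probe()) return { url, attempts };          // library really arrived
      attempts.push({ url, reason: "loaded but library not defined" });
    } catch (err) {
      attempts.push({ url, reason: err.message });   // network/HTTP failure
    }
  }
  throw new Error("all sources failed: " + JSON.stringify(attempts));
}

// Browser loader: inject a <script> tag; resolve on load, reject on error.
// `integrity` (Subresource Integrity) is not mentioned in the thread: with it
// the browser refuses a copy whose hash differs, so a poisoned or cached
// tampered file is rejected and the fallback path is taken instead.
function browserLoader(integrityByUrl = {}) {
  return (url) => new Promise((resolve, reject) => {
    const s = document.createElement("script");
    s.src = url;
    if (integrityByUrl[url]) {
      s.integrity = integrityByUrl[url];
      s.crossOrigin = "anonymous";
    }
    s.onload = () => resolve(url);
    s.onerror = () => reject(new Error("failed to load " + url));
    document.head.appendChild(s);
  });
}

// Constructed scenario mirroring the outage: the CDN copy (placeholder URL)
// fails and the same-origin copy succeeds. `state` stands in for `window`.
function simulateCdnOutage() {
  const state = { jQuery: undefined };
  const sources = ["https://cdn.example.com/jquery.min.js", "/static/js/jquery.min.js"];
  const fakeLoader = (url) => {
    if (url.startsWith("https://cdn.example.com/")) {
      return Promise.reject(new Error("failed to load " + url));
    }
    state.jQuery = function jQuery() {};          // local copy defines it
    return Promise.resolve(url);
  };
  return loadWithFallback(sources, fakeLoader, () => typeof state.jQuery === "function");
}
```

In a page the call is `loadWithFallback(sources, browserLoader(hashes), () => typeof window.jQuery !== "undefined")`; the probe matters because a CDN error page served with HTTP 200 still fires `onload`.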