by seaerkin 2114 days ago
I agree with the author. Is it highly unlikely, sure, but it's important to create awareness of the risks associated. At the end of the day, you are sending potentially sensitive data to a third party.

Good security posture is all about building habits and I personally don't want myself or my team being comfortable with the idea of pasting code or JSON config files into a third party system.

If any of these online tools are sending your data to the server, don't use them. You don't know what happens with your data once you send it and accidents happen even if the service has your best interests in mind.

For the ones that are client side, such as JSON-to-go, you can save the client side code locally, set a bookmark, and use your local version instead.

3 comments

*Is it highly unlikely, sure, but it's important to create awareness of the risks associated. At the end of the day, you are sending potentially sensitive data to a third party.*

I don't think it is highly unlikely. I think it is highly likely that if you make a habit of using these tools one of them will eventually be compromised. Either through a technical hack, financial pressure, purchase by an immoral entity, or a disgruntled employee somewhere along the path.

Then again if it's just for testing/learning, and the data isn't really sensitive who cares, use what's easiest. Most of the time the easiest for me is jupyter so I can test how it actually works, and when I'm finished I have working code.

The likelihood of compromise depends on data being sent + chance of said service being malicious, which is why I said highly unlikely. Even if I gave you a JWT or config file, you'd still have to know how and where to use it. Sometimes this can be obvious, sometimes even if you know how, you can't access the where like if the credentials contained access to a db local to only my machine or to a server behind a firewall.

This topic is much broader than just online JSON tools. There are all kinds of converters, transformers, and linting tools available online for many languages and frameworks that you shouldn't be sending your private code to.

I disagree with the author on always running it locally for yourself. If a service is useful enough, you should set it up internally so your team has a sandbox to use it. Spread the knowledge instead of hoarding it. Compiler Explorer is an example here.

I keep a copy of CyberChef [0] locally. Can do the majority of the data manipulation I need. Does JWT Decoding / Signing / Verification and JSON Validation / Pretty as well. You can experiment with insignificant data here [1].

[0] https://github.com/gchq/CyberChef

[1] https://gchq.github.io/CyberChef/
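Added example, not code from this thread or from CyberChef: a small local stand-in for the JWT decode / verify and JSON validate / pretty-print operations mentioned above, so a token or config never has to be pasted into a third-party page. The secret and claims are constructed throwaway values, and only HS256 is handled.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_jwt(token: str) -> dict:
    """Split a compact JWT into header, payload and raw signature; trusts nothing."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature": b64url_decode(signature_b64),
    }

def verify_hs256(token: str, secret: bytes) -> bool:
    """Recompute the HS256 MAC over header.payload and compare in constant time."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return False  # only HS256 is handled here; any other alg is rejected
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(signature_b64))

def pretty_json(text: str) -> str:
    """Validate and pretty-print JSON locally; raises ValueError on bad input."""
    return json.dumps(json.loads(text), indent=2, sort_keys=True)

def make_hs256_token(payload: dict, secret: bytes) -> str:
    """Mint a test token so the example runs offline (constructed sample input)."""
    compact = {"separators": (",", ":")}
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    body = b64url_encode(json.dumps(payload, **compact).encode())
    mac = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"

# Constructed throwaway secret and claims; nothing here leaves the machine.
SAMPLE_SECRET = b"local-demo-secret"
SAMPLE_TOKEN = make_hs256_token({"sub": "alice", "role": "dev"}, SAMPLE_SECRET)

if __name__ == "__main__":
    print(pretty_json(json.dumps(decode_jwt(SAMPLE_TOKEN)["payload"])))
    print("signature valid:", verify_hs256(SAMPLE_TOKEN, SAMPLE_SECRET))
```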

Wow this looks really useful
Thank you