[aquark]

Technically how should he know jquery.com is more trusted than jquery.it?

jquery.com does NOT appear to have a fully valid SSL certificate: Chrome gives me "the site's security certificate is not trusted!"

Like it or not, Google is an important part of establishing reputation -- that's what pagerank was built on initially and if that becomes worthless then finding the true source of something becomes very difficult.

[patio11]

jquery.com does NOT appear to have a fully valid SSL certificate

Hypothetically supposing that jquery.com had a lovely little green lock, that wouldn't matter, because on jquery.it a) you wouldn't be looking for the lovely green lock and b) if you did look for it, look here, a lovely little green lock and c) you didn't click the lovely green lock to see who it was issued to but if you did d) it was issued to jquery.it, which matches the address in your bar.

SSL solves one problem, really really nicely: it makes it impossible to eavesdrop between the user and a trusted endpoint. It does basically nothing to make sure that the trusted endpoint is the one the user thinks they are interacting with.

[aquark]

True -- the green lock itself wouldn't help here. I was thinking more along the lines of code signing certificates.

When I visited by bank's web site and drill into the certificate details I can at least establish that someone my browser vendors trusts (or someone they trust ...) issued the certificate to an _organization_ called 'Bank of Nova Scotia' in Toronto, not just the domain name.

If I was able to register micr0soft.com then hopefully I would have a hard time getting an SSL certificate issued for it. I know there have been a number of discussions on certificate infrastructure here that show how complex this can become.

[chrisjsmith]

SLL certificates bring nothing other than a false peace if mind. I've seen fake antivirus software that goes to great lengths to provide verified (!) SSL encrypted pages to steal your credit card details.

[tptacek]

Well, that, and actually allowing SSL sessions to be encrypted without being trivially susceptible to MITM attacks.

[premchai21]

Which fake software is this? If it's already taken control of the client side, too, couldn't it just be altering the root certificate set rather than exploiting some weakness of the union of all of the existing roots (which no doubt have many such weaknesses regardless)?

[chrisjsmith]

"Vista Security 2012". It can't touch the root certs as you need elevated privileges to do that. The entire thing hijacks the user's shell via the registry. You can log in as another user on the machine and it appears not to be infected.

Quite well designed really :-)

[kaerast]

Find the Github account with the most forks and followers. That's probably the official repository and will link to the official website. They may not use Github of course, but there are other similar methods.

Other good signs are them being linked to from cdnjs, cached-commons or microjs. If I'm looking to solve a javascript itch I'll first browse these sites to see if there is a popular tool.

Also, if you're looking for jQuery then it's because you've read about it online somewhere. Simply go back and follow the links.

[VMG]

Well, in this specific case, the header comment in http://code.jquery.it/jquery-1.6.2.js still references jquery.com

[brown9-2]

This is an interesting point - why does jquery.com have a https version in the first place? And why did someone bother to set it up with a self-signed certificate?

Sounds like perhaps someone was testing something long back (cert was signed in 2009) and just never turned it off.

[ldar15]

This is a great question for new users of jQuery, or indeed any software I need to download and integrate with my software/website. When a user is hit with malware, it affects just them (and maybe their email/facebook friends). If I download malware and incorporate it into my software, then I'm now distributing it to my users!

So how I do it is I look for the community. github is a good place to look. HN is itself a good source of vetting. Google, certainly, but not the first link I find. In fact, when I first heard about jQuery, I didn't assume that the "real" site could be trusted either: if I'm going to install this on my site, and serve it to people who trust me, then it had better be trustworthy.

Now imagine I run a tutorial website, and people come to my site because they trust me, and then they install software they copied from me (or my links), and distribute that to their users. Wow. Kudos to the author: I think it was bad form to blame google here, but the fact that he admitted it all does a lot to reestablish trust.

[Encosia]

Just to be clear, I didn't distribute the janky copy of jQuery to anyone myself. I test my samples pretty thoroughly before publishing, and definitely would have caught something like this.

The situation here was that someone was using one of my samples from the jQuery 1.2 era and wanted to see if it would work with 1.6.2. He downloaded the ".it" copy of jQuery to test it with, got the syntax error when he used it in my sample, thought it was because my code didn't work right with 1.6.2, and got in touch with me about it. That's about where the post picks up at, when I rushed to grab a copy of 1.6.2 via Google and made the mistake of downloading the ".it" copy without noticing.

[ldar15]

Sorry, I didnt meant to suggest that actually happened in the last paragraph but it does read that way on review. My apologies.

[Encosia]

No worries. I just wanted to make sure you (or others) didn't think I was that careless.