

JQuery SSL Certificates Expire - rcconf
https://code.jquery.com/jquery-1.10.2.js

======
josho
This reminds me of a Microsoft research paper*

"It’s hard to blame users for not being interested in SSL and certificates
when (as far as we can determine) 100% of all certificate errors seen by users
are false positives."

* [http://msdn.microsoft.com/en-us/magazine/hh288087.aspx](http://msdn.microsoft.com/en-us/magazine/hh288087.aspx)

------
ihsw
Why not use Google's CDN?

[https://ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.m...](https://ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js)

~~~
danielweber
I am some kind of weird mutant because I consider having external javascript
on my website to be an embarrassment for anything bigger than a hobby project
-- but 99% of the universe behaves otherwise.

~~~
UnoriginalGuy
That's because the other 99% understands how browser caching works. If you use
JQuery.com, Google, or Microsoft's CDNs then MOST of the time users won't have
to download a JQuery/Boostrap/etc library as the browser would already have an
unexpired cache of it.

For example, the OP's link's cache will expire (theoretically) in the year
2079. So if a user visited ANY page that utilises JQuery v1.10.2 they already
have it. That is a HUGE win. It is an even huger win for mobile (e.g. for
small sites you could cut your network traffic in half, which in turn
increases loading speed).

It is also trivial to set it up so the page tries the CDN first and if that
fails then grab a local copy e.g.

<script src="//code.jquery.com/jquery-1.10.2.js"></script>
<script>window.jQuery || document.write('<script
src="lib/jquery-1.10.2.js">\x3C/script>')</script>

~~~
dm2
Would just using another CDN be just as safe?

~~~
UnoriginalGuy
No, no particular reasons. It is just the safest fallback. Presumably if a
user is even able to run that script (since you yourself are hosting it) the
library would also be available (i.e. either both are down or neither).

------
0x0
Would the standard local js fallback pattern solve this?

<script>window.jQuery || document.write('<script
src="js/jquery-2.0.0.min.js">\x3C/script>')</script>

~~~
gprasanth
Indeed! it's shipped as standard in html5 boilerplate code
[https://github.com/h5bp/html5-boilerplate/blob/c3a72ff882104...](https://github.com/h5bp/html5-boilerplate/blob/c3a72ff882104a1abc6ed05f5ca3eabb11c08a51/index.html#L25)

------
rcconf
This brought down our website. Lesson learned, host your own JavaScript.

~~~
dtech
Or use a CDN you have more trust in, like Google's.

------
dtech
Wow, how can a prominent internet library that advises its users to use this
server make such an avoidable rookie mistake...

~~~
nobodysfool
Well, because chances are they gave the job of renewing the certificates to
the rookie, and he may not have known how to do it, or raised the issue
multiple times and nobody knew the implications of it. I know the last place I
worked at, I mentioned that the certificates were expiring, and I needed to
pay to renew them, yet they didn't seem to care until our customers couldn't
connect anymore.

------
dm2
CloudFlare CDN:
[http://cdnjs.com/libraries/jquery](http://cdnjs.com/libraries/jquery)

I use to use the Google CDN but cdnjs.com has a huge amount of javascript
libraries hosted on it and it is usually updated faster.

------
html5web
Why you guys talking about minuses of jQuery? Donate some bucks to jQuery
creators instead.

------
Justanothernate
Here's a post on stack overflow from July 30, 2012. Looks like the same thing
happened 2 years ago. Not sure why they renewed it for only 1 year again
considering it's expired twice in 2 years.

[http://stackoverflow.com/questions/11726451/ajax-call-to-
res...](http://stackoverflow.com/questions/11726451/ajax-call-to-rest-api-in-
jquery-no-longer-works-caused-by-expired-ssl-certifica)

------
Zikes
Are there any proposals for a local CDN-like caching system capable of
handling these sorts of "universal resources"?

I understand the difficulties would be many (trusted sources, versioning,
etc.) but I bet it would have a huge impact on the overall web's bandwidth
consumption if a page could say "load standard jQuery v1.10.2 on this page, if
not cached find it here or here".

------
hayksaakian
Is there a public acknowledgement of the problem?

~~~
yuhong
[https://twitter.com/jquery/status/494922194351181824](https://twitter.com/jquery/status/494922194351181824)

------
getdavidhiggins
[http://code.jque.re/](http://code.jque.re/)

------
abimaelmartell
Any "big" website is broken because of this?

~~~
slouch
eBay was down earlier, but I have no idea if this was the reason.

------
edftw
just took down our site - can't sign up users

------
peterwwillis
Good news! They renewed the certificate...... For one year.

 _facepalm_

------
BradRuderman
please fix asap!

~~~
Zergy
Wouldn't this be solved by hosting it on your own site?

~~~
mhogomchungu
I assume that will work,but it will introduce two problems.

1\. Keep a local copy means you will be the one paying for the bandwidth to
serve it.

2\. You will have to manually update your local copy everytime upstream makes
improvements.

Having things locally increases reliability but it carries its own costs.

~~~
kcbanner
How is getting upstream "improvements" without having a chance to test them a
good thing?

~~~
danielweber
"Users want and demand a rich computing experience."[1]

[1]
[http://catless.ncl.ac.uk/Risks/18.85.html#subj6](http://catless.ncl.ac.uk/Risks/18.85.html#subj6)

