[IPython-dev] Insecure loading of mathjax

Thomas Kluyver takowl at gmail.com
Fri Aug 1 17:37:12 EDT 2014

On 1 August 2014 14:13, Julian Taylor <jtaylor.debian at googlemail.com> wrote:

> Is the mathjax cdn certificate still shared between all users of
> whatever hosting provider is behind it?
> Back then this was the case for the https cdn mathjax used making it
> quite pointless as any users of that hosting service (I think it was
> amazon) could serve you a forged mathjax via valid https.

Looking at the certificate details in my browser, it looks like that is
still an issue. It doesn't look like it's shared between all users of the
hosting service - there's a list of 30 or so domains that appear to share
it. I think that means that only someone who controlled one of those
domains could do a MITM attack, so it's a lot more secure than just loading
it over http, but still not properly secure. Gah, what's the point of HTTPS
if it gets used like this...

I am very much not a security expert, so take my assessment with a large
pinch of salt.
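
The check described in the message above, reading the certificate's name list to see which other domains it covers, can be scripted. This is an added example, not part of the original post; it works on the dictionary format returned by Python's `ssl.SSLSocket.getpeercert()`, and the sample certificate and all host names in it are constructed placeholders.

```python
import socket
import ssl

def fetch_cert(host, port=443, timeout=5.0):
    """Return the validated peer certificate as the dict getpeercert() gives."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def dns_sans(cert):
    """All DNS names in the subjectAltName extension, lowercased."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_covers(pattern, host):
    """True if a SAN entry covers host; '*' matches exactly one leftmost label."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    first, _, rest = host.partition(".")
    return bool(first) and rest == pattern[2:]

def co_tenants(cert, host):
    """Split SANs into those covering host and the other names on the same cert."""
    names = dns_sans(cert)
    covering = [n for n in names if name_covers(n, host)]
    others = sorted(set(names) - set(covering))
    return covering, others

# Constructed sample in getpeercert() format; every name is a placeholder.
SAMPLE_CERT = {
    "subject": ((("commonName", "shared.cdn.example"),),),
    "subjectAltName": (
        ("DNS", "shared.cdn.example"),
        ("DNS", "*.mathcdn.example"),
        ("DNS", "tenant-a.example"),
        ("DNS", "*.tenant-b.example"),
        ("IP Address", "192.0.2.10"),
    ),
}

if __name__ == "__main__":
    covering, others = co_tenants(SAMPLE_CERT, "cdn.mathcdn.example")
    print("entries covering the host:", covering)
    print(len(others), "other names share this certificate:", others)
```

Every name in the second list is served with the same certificate, which is the sharing the thread is concerned about; `fetch_cert` is only needed when checking a live host.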
