[IPython-dev] Insecure loading of mathjax

Thomas Kluyver takowl at gmail.com
Fri Aug 1 18:26:20 EDT 2014


On 1 August 2014 15:03, Julian Taylor <jtaylor.debian at googlemail.com> wrote:

> The shared certificate is probably not a huge problem as the number of
> AltNames for the mathjax certificate is quite small, but some googling
> showed that this is indeed an attack vector:
>
> http://news.netcraft.com/archives/2013/10/07/phishers-using-cloudflare-for-ssl.html
>

That doesn't appear to show someone actually MITMing an https server using
the shared certificate. The concern there appears to be that Cloudflare is
letting people use its https certificates without much/any validation,
making for more convincing phishing attacks. That wouldn't compromise a
request to a specific, known URL.

Amusingly, if predictably, it appears that these shared certificates are
needed because of 'a lack of support for SNI in Internet Explorer on
Windows XP'.

I'll put this on the agenda for the next dev meeting.

Thomas