[IPython-dev] Insecure loading of mathjax

Julian Taylor jtaylor.debian at googlemail.com
Fri Aug 1 18:47:52 EDT 2014


On 02.08.2014 00:26, Thomas Kluyver wrote:
> On 1 August 2014 15:03, Julian Taylor <jtaylor.debian at googlemail.com> wrote:
> 
>     The shared certificate is probably not a huge problem as the number of
>     AltNames for the mathjax certificate is quite small, but some googling
>     showed that this is indeed an attack vector:
>     http://news.netcraft.com/archives/2013/10/07/phishers-using-cloudflare-for-ssl.html
> 
> 
> That doesn't appear to show someone actually MITMing an https server
> using the shared certificate. The concern there appears to be that
> cloudflare is letting people use its https certificates without much/any
> validation, making for more convincing phishing attacks. That wouldn't
> compromise a request to a specific, known URL.

Normally, if you can do an MITM and someone redirects your request to
mathjax.org to another domain, the browser would give you a certificate
error as the certificate served would not be valid for the domain you
requested.
In this case, if someone is able to do an MITM and controls one of the
domains that share the certificate with mathjax, that person would be
able to redirect the request to mathjax.org to his domain and serve any
file. The browser would accept this as the certificate is valid for the
domain even though it's a different one than the request was sent to.
Or would the browser complain about the change in any case?

But I guess this is unlikely to be feasible/worthwhile to attack ipython
users in practice.

> 
> Amusingly, if predictably, it appears that these shared certificates are
> needed because of 'a lack of support for SNI in Internet Explorer on
> Windows XP'.

Also amusingly, Amazon CloudFront, which (I think) mathjax used before
Rackspace and CloudFront, now supports SNI since March this year:
http://aws.amazon.com/blogs/aws/server-name-indication-sni-and-http-redirection-for-amazon-cloudfront/
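
An added illustration of the hostname check discussed above (my own example, not code from the thread, IPython or MathJax): a client accepts a certificate as soon as the requested name matches any subjectAltName entry, so it cannot tell which of the listed sites actually answered. The SAN list below is constructed for the example and is not MathJax's real certificate.

```python
"""Hostname-vs-certificate matching, modelled on the RFC 6125 rules browsers use.

The client only checks that the requested hostname appears in the
certificate's subjectAltName (SAN) list; it has no way of knowing which of
the listed sites is on the other end of the connection.
"""
from typing import Iterable, List

# Constructed SAN list for illustration only (NOT the real mathjax.org cert).
SHARED_CERT_SANS = [
    "cdn.mathjax.org",
    "*.mathjax.org",
    "some-unrelated-site.example",
    "*.another-tenant.example",
]


def _san_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname (case-insensitive).

    A wildcard is honoured only as the entire left-most label and only
    against exactly one label, which is what browsers enforce.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False  # '*.org'-style wildcards and multi-label matches rejected
    return p_labels[1:] == h_labels[1:]


def cert_accepted_for(hostname: str, sans: Iterable[str]) -> bool:
    """Would a client accept this certificate for a request to `hostname`?"""
    return any(_san_matches(san, hostname) for san in sans)


def names_sharing_trust(hostname: str, sans: Iterable[str]) -> List[str]:
    """SAN entries other than `hostname` that the same certificate covers.

    This is the exposure the thread describes: whoever operates any of
    these names is served with a certificate that is also valid for
    `hostname`, so a redirected request would not raise a browser error.
    """
    if not cert_accepted_for(hostname, sans):
        return []
    return [san for san in sans if not _san_matches(san, hostname)]
```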
