[IPython-dev] Insecure loading of mathjax

Thomas Kluyver takowl at gmail.com
Wed Aug 6 17:49:10 EDT 2014


My discussions with Mathjax developers led me to post a question on
security.stackexchange, and I am now satisfied that what Cloudflare is
doing with SSL certificates, although it is somewhat out of the ordinary,
does not allow someone controlling one of those sites to MITM requests to
another of them. So if we load Mathjax over HTTPS, we are only trusting
mathjax.org and Cloudflare.

https://github.com/mathjax/MathJax/issues/885
http://security.stackexchange.com/q/64738/53098

Thanks,
Thomas


On 1 August 2014 18:20, Thomas Kluyver <takowl at gmail.com> wrote:

> On 1 August 2014 15:47, Julian Taylor <jtaylor.debian at googlemail.com>
> wrote:
>
>> In this case if someone is able to do a MITM and controls one of the
>> domains that share the certificate with mathjax that person would be
>> able to redirect the request to mathjax.org to his domain and serve any
>> file. The browser would accept this as the certificate is valid for the
>> domain even though it's a different one than the request was sent to.
>> Or would the browser complain about the change in any case?
>>
>
> I have opened an issue on Mathjax to work out if this is possible. It's
> probably most concerning for IPython, but if it's possible, it potentially
> affects any site loading Mathjax from the CDN.
>
> https://github.com/mathjax/MathJax/issues/885
>
> Thomas
>
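The question above is what a browser actually checks when the CDN certificate
lists many unrelated names. The following is an added example (not code from
this thread, IPython or MathJax): it models the RFC 6125 name-matching step
against a constructed multi-SAN certificate; all names other than mathjax.org
are invented.

```python
"""Added example (not from the thread): the hostname check a browser
performs when it loads MathJax over HTTPS from a certificate shared by
several CDN tenants, following the RFC 6125 section 6.4.3 rules."""

# Constructed SAN list imitating a CDN-issued certificate shared by
# unrelated tenants. Only mathjax.org is taken from the thread; the
# other names are made up for this example.
SHARED_CERT_SANS = [
    "cdn.mathjax.org",
    "mathjax.org",
    "*.example-tenant.test",
    "another-tenant.test",
]


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one SAN entry against a hostname.
    A wildcard is only accepted as the entire left-most label and
    never matches across a dot, so '*.a.test' covers 'x.a.test' but
    neither 'a.test' nor 'y.x.a.test'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    first, _, rest = pattern.partition(".")
    if first != "*" or not rest:
        return False  # partial-label ('f*o') or bare '*' wildcards rejected
    host_first, _, host_rest = hostname.partition(".")
    return bool(host_first) and host_rest == rest


def cert_valid_for(hostname: str, sans=SHARED_CERT_SANS) -> bool:
    """True when any SAN entry covers the requested hostname. This is
    the only identity check the browser makes: it does not care which
    tenant 'owns' the other names, only that the peer proves possession
    of the private key (held by the CDN, not by the tenants)."""
    return any(_dns_name_match(san, hostname) for san in sans)


def cotenants(hostname: str, sans=SHARED_CERT_SANS) -> list:
    """SAN entries on the same certificate that do not cover the
    requested host, i.e. the other sites whose owners the thread asked
    about; they share the certificate but not the key."""
    return [san for san in sans if not _dns_name_match(san, hostname)]
```

So a request for mathjax.org validates against this certificate, a request for
www.mathjax.org does not (no matching wildcard), and the trust boundary is
whoever holds the private key rather than the owners of the co-listed names.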