<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On 1 August 2014 15:03, Julian Taylor <span dir="ltr"><<a href="mailto:jtaylor.debian@googlemail.com" target="_blank">jtaylor.debian@googlemail.com</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div id=":1lh" class="" style="overflow:hidden">The shared certificate is probably not a huge problem as the number of<br>


AltNames for the mathjax certificate is quite small, but some googling<br>
showed that this is indeed an attack vector:<br>
<a href="http://news.netcraft.com/archives/2013/10/07/phishers-using-cloudflare-for-ssl.html" target="_blank">http://news.netcraft.com/archives/2013/10/07/phishers-using-cloudflare-for-ssl.html</a></div></blockquote></div>

<br></div><div class="gmail_extra">That doesn't appear to show someone actually MITMing an https server using the shared certificate. The concern there appears to be that cloudflare is letting people use its https certificates without much/any validation, making for more convincing phishing attacks. That wouldn't compromise a request to a specific, known URL.<br>

<br></div><div class="gmail_extra">Amusingly, if predictably, it appears that these shared certificates are needed because of 'a lack of support for SNI in Internet Explorer on Windows XP'.<br><br></div><div class="gmail_extra">

I'll put this on the agenda for the next dev meeting.<br></div><div class="gmail_extra"><br></div><div class="gmail_extra">Thomas<br></div></div>