[IPython-dev] Insecure loading of mathjax

Thomas Kluyver takowl at gmail.com
Fri Aug 1 17:37:12 EDT 2014


On 1 August 2014 14:13, Julian Taylor <jtaylor.debian at googlemail.com> wrote:

> Is the mathjax cdn certificate still shared between all users of
> whatever hosting provider is behind it?
> Back then this was the case for the https cdn mathjax used, making it
> quite pointless, as any user of that hosting service (I think it was
> amazon) could serve you a forged mathjax via valid https.
>

Looking at the certificate details in my browser, it looks like that is
still an issue. It doesn't look like it's shared between all users of the
hosting service - there's a list of 30 or so domains that appear to share
it. I think that means that only someone who controlled one of those
domains could do a MITM attack, so it's a lot more secure than just loading
it over http, but still not properly secure. Gah, what's the point of HTTPS
if it gets used like this...

I am very much not a security expert, so take my assessment with a large
pinch of salt.

Thomas
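The certificate inspection above was done by eye in a browser. The following is an added example (not part of the original message or of IPython/MathJax) that does the same check programmatically: it reads the subjectAltName list in the dict shape that Python's ssl.getpeercert() returns, checks whether the expected host is covered, and counts how many distinct registrable domains share the certificate. The sample certificate dict and all ".test" names are constructed for the demo; the grouping by "last two labels" is a deliberate simplification that ignores the public suffix list.

```python
import ssl
import socket
from collections import Counter

def fetch_peer_cert(host, port=443, timeout=10):
    """Fetch the validated leaf cert of host as ssl.getpeercert() returns it.
    Network call; the offline demo below uses the constructed SAMPLE_CERT instead."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def san_dns_names(cert):
    """DNS entries of the subjectAltName extension in a getpeercert() dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def san_matches(pattern, host):
    """RFC 6125-style match: exact name, or a single leading wildcard label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.tenant.test" -> ".tenant.test"
        prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
        return bool(prefix) and "." not in prefix  # wildcard covers one label only
    return False

def registrable_domain(name):
    """Naive grouping key: last two labels, wildcard stripped (assumption, no PSL)."""
    return ".".join(name.lstrip("*.").split(".")[-2:])

def san_report(cert, expected_host):
    """Summarise who else shares this certificate with expected_host."""
    names = san_dns_names(cert)
    owners = Counter(registrable_domain(n) for n in names)
    mine = registrable_domain(expected_host)
    return {
        "covers_host": any(san_matches(n, expected_host) for n in names),
        "san_count": len(names),
        "distinct_owners": len(owners),
        "other_owners": sorted(o for o in owners if o != mine),
    }

# Constructed sample resembling a multi-tenant CDN certificate; not a real cert.
SAMPLE_CERT = {
    "subject": ((("commonName", "cdn-shared.example-hosting.test"),),),
    "subjectAltName": (
        ("DNS", "cdn-shared.example-hosting.test"),
        ("DNS", "cdn.mathjax.test"),
        ("DNS", "*.tenant-a.test"),
        ("DNS", "assets.tenant-b.test"),
        ("DNS", "www.tenant-b.test"),
    ),
}

if __name__ == "__main__":
    print(san_report(SAMPLE_CERT, "cdn.mathjax.test"))
```

Every domain listed under "other_owners" is one whose operator could present this same certificate for the expected host, which is the exposure the thread is discussing.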