[IPython-dev] Insecure loading of mathjax

Julian Taylor jtaylor.debian at googlemail.com
Fri Aug 1 18:03:58 EDT 2014


On 01.08.2014 23:40, Paul Ivanov wrote:
> Hi Julian, Kyle, and list,
> 
> I just wanted to publicly thank Kyle again for following through
> with these and ensuring that they get reported and communicated in
> the right manner. None of the other IPython developers have
> any experience with disclosing security vulnerabilities to
> appropriate channels, and Kyle has stepped up entirely in a
> volunteer capacity to do this for the benefit of the community.
> 
> Thanks to you as well, Julian, for bringing that CDN certificate
> issue to our attention. We need all the help we can get, and my
> immediate reaction to reading "...making it quite
> pointless..." was that Kyle is getting the stick instead of a
> carrot for following through and doing a better job than we would
> have done without him (your point about reporting this back in
> 0.12 is an example of our previous lack of familiarity,
> appreciation, and engagement with security related issues).

I think it is great that Kyle is communicating the issues and helping
fix them. I did not intend to give "the stick" with my statement; I
was referring to the situation back then, where I myself could have
probably handled the situation much better.

I too do not know very much about network security and how best to
report issues, though I can possibly help out contacting the
distribution security teams if needed.

The shared certificate is probably not a huge problem as the number of
AltNames for the mathjax certificate is quite small, but some googling
showed that this is indeed an attack vector:
http://news.netcraft.com/archives/2013/10/07/phishers-using-cloudflare-for-ssl.html

But I don't know if this is relevant enough to require any more actions
from IPython.

> 
> If you have the time and interest, we'd love your help on the
> security side of things (contact Kyle or me offlist), and I think
> Kyle is striving to do a much more punctual disclosure of this
> vulnerability in part because of your feedback on CVE-2014-3429.
> I just want to make sure that we continue to have productive
> interactions.
> 
> my sincerest appreciation to both of you,
> 