Re: CVE Request: Enforce use of HTTPS for MathJax in IPython

[gremlin () gremlin ru]

On 31-Jul-2014 23:23:18 -0500, Kyle Kelley wrote:

> Summary: When using the IPython notebook without encryption
> (i.e. running the server on HTTP instead of HTTPS), mathjax is
> loaded over HTTP. An attacker with fortuitous network position
> could execute code on a local IPython notebook by modifying the
> mathjax javascript.

HTTPS wouldn't help much: the attackers (most of which are known to
use 3-letter names) can (and they really do) issue a fake certificate
for their decoy servers.

In general, nothing received from the Net could be trusted. And the
HTTPS doesn't guarantee anything beyond "this certificate was signed
by this CA" - was that voluntary or forced.

Enforcing HTTPS for the whole site is even more stupid: normally only
user-specific data (login procedure, personal settings for registered
users, etc) should be forced to go through HTTPS; everything else
should normally be left up to the users' wish.

But the terminal state of mental disability is... yes, using scripts
from outer sources: intercepting one popular source like
https://ajax.googleapis.com/ajax/libs/jquery/*/jquery.min.js will
allow the attacker to not bother of intercepting other sites directly.

> This issue was fixed in the git master branch (development branch
> for upcoming v. 2.2) with commit cf793ebc4, on 7/31/2014:

Not a vulnerability, not a fix.


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net