Questions and Answers : Wish list : SSL Certificate
Message board moderation
Author | Message |
---|---|
Send message Joined: 8 Mar 16 Posts: 2 Credit: 6,441 RAC: 0 |
Hello, I'm a member of the Gridcoin community, and we're currently looking into providing better security for our crunchers. It looks like this project isn't currently using an SSL certificate. Are there any plans to remedy this in the near future? There's a chance that not having an SSL cert may lead to this project being removed from the project whitelist, which means it will no longer be crunched by the Gridcoin team. The discussion regarding the whitelist can be found here: https://cryptocointalk.com/topic/29841-discussion-boinc-whitelist-monitoring/?p=221133 |
Send message Joined: 15 May 09 Posts: 4541 Credit: 19,039,635 RAC: 18,944 |
Don't know what the programmers for CPDN will do with this so just expressing a personal opinion. I know that there has been a recent upgrade of the BOINC software for CPDN. I would be sad to see it lose crunchers as it is in my opinion one of the projects with the best record of scientific achievement. |
Send message Joined: 27 Jan 05 Posts: 74 Credit: 1,047,809 RAC: 0 |
Does BOINC's Virtual Box provide a solution for the lack of SSL certificates? I downloaded BOINC with the recommended VM additive but do not use it. |
Send message Joined: 5 Sep 04 Posts: 7629 Credit: 24,240,330 RAC: 0 |
This matter has been dealt with privately. |
Send message Joined: 8 Mar 16 Posts: 2 Credit: 6,441 RAC: 0 |
We're more concerned with the login credentials of users (as in to login to your account). For instance, any user that uses BAM will have the same ID/PW for every project they're a part of. So if an attacker is able to get their credentials from one project, they'd be able to log in to all the projects the user is a part of. |
Send message Joined: 2 Apr 14 Posts: 3 Credit: 218,479 RAC: 0 |
This matter has been dealt with privately. You mean it's being dealt with privately rather than it's been dealt with? Because SSL hasn't been enabled yet: https://dev.ssllabs.com/ssltest/analyze.html?d=climateapps2.oerc.ox.ac.uk Thanks for looking into this issue for us :) Does BOINC's Virtual Box provide a solution for the lack of SSL certificates? I downloaded BOINC with the recommended VM additive but do not use it. If you're able to write files to within the Virtual Box image, then you should be able to use EFF's Certbot software (https://certbot.eff.org/) to easily enable SSL encryption (Grade A) for free. |
Send message Joined: 5 Sep 04 Posts: 7629 Credit: 24,240,330 RAC: 0 |
You mean it's being dealt with privately rather than it's been dealt with? No, I meant that NeuralMiner had sent me an identical message in a pm, that I'd asked the project people, and then sent NeuralMiner a pm explaining what was happening. I had intended to let it go at that, but as there appears to be a more than one person not happy with the security here, I'll post the reply for all to see. This matter is currently part of a full security review. And by full security review, I mean the whole of The University of Oxford. Until changes have been made, the only solution is to not run this project. (The News and Announcements thread mentioned above has already been replaced since by a News section on the board, with lots more changes coming soon.) |
Send message Joined: 2 Apr 14 Posts: 3 Credit: 218,479 RAC: 0 |
Hey, Can you provide an update on the full Oxford security review please? Cheers. |
Send message Joined: 5 Sep 04 Posts: 7629 Credit: 24,240,330 RAC: 0 |
No further information is available about security matters. |
Send message Joined: 31 Dec 07 Posts: 1152 Credit: 22,363,583 RAC: 5,022 |
Hey, It is not likely that they will make the results of the security review available to the public. Doing so would provide useful information to the hackers on weak points in the system. Hopefully, they will quietly plug any holes that they find. |
Send message Joined: 15 May 09 Posts: 4541 Credit: 19,039,635 RAC: 18,944 |
No further information is available about security matters. Though I notice there are very few sites I visit that have not switched from http to https. I would be surprised if the security review does not include this at some point. If and when this happens there will be no need for secrecy or an announcement as it will be visible in the address bar of browsers. |
Send message Joined: 18 Jul 13 Posts: 438 Credit: 25,745,822 RAC: 7,395 |
Hi, do we know if everything is fine now with the SSL certificate and with security in general after the update or there is still work to be done? |
Send message Joined: 5 Sep 04 Posts: 7629 Credit: 24,240,330 RAC: 0 |
Hi Bernard The new servers and their improved security were all completed last year. We're waiting for people to report problems with the new setup. So far there's been none reported. (Just minor tweaks needed by the new version of BOINC.) |
Send message Joined: 18 Jul 13 Posts: 438 Credit: 25,745,822 RAC: 7,395 |
Hi Bernard Thanks Les, what about the option to attach to CPDN via the old non-SSL address instead the new one? I tried reattaching a month or two ago and I could not do it via SSL. Was it fixed or it is a BOINC, not a CPDN issue? |
Send message Joined: 5 Sep 04 Posts: 7629 Credit: 24,240,330 RAC: 0 |
This was discussed, but I can't find where now. Basically, they don't want new users signing up to the new site until it's tested. |
Send message Joined: 18 Jul 13 Posts: 438 Credit: 25,745,822 RAC: 7,395 |
This was discussed, but I can't find where now. I recall the discussion, so it still under test. |
Send message Joined: 5 Sep 04 Posts: 7629 Credit: 24,240,330 RAC: 0 |
Sorry, I meant an email discussion with the project people. And the people doing the testing, are the users on this project. So far, no one has reported any problems with the new set up. |
Send message Joined: 8 Feb 08 Posts: 5 Credit: 181,202 RAC: 0 |
Is the bureaucracy that complicated to acquire $20 SSL certs to protect login credentials. This is BASIC housekeeping and best-practices. You wouldn't open a shop and not put locks on the doors and respond "we'll get around to it." Secure. Your. Infrastructure. Please. The continuing excuses after MONTHS of concern are pathetic and call into question the leadership and expertise of the IT strategy and personnel of this organization. |
Send message Joined: 5 Sep 04 Posts: 7629 Credit: 24,240,330 RAC: 0 |
The project upgraded to the new SSL late last year. If you want to run it on the secure server, then go to the relevant thread in Number crunching to find out how. |
Send message Joined: 8 Feb 08 Posts: 5 Credit: 181,202 RAC: 0 |
That has nothing to do that the login page on THIS webserver(s) doesn't/don't have an SSL cert to process logins to get to your user account and other admin functions. Running a webserver in 2017 w/o an SSL cert AND accepting logins for processing of account details is a declaration of either ignorance, incompetence, or laziness. One shouldn't have to dig though forum posts looking for kludges to manually reconfing their clients because the webserver admins aren't doing their jobs. |
©2024 cpdn.org