SSL Certificate

Questions and Answers : Wish list : SSL Certificate

NeuralMiner
Joined: 8 Mar 16
Posts: 2
Credit: 6,441
RAC: 0
Message 54600 - Posted: 1 Aug 2016, 22:53:52 UTC

Hello,

I'm a member of the Gridcoin community, and we're currently looking into providing better security for our crunchers.
It looks like this project isn't currently using an SSL certificate. Are there any plans to remedy this in the near future?

There's a chance that not having an SSL cert may lead to this project being removed from the project whitelist, which means it will no longer be crunched by the Gridcoin team.

The discussion regarding the whitelist can be found here: https://cryptocointalk.com/topic/29841-discussion-boinc-whitelist-monitoring/?p=221133

Dave Jackson
Volunteer moderator
Joined: 15 May 09
Posts: 4529
Credit: 18,661,594
RAC: 14,529
Message 54604 - Posted: 2 Aug 2016, 11:10:14 UTC - in response to Message 54600.  

Don't know what the programmers for CPDN will do with this so just expressing a personal opinion. I know that there has been a recent upgrade of the BOINC software for CPDN. I would be sad to see it lose crunchers as it is in my opinion one of the projects with the best record of scientific achievement.

John Eric Hopkinson
Joined: 27 Jan 05
Posts: 74
Credit: 1,047,809
RAC: 0
Message 54605 - Posted: 2 Aug 2016, 12:00:45 UTC - in response to Message 54600.  

Does BOINC's Virtual Box provide a solution for the lack of SSL certificates? I downloaded BOINC with the recommended VM additive but do not use it.

Les Bayliss
Volunteer moderator
Joined: 5 Sep 04
Posts: 7629
Credit: 24,240,330
RAC: 0
Message 54608 - Posted: 3 Aug 2016, 15:31:30 UTC

This matter has been dealt with privately.

NeuralMiner
Joined: 8 Mar 16
Posts: 2
Credit: 6,441
RAC: 0
Message 54639 - Posted: 15 Aug 2016, 18:07:16 UTC - in response to Message 54604.  

We're more concerned with the login credentials of users (as in to login to your account). For instance, any user that uses BAM will have the same ID/PW for every project they're a part of. So if an attacker is able to get their credentials from one project, they'd be able to log in to all the projects the user is a part of.
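The credential-capture scenario NeuralMiner describes, shown as an added example that is not part of this thread and not CPDN or BOINC code: a login POST sent over plain HTTP is parsed exactly the way a passive sniffer on the same network would parse it, and the same attempt over TLS yields nothing. The captured bytes are constructed for the example; the endpoint path `/login_action.php` and the form field names `email_addr` and `passwd` are assumptions about a BOINC-style login form, not taken from the project.

```python
"""Recover credentials from a captured cleartext HTTP login request.

Added example for this thread, not CPDN/BOINC code. Illustrates why a
login form served over HTTP rather than HTTPS is the problem: anyone on
the path (shared Wi-Fi, a compromised router, an upstream network) reads
the POST body in the clear, and where one password is reused across
projects a single capture opens every account that shares it.
"""
from urllib.parse import parse_qs, urlsplit

# Assumed BOINC-style login endpoint and field names (not verified here).
LOGIN_PATHS = {"/login_action.php"}
USER_FIELDS = ("email_addr", "email", "username", "user")
PASS_FIELDS = ("passwd", "password", "pass")


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so trailing bytes in the capture are ignored.
    length = int(headers.get("content-length", len(body)))
    return method, target, headers, body[:length]


def extract_credentials(raw: bytes):
    """Return {'user', 'password', 'host'} for a cleartext login POST, else None.

    Anything that is not a parseable HTTP request (for example a TLS record,
    which is all a sniffer sees once the site uses HTTPS) yields None.
    """
    try:
        method, target, headers, body = parse_http_request(raw)
    except (ValueError, UnicodeDecodeError):
        return None
    if method != "POST" or urlsplit(target).path not in LOGIN_PATHS:
        return None
    ctype = headers.get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return None
    form = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
    user = next((form[f][0] for f in USER_FIELDS if f in form), None)
    password = next((form[f][0] for f in PASS_FIELDS if f in form), None)
    if user is None or password is None:
        return None
    return {"user": user, "password": password, "host": headers.get("host", "")}


def scan_capture(requests):
    """Run extract_credentials over captured requests and collect the hits."""
    hits = []
    for raw in requests:
        creds = extract_credentials(raw)
        if creds:
            hits.append(creds)
    return hits


# Constructed sample traffic: what a sniffer on the same network would see
# when the login form is served over plain HTTP.
SAMPLE_CAPTURE = [
    b"GET /home.php HTTP/1.1\r\nHost: project.example.org\r\n\r\n",
    (b"POST /login_action.php HTTP/1.1\r\n"
     b"Host: project.example.org\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n"
     b"Content-Length: 62\r\n\r\n"
     b"email_addr=alice%40example.org&passwd=hunter2&stay_logged_in=1"),
]

# Constructed first bytes of a TLS record (handshake, TLS 1.0 record layer):
# the same login over HTTPS shows the sniffer only this kind of data.
TLS_SAMPLE = b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03" + bytes(range(32))

if __name__ == "__main__":
    for hit in scan_capture(SAMPLE_CAPTURE + [TLS_SAMPLE]):
        print(f"cleartext login to {hit['host']}: {hit['user']} / {hit['password']}")
```

Running it prints the one cleartext login found in the constructed capture; the TLS bytes produce no hit because there is no HTTP request to parse. The fix is the server-side one this thread is asking for (a certificate, with the login page and the scheduler URL served over HTTPS), which is why the same capture on a TLS-only site yields nothing.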

old_user715369
Joined: 2 Apr 14
Posts: 3
Credit: 218,479
RAC: 0
Message 54641 - Posted: 15 Aug 2016, 19:20:34 UTC - in response to Message 54608.  
Last modified: 15 Aug 2016, 19:21:51 UTC

> This matter has been dealt with privately.

You mean it's being dealt with privately rather than it's been dealt with?

Because SSL hasn't been enabled yet: https://dev.ssllabs.com/ssltest/analyze.html?d=climateapps2.oerc.ox.ac.uk

Thanks for looking into this issue for us :)

> Does BOINC's Virtual Box provide a solution for the lack of SSL certificates? I downloaded BOINC with the recommended VM additive but do not use it.

If you're able to write files to within the Virtual Box image, then you should be able to use EFF's Certbot software (https://certbot.eff.org/) to easily enable SSL encryption (Grade A) for free.

Les Bayliss
Volunteer moderator
Joined: 5 Sep 04
Posts: 7629
Credit: 24,240,330
RAC: 0
Message 54642 - Posted: 15 Aug 2016, 21:20:32 UTC - in response to Message 54641.  

> You mean it's being dealt with privately rather than it's been dealt with?

No, I meant that NeuralMiner had sent me an identical message in a pm, that I'd asked the project people, and then sent NeuralMiner a pm explaining what was happening.
I had intended to let it go at that, but as there appear to be more than one person not happy with the security here, I'll post the reply for all to see.
This matter is currently part of a full security review.
There's no time line for its completion, so I can't provide further information.
As usual, an announcement will most likely be made in our News and Announcements thread.


And by full security review, I mean the whole of The University of Oxford.

Until changes have been made, the only solution is to not run this project.

(The News and Announcements thread mentioned above has since been replaced by a News section on the board, with lots more changes coming soon.)

old_user715369
Joined: 2 Apr 14
Posts: 3
Credit: 218,479
RAC: 0
Message 54738 - Posted: 2 Sep 2016, 10:29:06 UTC

Hey,

Can you provide an update on the full Oxford security review please?

Cheers.

Les Bayliss
Volunteer moderator
Joined: 5 Sep 04
Posts: 7629
Credit: 24,240,330
RAC: 0
Message 54743 - Posted: 3 Sep 2016, 6:54:46 UTC - in response to Message 54738.  

No further information is available about security matters.

JIM
Joined: 31 Dec 07
Posts: 1152
Credit: 22,363,583
RAC: 5,022
Message 54745 - Posted: 3 Sep 2016, 13:54:04 UTC - in response to Message 54738.  

> Hey,
>
> Can you provide an update on the full Oxford security review please?
>
> Cheers.


It is not likely that they will make the results of the security review available to the public. Doing so would provide useful information to the hackers on weak points in the system. Hopefully, they will quietly plug any holes that they find.

Dave Jackson
Volunteer moderator
Joined: 15 May 09
Posts: 4529
Credit: 18,661,594
RAC: 14,529
Message 54754 - Posted: 6 Sep 2016, 10:41:25 UTC - in response to Message 54745.  

> No further information is available about security matters.


Though I notice there are very few sites I visit that have not switched from http to https. I would be surprised if the security review does not include this at some point. If and when this happens there will be no need for secrecy or an announcement as it will be visible in the address bar of browsers.

bernard_ivo
Joined: 18 Jul 13
Posts: 438
Credit: 25,568,323
RAC: 3,736
Message 55865 - Posted: 6 Mar 2017, 15:21:51 UTC

Hi, do we know if everything is fine now with the SSL certificate and with security in general after the update or there is still work to be done?

Les Bayliss
Volunteer moderator
Joined: 5 Sep 04
Posts: 7629
Credit: 24,240,330
RAC: 0
Message 55869 - Posted: 6 Mar 2017, 21:16:43 UTC - in response to Message 55865.  

Hi Bernard

The new servers and their improved security were all completed last year.
We're waiting for people to report problems with the new setup. So far none have been reported. (Just minor tweaks needed by the new version of BOINC.)

bernard_ivo
Joined: 18 Jul 13
Posts: 438
Credit: 25,568,323
RAC: 3,736
Message 55872 - Posted: 7 Mar 2017, 7:44:55 UTC - in response to Message 55869.  

> Hi Bernard
>
> The new servers and their improved security were all completed last year.
> We're waiting for people to report problems with the new setup. So far none have been reported. (Just minor tweaks needed by the new version of BOINC.)

Thanks Les, what about the option to attach to CPDN via the old non-SSL address instead of the new one? I tried reattaching a month or two ago and I could not do it via SSL. Was it fixed, or is it a BOINC, not a CPDN, issue?

Les Bayliss
Volunteer moderator
Joined: 5 Sep 04
Posts: 7629
Credit: 24,240,330
RAC: 0
Message 55877 - Posted: 7 Mar 2017, 21:40:20 UTC

This was discussed, but I can't find where now.
Basically, they don't want new users signing up to the new site until it's tested.

bernard_ivo
Joined: 18 Jul 13
Posts: 438
Credit: 25,568,323
RAC: 3,736
Message 55882 - Posted: 9 Mar 2017, 19:13:43 UTC - in response to Message 55877.  

> This was discussed, but I can't find where now.
> Basically, they don't want new users signing up to the new site until it's tested.

I recall the discussion, so it is still under test.

Les Bayliss
Volunteer moderator
Joined: 5 Sep 04
Posts: 7629
Credit: 24,240,330
RAC: 0
Message 55883 - Posted: 9 Mar 2017, 20:02:23 UTC - in response to Message 55882.  

Sorry, I meant an email discussion with the project people.
And the people doing the testing, are the users on this project.
So far, no one has reported any problems with the new set up.

LohPhat
Joined: 8 Feb 08
Posts: 5
Credit: 181,202
RAC: 0
Message 55888 - Posted: 12 Mar 2017, 21:42:39 UTC

Is the bureaucracy that complicated to acquire $20 SSL certs to protect login credentials?

This is BASIC housekeeping and best-practices.

You wouldn't open a shop and not put locks on the doors and respond "we'll get around to it."

Secure. Your. Infrastructure. Please.

The continuing excuses after MONTHS of concern are pathetic and call into question the leadership and expertise of the IT strategy and personnel of this organization.

Les Bayliss
Volunteer moderator
Joined: 5 Sep 04
Posts: 7629
Credit: 24,240,330
RAC: 0
Message 55889 - Posted: 13 Mar 2017, 3:16:47 UTC - in response to Message 55888.  

The project upgraded to the new SSL late last year.

If you want to run it on the secure server, then go to the relevant thread in Number crunching to find out how.

LohPhat
Joined: 8 Feb 08
Posts: 5
Credit: 181,202
RAC: 0
Message 55891 - Posted: 13 Mar 2017, 5:46:09 UTC - in response to Message 55889.  
Last modified: 13 Mar 2017, 5:48:13 UTC

That has nothing to do with the fact that the login page on THIS webserver(s) doesn't/don't have an SSL cert to process logins to get to your user account and other admin functions.

Running a webserver in 2017 w/o an SSL cert AND accepting logins for processing of account details is a declaration of either ignorance, incompetence, or laziness.

One shouldn't have to dig through forum posts looking for kludges to manually reconfigure their clients because the webserver admins aren't doing their jobs.

©2024 cpdn.org