SSL Certificate
Joined: 8 Mar 16, Posts: 2, Credit: 6,441, RAC: 0
Hello, I'm a member of the Gridcoin community, and we're currently looking into providing better security for our crunchers. It looks like this project isn't currently using an SSL certificate. Are there any plans to remedy this in the near future? There's a chance that not having an SSL cert may lead to this project being removed from the project whitelist, which means it will no longer be crunched by the Gridcoin team. The discussion regarding the whitelist can be found here: https://cryptocointalk.com/topic/29841-discussion-boinc-whitelist-monitoring/?p=221133
Joined: 15 May 09, Posts: 4529, Credit: 18,661,594, RAC: 14,529
Don't know what the programmers for CPDN will do with this, so I'm just expressing a personal opinion. I know that there has been a recent upgrade of the BOINC software for CPDN. I would be sad to see it lose crunchers, as it is in my opinion one of the projects with the best record of scientific achievement.
Joined: 27 Jan 05, Posts: 74, Credit: 1,047,809, RAC: 0
Does BOINC's Virtual Box provide a solution for the lack of SSL certificates? I downloaded BOINC with the recommended VM additive but do not use it.
Joined: 5 Sep 04, Posts: 7629, Credit: 24,240,330, RAC: 0
This matter has been dealt with privately.
Joined: 8 Mar 16, Posts: 2, Credit: 6,441, RAC: 0
We're more concerned with the login credentials of users (as in, to log in to your account). For instance, any user that uses BAM will have the same ID/PW for every project they're a part of. So if an attacker is able to get their credentials from one project, they'd be able to log in to all the projects the user is a part of.
Joined: 2 Apr 14, Posts: 3, Credit: 218,479, RAC: 0
> This matter has been dealt with privately.

You mean it's being dealt with privately rather than it's been dealt with? Because SSL hasn't been enabled yet: https://dev.ssllabs.com/ssltest/analyze.html?d=climateapps2.oerc.ox.ac.uk

Thanks for looking into this issue for us :)

> Does BOINC's Virtual Box provide a solution for the lack of SSL certificates? I downloaded BOINC with the recommended VM additive but do not use it.

If you're able to write files to within the Virtual Box image, then you should be able to use EFF's Certbot software (https://certbot.eff.org/) to easily enable SSL encryption (Grade A) for free.
Joined: 5 Sep 04, Posts: 7629, Credit: 24,240,330, RAC: 0
> You mean it's being dealt with privately rather than it's been dealt with?

No, I meant that NeuralMiner had sent me an identical message in a PM, that I'd asked the project people, and then sent NeuralMiner a PM explaining what was happening. I had intended to let it go at that, but as there appears to be more than one person not happy with the security here, I'll post the reply for all to see.

This matter is currently part of a full security review. And by full security review, I mean the whole of The University of Oxford. Until changes have been made, the only solution is to not run this project.

(The News and Announcements thread mentioned above has since been replaced by a News section on the board, with lots more changes coming soon.)
Joined: 2 Apr 14, Posts: 3, Credit: 218,479, RAC: 0
Hey, can you provide an update on the full Oxford security review please? Cheers.
Joined: 5 Sep 04, Posts: 7629, Credit: 24,240,330, RAC: 0
No further information is available about security matters.
Joined: 31 Dec 07, Posts: 1152, Credit: 22,363,583, RAC: 5,022
Hey, it is not likely that they will make the results of the security review available to the public. Doing so would provide useful information to the hackers on weak points in the system. Hopefully, they will quietly plug any holes that they find.
Joined: 15 May 09, Posts: 4529, Credit: 18,661,594, RAC: 14,529
> No further information is available about security matters.

Though I notice there are very few sites I visit that have not switched from http to https. I would be surprised if the security review does not include this at some point. If and when this happens there will be no need for secrecy or an announcement, as it will be visible in the address bar of browsers.
Joined: 18 Jul 13, Posts: 438, Credit: 25,568,323, RAC: 3,736
Hi, do we know if everything is fine now with the SSL certificate and with security in general after the update, or whether there is still work to be done?
Joined: 5 Sep 04, Posts: 7629, Credit: 24,240,330, RAC: 0
Hi Bernard

The new servers and their improved security were all completed last year. We're waiting for people to report problems with the new setup. So far there have been none reported. (Just minor tweaks needed by the new version of BOINC.)
Joined: 18 Jul 13, Posts: 438, Credit: 25,568,323, RAC: 3,736
> Hi Bernard

Thanks Les, what about the option to attach to CPDN via the old non-SSL address instead of the new one? I tried reattaching a month or two ago and I could not do it via SSL. Was it fixed, or is it a BOINC issue rather than a CPDN one?
Joined: 5 Sep 04, Posts: 7629, Credit: 24,240,330, RAC: 0
This was discussed, but I can't find where now. Basically, they don't want new users signing up to the new site until it's tested.
Joined: 18 Jul 13, Posts: 438, Credit: 25,568,323, RAC: 3,736
> This was discussed, but I can't find where now.

I recall the discussion, so it is still under test.
Joined: 5 Sep 04, Posts: 7629, Credit: 24,240,330, RAC: 0
Sorry, I meant an email discussion with the project people. And the people doing the testing are the users on this project. So far, no one has reported any problems with the new setup.
Joined: 8 Feb 08, Posts: 5, Credit: 181,202, RAC: 0
Is the bureaucracy that complicated to acquire $20 SSL certs to protect login credentials? This is BASIC housekeeping and best practice. You wouldn't open a shop and not put locks on the doors and respond "we'll get around to it." Secure. Your. Infrastructure. Please. The continuing excuses after MONTHS of concern are pathetic and call into question the leadership and expertise of the IT strategy and personnel of this organization.
Joined: 5 Sep 04, Posts: 7629, Credit: 24,240,330, RAC: 0
The project upgraded to the new SSL late last year. If you want to run it on the secure server, then go to the relevant thread in Number crunching to find out how.
Joined: 8 Feb 08, Posts: 5, Credit: 181,202, RAC: 0
That has nothing to do with the fact that the login page on THIS webserver(s) doesn't/don't have an SSL cert to process logins to get to your user account and other admin functions. Running a webserver in 2017 w/o an SSL cert AND accepting logins for processing of account details is a declaration of either ignorance, incompetence, or laziness. One shouldn't have to dig through forum posts looking for kludges to manually reconfigure their clients because the webserver admins aren't doing their jobs.
©2024 cpdn.org