Thread 'SSL Certificate'

Questions and Answers : Wish list : SSL Certificate

Dave Jackson
Volunteer moderator
Joined: 15 May 09
Posts: 4541
Credit: 19,039,635
RAC: 18,944
Message 55892 - Posted: 13 Mar 2017, 7:28:47 UTC - in response to Message 55888.

Is the bureaucracy that complicated to acquire $20 SSL certs to protect login credentials.


To me, a certificate is merely something that says the locks are there. I am sure the various banks that have been hacked over the past two or three years had SSL certs.
LohPhat
Joined: 8 Feb 08
Posts: 5
Credit: 181,202
RAC: 0
Message 55893 - Posted: 13 Mar 2017, 15:45:05 UTC - in response to Message 55892.

Weak.

"Oh, people have been hacked, so let's not even use common-sense best practices."
old_user715369
Joined: 2 Apr 14
Posts: 3
Credit: 218,479
RAC: 0
Message 55896 - Posted: 14 Mar 2017, 19:07:50 UTC - in response to Message 55889.
Last modified: 14 Mar 2017, 19:09:11 UTC

The project upgraded to the new SSL late last year.

If you want to run it on the secure server, then go to the relevant thread in Number crunching to find out how.


Where is the thread? I cannot find it. Any thoughts on going HTTPS-only?

Is the bureaucracy that complicated to acquire $20 SSL certs to protect login credentials.


To me, a certificate, is merely something that says the locks are there. I am sure the various banks that have been hacked over the past two or three years had SSL certs.

SSL encryption is pretty basic security, though; sure, nothing is safe from highly sophisticated hackers, but an account breached on one project can snowball in the BOINC community.

User -> [MITM Attack: Intercept password_hash --> Access Boincstats w/ password_hash (establish active user project list w/ identical password_hash) -> access other projects: exfiltrate account_keys (permanent account compromise established)] -> BOINC Web Server.

Hopefully in the time that SSL wasn't enabled, no state-sponsored org (anywhere in the world) intercepted vulnerable BOINC packets. It'd be pretty neat if you could reset/refresh account key...
Les Bayliss
Volunteer moderator
Joined: 5 Sep 04
Posts: 7629
Credit: 24,240,330
RAC: 0
Message 55898 - Posted: 14 Mar 2017, 21:26:49 UTC - in response to Message 55896.

The posts are deliberately low key because of the hackers.
And a major infiltration from a certain place was the reason that we lost our php board a few years ago.

My post here has the clue for the new site.

And this post has some more about using that.

The BOINC sign up matter was noticed right near the start of all of this, and I asked IT about it.
It's not going to change immediately, because they don't/didn't want new users getting onto a new site that may not have been working correctly. So all of the people who have been running for a long time have been asked to test it. So far there have been no reports of problems.
The problem with this is, how many of the people who DO look at this board regularly have shifted over, and how many are just waiting? And the number of people who never look at these posts is probably huge.

And it's not just "our" small part of the University of Oxford that was upgraded. It was ALL of it.
bernard_ivo
Joined: 18 Jul 13
Posts: 438
Credit: 25,750,792
RAC: 7,536
Message 55914 - Posted: 16 Mar 2017, 12:52:06 UTC - in response to Message 55898.

The problem with this is, how many of the people who DO look at this board regularly have shifted over, and how many are just waiting? And the number of people who never look at these posts is probably huge.


I guess this could be resolved by using BOINC's notification once project people decide to switch to SSL. A notification to BAM! may well be needed as well, as several of the projects that run through SSL haven't been updated on BAM!, which causes double attaching and renders BAM! useless.
LohPhat
Joined: 8 Feb 08
Posts: 5
Credit: 181,202
RAC: 0
Message 55917 - Posted: 17 Mar 2017, 2:56:06 UTC

Why doesn't http://www.climateprediction.net/ redirect to https://www.cpdn.org?

BOINC clients are still going to the non-SSL protected site. When you click on Account info, you're taken to the insecure site.

Redirects could take care of this issue.
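The redirect LohPhat asks for, as an added example rather than the project's own configuration: an nginx block that answers every plain-HTTP request on the old and new hostnames with a permanent redirect to the HTTPS site, and an HTTPS block that sets HSTS so returning browsers skip the insecure hop entirely. Certificate paths and the document root are placeholders.

```nginx
# Added example (not CPDN's own configuration): send all plain HTTP to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name www.climateprediction.net climateprediction.net
                www.cpdn.org cpdn.org;

    # 301 is cached by browsers; $request_uri keeps the path and query string,
    # so deep links from BOINC clients ("Account info") land on the same page.
    return 301 https://www.cpdn.org$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.cpdn.org;

    # Placeholder paths: substitute the real certificate chain and private key.
    ssl_certificate     /etc/ssl/certs/www.cpdn.org.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/www.cpdn.org.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # HSTS: once a browser has seen this header it rewrites http:// links to
    # https:// locally for a year, so later visits never make the insecure
    # request that the redirect above would otherwise have to rescue.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/cpdn;   # placeholder document root
}
```

A redirect only protects requests that reach the server: a login form that posts credentials over HTTP has already exposed them before the 301 arrives, so the form action itself must point at the HTTPS URL.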
Les Bayliss
Volunteer moderator
Joined: 5 Sep 04
Posts: 7629
Credit: 24,240,330
RAC: 0
Message 55918 - Posted: 17 Mar 2017, 4:23:12 UTC - in response to Message 55917.

You didn't read my post 2 down from here, did you!
©2024 cpdn.org