Is the bureaucracy that complicated to acquire $20 SSL certs to protect login credentials.

To me, a certificate, is merely something that says the locks are there. I am sure the various banks that have been hacked over the past two or three years had SSL certs.

Weak.

"Oh people have been hacked, so lets not even use common-sense best practices."

The project upgraded to the new SSL late last year.

If you want to run it on the secure server, then go to the relevant thread in Number crunching to find out how.

Where is the thread? I cannot find it. Any thoughts on going HTTPS-only?

Is the bureaucracy that complicated to acquire $20 SSL certs to protect login credentials.

To me, a certificate, is merely something that says the locks are there. I am sure the various banks that have been hacked over the past two or three years had SSL certs.

SSL encryption is pretty basic security though, sure nothing is safe from highly sophisticated hackers, but an account breached on one project can snowball in the BOINC community.

User -> [MITM Attack: Intercept password_hash --> Access Boincstats w/ password_hash (establish active user project list w/ identical password_hash) -> access other projects: exfiltrate account_keys (permanent account compromise established)] -> BOINC Web Server.

Hopefully in the time that SSL wasn't enabled, no state-sponsored org (anywhere in the world) intercepted vulnerable BOINC packets. It'd be pretty neat if you could reset/refresh account key...

The posts are deliberately low key because of the hackers.
And a major infiltration from a certain place was the reason that we lost our php board a few years ago.

My post here has the clue for the new site.

And this post has some more about using that.

The BOINC sign up matter was noticed right near the start of all of this, and I asked IT about it.
It's not going to change immediately, because they don't/didn't want new users getting onto a new site that may not have been working correctly. So all the of people who have been running for a long time have been asked to test it. So far there's been no reports of problems.
The problem with this is, how many of the people who DO look at this board regularly have shifted over, and how many are just waiting? And the number of people who never look at these posts is probably huge.

And it's not just "our" small part of the University of Oxford that was upgraded. It was ALL of it.

The problem with this is, how many of the people who DO look at this board regularly have shifted over, and how many are just waiting? And the number of people who never look at these posts is probably huge.

I guess this could be resolved by using BOINC's notification once project people decide to switch to SSL. A notification to BAM! may well be needed as well as several of the projects that run through SSL haven't been updated on BAM! which causes double attaching and renders BAM! useless.

Why doesn't http://www.climateprediction.net/ redirect to https://www.cpdn.org?

BOINC clients are still going to the non-SSL protected site. When you click on Account info, you're taken to the insecure site.

Redirects could take care of this issue.

You didn't read my post 2 down from here, did you!