Questions and Answers : Wish list : SSL Certificate
Author | Message |
---|---|
Joined: 15 May 09 Posts: 4541 Credit: 19,039,635 RAC: 18,944 |
Is the bureaucracy that complicated to acquire $20 SSL certs to protect login credentials? To me, a certificate is merely something that says the locks are there. I am sure the various banks that have been hacked over the past two or three years had SSL certs. |
Joined: 8 Feb 08 Posts: 5 Credit: 181,202 RAC: 0 |
Weak. "Oh people have been hacked, so let's not even use common-sense best practices." |
Joined: 2 Apr 14 Posts: 3 Credit: 218,479 RAC: 0 |
The project upgraded to the new SSL late last year. Where is the thread? I cannot find it. Any thoughts on going HTTPS-only? Is the bureaucracy that complicated to acquire $20 SSL certs to protect login credentials? SSL encryption is pretty basic security though; sure, nothing is safe from highly sophisticated hackers, but an account breached on one project can snowball in the BOINC community. User -> [MITM Attack: Intercept password_hash --> Access Boincstats w/ password_hash (establish active user project list w/ identical password_hash) -> access other projects: exfiltrate account_keys (permanent account compromise established)] -> BOINC Web Server. Hopefully in the time that SSL wasn't enabled, no state-sponsored org (anywhere in the world) intercepted vulnerable BOINC packets. It'd be pretty neat if you could reset/refresh account key... |
Joined: 5 Sep 04 Posts: 7629 Credit: 24,240,330 RAC: 0 |
The posts are deliberately low key because of the hackers. And a major infiltration from a certain place was the reason that we lost our php board a few years ago. My post here has the clue for the new site. And this post has some more about using that. The BOINC sign up matter was noticed right near the start of all of this, and I asked IT about it. It's not going to change immediately, because they don't/didn't want new users getting onto a new site that may not have been working correctly. So all of the people who have been running for a long time have been asked to test it. So far there have been no reports of problems. The problem with this is, how many of the people who DO look at this board regularly have shifted over, and how many are just waiting? And the number of people who never look at these posts is probably huge. And it's not just "our" small part of the University of Oxford that was upgraded. It was ALL of it. |
Joined: 18 Jul 13 Posts: 438 Credit: 25,750,792 RAC: 7,536 |
"The problem with this is, how many of the people who DO look at this board regularly have shifted over, and how many are just waiting? And the number of people who never look at these posts is probably huge." I guess this could be resolved by using BOINC's notification once project people decide to switch to SSL. A notification to BAM! may well be needed as well, as several of the projects that run through SSL haven't been updated on BAM!, which causes double attaching and renders BAM! useless. |
Joined: 8 Feb 08 Posts: 5 Credit: 181,202 RAC: 0 |
Why doesn't http://www.climateprediction.net/ redirect to https://www.cpdn.org? BOINC clients are still going to the non-SSL protected site. When you click on Account info, you're taken to the insecure site. Redirects could take care of this issue. |
Joined: 5 Sep 04 Posts: 7629 Credit: 24,240,330 RAC: 0 |
You didn't read my post 2 down from here, did you! |