Posts by old_user715369

1) Questions and Answers : Wish list : SSL Certificate (Message 55896)
Posted 14 Mar 2017 by old_user715369
Post:
The project upgraded to the new SSL late last year.

If you want to run it on the secure server, then go to the relevant thread in Number crunching to find out how.


Where is the thread? I cannot find it. Any thoughts on going HTTPS-only?

Is the bureaucracy that complicated to acquire $20 SSL certs to protect login credentials?


To me, a certificate is merely something that says the locks are there. I am sure the various banks that have been hacked over the past two or three years had SSL certs.

SSL encryption is pretty basic security, though. Sure, nothing is safe from highly sophisticated hackers, but an account breached on one project can snowball in the BOINC community.

User -> [MITM Attack: Intercept password_hash --> Access Boincstats w/ password_hash (establish active user project list w/ identical password_hash) -> access other projects: exfiltrate account_keys (permanent account compromise established)] -> BOINC Web Server.

Hopefully in the time that SSL wasn't enabled, no state-sponsored org (anywhere in the world) intercepted vulnerable BOINC packets. It'd be pretty neat if you could reset/refresh account key...
2) Questions and Answers : Wish list : SSL Certificate (Message 54738)
Posted 2 Sep 2016 by old_user715369
Post:
Hey,

Can you provide an update on the full Oxford security review please?

Cheers.
3) Questions and Answers : Wish list : SSL Certificate (Message 54641)
Posted 15 Aug 2016 by old_user715369
Post:
This matter has been dealt with privately.

You mean it's being dealt with privately rather than it's been dealt with?

Because SSL hasn't been enabled yet: https://dev.ssllabs.com/ssltest/analyze.html?d=climateapps2.oerc.ox.ac.uk

Thanks for looking into this issue for us :)

Does BOINC's VirtualBox provide a solution for the lack of SSL certificates? I downloaded BOINC with the recommended VM additive but do not use it.

If you're able to write files to within the VirtualBox image, then you should be able to use EFF's Certbot software (https://certbot.eff.org/) to easily enable SSL encryption (Grade A) for free.



