1) Questions and Answers : Wish list : SSL Certificate (Message 55896)
Posted 14 Mar 2017 by old_user715369
Post: The project upgraded to the new SSL late last year. Where is the thread? I cannot find it.

Any thoughts on going HTTPS-only? Is the bureaucracy that complicated to acquire $20 SSL certs to protect login credentials? SSL encryption is pretty basic security though, sure nothing is safe from highly sophisticated hackers, but an account breached on one project can snowball in the BOINC community.

User -> [MITM Attack: Intercept password_hash --> Access Boincstats w/ password_hash (establish active user project list w/ identical password_hash) -> access other projects: exfiltrate account_keys (permanent account compromise established)] -> BOINC Web Server.

Hopefully in the time that SSL wasn't enabled, no state-sponsored org (anywhere in the world) intercepted vulnerable BOINC packets. It'd be pretty neat if you could reset/refresh account key...
2) Questions and Answers : Wish list : SSL Certificate (Message 54738)
Posted 2 Sep 2016 by old_user715369
Post: Hey,

Can you provide an update on the full Oxford security review please?

Cheers.
3) Questions and Answers : Wish list : SSL Certificate (Message 54641)
Posted 15 Aug 2016 by old_user715369
Post: This matter has been dealt with privately.

You mean it's being dealt with privately rather than it's been dealt with? Because SSL hasn't been enabled yet: https://dev.ssllabs.com/ssltest/analyze.html?d=climateapps2.oerc.ox.ac.uk

Thanks for looking into this issue for us :)

Does BOINC's VirtualBox provide a solution for the lack of SSL certificates? I downloaded BOINC with the recommended VM additive but do not use it. If you're able to write files to within the VirtualBox image, then you should be able to use EFF's Certbot software (https://certbot.eff.org/) to easily enable SSL encryption (Grade A) for free.
©2024 climateprediction.net