SSL Certificate

log in

Advanced search

Message boards : Bug reports : SSL Certificate

Author Message
NeuralMiner
Send message
Joined: 9 Jul 16
Posts: 1
Credit: 10,269
RAC: 308

Message 4027 - Posted: 1 Aug 2016, 22:48:57 UTC

Hello,

I'm a member of the Gridcoin community, and we're currently looking into providing better security for our crunchers.
It looks like this project isn't currently using an SSL certificate. Are there any plans to remedy this in the near future?

There's a chance that not having an SSL cert may lead to this project being removed from the project whitelist, which means it will no longer be crunched by the Gridcoin team.

The discussion regarding the whitelist can be found here: https://cryptocointalk.com/topic/29841-discussion-boinc-whitelist-monitoring/?p=221133

noderaser
Avatar
Send message
Joined: 24 Dec 08
Posts: 88
Credit: 629,012
RAC: 2

Message 4042 - Posted: 13 Aug 2016, 4:01:55 UTC

Although the project has soldiered on, the admin hasn't been around for many months, and there haven't been any major changes in years.
____________

Profile Erkan Yilmaz
Send message
Joined: 1 Apr 09
Posts: 5
Credit: 27,107
RAC: 4

Message 4096 - Posted: 2 Sep 2016, 10:28:18 UTC - in response to Message 4042.

1 month passed, and still no response :-(

It seems nobody of the staff considers our security as an important issue ?

Profile Erkan Yilmaz
Send message
Joined: 1 Apr 09
Posts: 5
Credit: 27,107
RAC: 4

Message 4097 - Posted: 4 Sep 2016, 9:48:50 UTC - in response to Message 4096.
Last modified: 4 Sep 2016, 9:51:19 UTC

Well, the project admin is active and replies in other threads. (1)

So, we can conclude he has no interest in taking care of this security issue :-( (2)
I will also PM him now.


(1) http://www.enigmaathome.net/forum_user_posts.php?userid=1
(2) will note this in: https://cryptocointalk.com/topic/49384-enigmahome/

Profile TJM
Volunteer moderator
Project administrator
Project developer
Project scientist
Avatar
Send message
Joined: 25 Aug 07
Posts: 734
Credit: 21,951,823
RAC: 19,078

Message 4098 - Posted: 4 Sep 2016, 14:53:15 UTC - in response to Message 4097.
Last modified: 4 Sep 2016, 14:55:03 UTC

I have no idea if https setup is possible with my current config. Since the early days the BOINC server is hidden behind another server, which acts like a proxy and load balancer. It handles some stuff (static files) on it's own and the rest is forwarded to the BOINC server via two VPNs.
Now the question is, where would I have to install the certificate. I think it would work installed just on the frontend server but I've never tested a setup like this so I'm not sure.

Also, are there any cheap and reliable ssl certificates ? My budget is limited.
____________
M4 Project homepage
M4 Project wiki

Customminer
Send message
Joined: 3 Apr 14
Posts: 1
Credit: 502,066
RAC: 0

Message 4099 - Posted: 4 Sep 2016, 15:52:17 UTC - in response to Message 4098.
Last modified: 4 Sep 2016, 15:52:34 UTC

I have no idea if https setup is possible with my current config. Since the early days the BOINC server is hidden behind another server, which acts like a proxy and load balancer. It handles some stuff (static files) on it's own and the rest is forwarded to the BOINC server via two VPNs.
Now the question is, where would I have to install the certificate. I think it would work installed just on the frontend server but I've never tested a setup like this so I'm not sure.

Also, are there any cheap and reliable ssl certificates ? My budget is limited.

The HTTPS certificate will be installed wherever you have installed the Apache web server to.

You should check out letsencrypt: https://letsencrypt.org/ It's a free SSL cert authority that's backed by multiple fortune 500 companies.

I used EFF's Certbot to install letsencrypt, it was quite easy: https://certbot.eff.org/

Profile TJM
Volunteer moderator
Project administrator
Project developer
Project scientist
Avatar
Send message
Joined: 25 Aug 07
Posts: 734
Credit: 21,951,823
RAC: 19,078

Message 4111 - Posted: 26 Sep 2016, 15:08:56 UTC - in response to Message 4099.
Last modified: 26 Sep 2016, 15:09:26 UTC

It will take some time to implement SSL here. I'll probably use let's encrypt certificate, but I need to do a few tricks to maintain compatibility with older clients. This is a project with one of the lowest hardware requirements (the app itself requires less resources than BOINC core client) and there are many very old clients attached (even from the 5.x era), which probably won't handle ssl at all or won't support let's encrypt certificate.

My plan is:
- redirect web browsers to https for all webpages
- redirect 7.x clients to ssl url of scheduler/file_upload_handler while leaving original scheduler url not changed
- leave the original scheduler url untouched, for older clients.
- download directory will probably still use plain http

It will however take some time to get a working config, as it requires lots of testing.
____________
M4 Project homepage
M4 Project wiki

lanbrown
Send message
Joined: 22 Aug 11
Posts: 63
Credit: 104,003,931
RAC: 216,833

Message 4132 - Posted: 17 Oct 2016, 0:19:36 UTC - in response to Message 4111.

there are many very old clients attached (even from the 5.x era), which probably won't handle ssl at all or won't support let's encrypt certificate.


They'll handle SSL as SSL has been around for many years. The older clients will not support TLS 1.0, TLS 1.1 and TLS 1.2. Also, the current security best practices is to use a SHA2 cert and TLS 1.2 only. Windows XP supports TLS 1.2 (not enabled by default in IE though) and a patch was required to get SHA2 certs compatibility. So to support older clients you are looking at a cert that many CA's won't even issue. So then the question is, is encryption worth the loss of older clients? The majority of what is sent back and forth are WU's and results; nothing in those is worth encrypting. The only thing worth encrypting would be the login aspect of it all.

With the project coming to a close in a year or under, it doesn't seem to be really matter to me if there is an SSL cert or not.


Post to thread

Message boards : Bug reports : SSL Certificate


Return to Enigma@Home main page


Copyright © 2017 TJM