SSL Certificate

Message boards : Bug reports : SSL Certificate

NeuralMiner

Joined: 9 Jul 16
Posts: 1
Credit: 47,432
RAC: 1
Message 4027 - Posted: 1 Aug 2016, 22:48:57 UTC

Hello,

I'm a member of the Gridcoin community, and we're currently looking into providing better security for our crunchers.
It looks like this project isn't currently using an SSL certificate. Are there any plans to remedy this in the near future?

There's a chance that not having an SSL cert may lead to this project being removed from the project whitelist, which means it will no longer be crunched by the Gridcoin team.

The discussion regarding the whitelist can be found here: https://cryptocointalk.com/topic/29841-discussion-boinc-whitelist-monitoring/?p=221133
ID: 4027
noderaser
Joined: 24 Dec 08
Posts: 88
Credit: 629,026
RAC: 0
Message 4042 - Posted: 13 Aug 2016, 4:01:55 UTC

Although the project has soldiered on, the admin hasn't been around for many months, and there haven't been any major changes in years.

ID: 4042
Erkan Yilmaz
Joined: 1 Apr 09
Posts: 7
Credit: 27,107
RAC: 0
Message 4096 - Posted: 2 Sep 2016, 10:28:18 UTC - in response to Message 4042.

1 month passed, and still no response :-(

It seems nobody on the staff considers our security an important issue?
ID: 4096
Erkan Yilmaz
Joined: 1 Apr 09
Posts: 7
Credit: 27,107
RAC: 0
Message 4097 - Posted: 4 Sep 2016, 9:48:50 UTC - in response to Message 4096.
Last modified: 4 Sep 2016, 9:51:19 UTC

Well, the project admin is active and replies in other threads. (1)

So, we can conclude he has no interest in taking care of this security issue :-( (2)
I will also PM him now.
(1) http://www.enigmaathome.net/forum_user_posts.php?userid=1
(2) will note this in: https://cryptocointalk.com/topic/49384-enigmahome/
ID: 4097
TJM
Project administrator
Project developer
Project scientist
Joined: 25 Aug 07
Posts: 829
Credit: 33,343,338
RAC: 277,718
Message 4098 - Posted: 4 Sep 2016, 14:53:15 UTC - in response to Message 4097.
Last modified: 4 Sep 2016, 14:55:03 UTC

I have no idea if an https setup is possible with my current config. Since the early days the BOINC server has been hidden behind another server, which acts as a proxy and load balancer. It handles some stuff (static files) on its own and the rest is forwarded to the BOINC server via two VPNs.
Now the question is, where would I have to install the certificate? I think it would work installed just on the frontend server, but I've never tested a setup like this, so I'm not sure.

Also, are there any cheap and reliable SSL certificates? My budget is limited.
M4 Project homepage
M4 Project wiki
ID: 4098
Customminer

Joined: 3 Apr 14
Posts: 1
Credit: 502,066
RAC: 0
Message 4099 - Posted: 4 Sep 2016, 15:52:17 UTC - in response to Message 4098.
Last modified: 4 Sep 2016, 15:52:34 UTC

I have no idea if an https setup is possible with my current config. Since the early days the BOINC server has been hidden behind another server, which acts as a proxy and load balancer. It handles some stuff (static files) on its own and the rest is forwarded to the BOINC server via two VPNs.
Now the question is, where would I have to install the certificate? I think it would work installed just on the frontend server, but I've never tested a setup like this, so I'm not sure.

Also, are there any cheap and reliable SSL certificates? My budget is limited.

The HTTPS certificate will be installed wherever you have installed the Apache web server.

You should check out Let's Encrypt: https://letsencrypt.org/ It's a free SSL cert authority that's backed by multiple Fortune 500 companies.

I used EFF's Certbot to install Let's Encrypt; it was quite easy: https://certbot.eff.org/
ID: 4099
TJM
Project administrator
Project developer
Project scientist
Joined: 25 Aug 07
Posts: 829
Credit: 33,343,338
RAC: 277,718
Message 4111 - Posted: 26 Sep 2016, 15:08:56 UTC - in response to Message 4099.
Last modified: 26 Sep 2016, 15:09:26 UTC

It will take some time to implement SSL here. I'll probably use a Let's Encrypt certificate, but I need to do a few tricks to maintain compatibility with older clients. This is a project with one of the lowest hardware requirements (the app itself requires fewer resources than the BOINC core client) and there are many very old clients attached (even from the 5.x era), which probably won't handle SSL at all or won't support a Let's Encrypt certificate.

My plan is:
- redirect web browsers to https for all webpages
- redirect 7.x clients to the SSL URL of the scheduler/file_upload_handler while leaving the original scheduler URL unchanged
- leave the original scheduler URL untouched for older clients
- the download directory will probably still use plain http

It will however take some time to get a working config, as it requires lots of testing.
M4 Project homepage
M4 Project wiki
ID: 4111
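TJM's plan above, together with Customminer's point that the certificate lives on the Apache host that terminates TLS (here the front-end proxy, with the BOINC server behind the VPN staying on plain HTTP), written out as an Apache configuration. This is an added example, not the project's real config: the host name is the one on this page, while the VPN address 10.8.0.2, the /project_cgi/ and /project/download/ paths, and the file locations are assumptions.

```apache
# Added example, not the project's own config. TLS terminates on the public
# front-end proxy; the BOINC server behind the VPN still speaks plain HTTP.
# Assumed: 10.8.0.2 is the BOINC server's VPN address, /project_cgi/ and
# /project/download/ are the scheduler/upload and download paths, and the
# local file paths are placeholders. Needs mod_ssl, mod_rewrite,
# mod_proxy_http, mod_headers and mod_alias.

<VirtualHost *:80>
    ServerName www.enigmaathome.net
    # certbot --webroot writes the ACME challenge file below this directory.
    DocumentRoot /var/www/html
    RewriteEngine On
    # Redirect to https unless the request is the ACME challenge (must stay
    # on plain http), the download directory (stays plain http), or the
    # scheduler/file_upload_handler from a client older than 7.x.
    # BOINC's User-Agent is "BOINC client (<platform> <version>)"; that a 7.x
    # client follows the redirect is an assumption the plan says must be tested.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteCond %{REQUEST_URI} !^/project/download/
    RewriteCond %{REQUEST_URI} !^/project_cgi/ [OR]
    RewriteCond %{HTTP_USER_AGENT} "^BOINC client \(\S+ 7\."
    # 307 keeps the POST method and body of scheduler requests.
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=307,L]

    # Older clients keep using the unchanged scheduler URL over http.
    ProxyPass        /project_cgi/ http://10.8.0.2/project_cgi/
    ProxyPassReverse /project_cgi/ http://10.8.0.2/project_cgi/
    # Static download files are served by the front end itself.
    Alias /project/download/ /srv/boinc/download/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.enigmaathome.net
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/www.enigmaathome.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.enigmaathome.net/privkey.pem
    # SSLv2/SSLv3 off; TLS 1.0-1.2 kept so 7.x clients built against older
    # OpenSSL can still connect.
    SSLProtocol all -SSLv2 -SSLv3

    # Web pages, scheduler and upload handler all go to the BOINC server.
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        / http://10.8.0.2/
    ProxyPassReverse / http://10.8.0.2/
</VirtualHost>
```

The scheduler and file_upload_handler stay reachable at their original http URL for pre-7.x clients, while browsers and 7.x clients land on the same paths over https; certbot's renewal keeps working because the ACME path is never redirected.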
lanbrown

Joined: 22 Aug 11
Posts: 63
Credit: 119,338,433
RAC: 2,155
Message 4132 - Posted: 17 Oct 2016, 0:19:36 UTC - in response to Message 4111.

there are many very old clients attached (even from the 5.x era), which probably won't handle SSL at all or won't support a Let's Encrypt certificate.

They'll handle SSL, as SSL has been around for many years. The older clients will not support TLS 1.0, TLS 1.1 and TLS 1.2. Also, the current security best practice is to use a SHA2 cert and TLS 1.2 only. Windows XP supports TLS 1.2 (not enabled by default in IE though) and a patch was required to get SHA2 cert compatibility. So to support older clients you are looking at a cert that many CAs won't even issue. So then the question is, is encryption worth the loss of older clients? The majority of what is sent back and forth are WUs and results; nothing in those is worth encrypting. The only thing worth encrypting would be the login aspect of it all.

With the project coming to a close in a year or under, it doesn't really seem to matter to me if there is an SSL cert or not.
ID: 4132

Copyright © 2017 TJM