SSL Certificate |
Author | Message |
---|---|
NeuralMiner Joined: 9 Jul 16 Posts: 1 Credit: 47,450 RAC: 0 |
Hello, I'm a member of the Gridcoin community, and we're currently looking into providing better security for our crunchers. It looks like this project isn't currently using an SSL certificate. Are there any plans to remedy this in the near future? There's a chance that not having an SSL cert may lead to this project being removed from the project whitelist, which means it will no longer be crunched by the Gridcoin team. The discussion regarding the whitelist can be found here: https://cryptocointalk.com/topic/29841-discussion-boinc-whitelist-monitoring/?p=221133 |
noderaser Joined: 24 Dec 08 Posts: 88 Credit: 1,496,863 RAC: 0 |
Although the project has soldiered on, the admin hasn't been around for many months, and there haven't been any major changes in years. |
Erkan Yilmaz Joined: 1 Apr 09 Posts: 7 Credit: 27,107 RAC: 0 |
1 month passed, and still no response :-( It seems nobody on the staff considers our security an important issue? |
Erkan Yilmaz Joined: 1 Apr 09 Posts: 7 Credit: 27,107 RAC: 0 |
Well, the project admin is active and replies in other threads. (1) So, we can conclude he has no interest in taking care of this security issue :-( (2) I will also PM him now. (1) http://www.enigmaathome.net/forum_user_posts.php?userid=1 (2) will note this in: https://cryptocointalk.com/topic/49384-enigmahome/ |
TJM Project administrator Project developer Project scientist Joined: 25 Aug 07 Posts: 843 Credit: 267,994,998 RAC: 0 |
I have no idea if https setup is possible with my current config. Since the early days the BOINC server is hidden behind another server, which acts like a proxy and load balancer. It handles some stuff (static files) on its own and the rest is forwarded to the BOINC server via two VPNs. Now the question is, where would I have to install the certificate. I think it would work installed just on the frontend server but I've never tested a setup like this so I'm not sure. Also, are there any cheap and reliable SSL certificates? My budget is limited. M4 Project homepage M4 Project wiki |
Customminer Joined: 3 Apr 14 Posts: 1 Credit: 502,066 RAC: 0 |
"I have no idea if https setup is possible with my current config. Since the early days the BOINC server is hidden behind another server, which acts like a proxy and load balancer. It handles some stuff (static files) on its own and the rest is forwarded to the BOINC server via two VPNs." The HTTPS certificate will be installed wherever you have installed the Apache web server to. You should check out letsencrypt: https://letsencrypt.org/ It's a free SSL cert authority that's backed by multiple Fortune 500 companies. I used EFF's Certbot to install letsencrypt; it was quite easy: https://certbot.eff.org/ |
TJM Project administrator Project developer Project scientist Joined: 25 Aug 07 Posts: 843 Credit: 267,994,998 RAC: 0 |
It will take some time to implement SSL here. I'll probably use a Let's Encrypt certificate, but I need to do a few tricks to maintain compatibility with older clients. This is a project with one of the lowest hardware requirements (the app itself requires fewer resources than the BOINC core client) and there are many very old clients attached (even from the 5.x era), which probably won't handle SSL at all or won't support a Let's Encrypt certificate. My plan is:
- redirect web browsers to https for all webpages
- redirect 7.x clients to ssl url of scheduler/file_upload_handler while leaving original scheduler url not changed
- leave the original scheduler url untouched, for older clients.
- download directory will probably still use plain http

It will however take some time to get a working config, as it requires lots of testing. M4 Project homepage M4 Project wiki |
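
TJM's plan above, written out as a routing decision for the frontend server. This is an added example, not the project's configuration or code from the thread; the paths, the `project.example` host and the User-Agent format `BOINC client (<platform> <version>)` are assumptions.

```python
import re

# Assumption: BOINC clients send "BOINC client (<platform> <maj>.<min>.<rel>)".
BOINC_UA = re.compile(r"^BOINC client \(\S+ (\d+)\.\d+\.\d+\)")

# Hypothetical paths and host for illustration; the thread does not give them.
RPC_PATHS = {"/example_cgi/cgi", "/example_cgi/file_upload_handler"}
DOWNLOAD_PREFIX = "/example/download/"
HTTPS_ORIGIN = "https://project.example"


def boinc_major(user_agent):
    """Return the BOINC client's major version, or None for anything else."""
    m = BOINC_UA.match(user_agent or "")
    return int(m.group(1)) if m else None


def route(scheme, path, user_agent):
    """Decide what the frontend does with one request: (action, location)."""
    if scheme == "https":
        return ("serve", None)        # already encrypted
    if path.startswith(DOWNLOAD_PREFIX):
        return ("serve", None)        # plan: downloads stay on plain http
    major = boinc_major(user_agent)
    if major is None:
        # No recognisable BOINC User-Agent: treated as a browser, moved to https.
        return ("redirect-301", HTTPS_ORIGIN + path)
    if major >= 7 and path in RPC_PATHS:
        # 307 keeps the POST method and body; 301/302 may turn it into a GET.
        return ("redirect-307", HTTPS_ORIGIN + path)
    return ("serve", None)            # older clients: original URL untouched


# Constructed sample requests: (scheme, path, User-Agent).
SAMPLES = [
    ("http", "/forum_index.php", "Mozilla/5.0 (X11; Linux x86_64)"),
    ("http", "/example_cgi/cgi", "BOINC client (windows_x86_64 7.6.33)"),
    ("http", "/example_cgi/cgi", "BOINC client (windows_intelx86 5.10.45)"),
    ("http", "/example/download/app.exe", "BOINC client (windows_x86_64 7.6.33)"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[1], sample[2], "->", route(*sample))
```

The User-Agent header is set by the client, so this only sorts clients by compatibility; anything still served over plain http remains unencrypted.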
lanbrown Joined: 22 Aug 11 Posts: 63 Credit: 119,540,472 RAC: 0 |
"there are many very old clients attached (even from the 5.x era), which probably won't handle ssl at all or won't support let's encrypt certificate." They'll handle SSL as SSL has been around for many years. The older clients will not support TLS 1.0, TLS 1.1 and TLS 1.2. Also, the current security best practice is to use a SHA2 cert and TLS 1.2 only. Windows XP supports TLS 1.2 (not enabled by default in IE though) and a patch was required to get SHA2 cert compatibility. So to support older clients you are looking at a cert that many CAs won't even issue. So then the question is, is encryption worth the loss of older clients? The majority of what is sent back and forth are WUs and results; nothing in those is worth encrypting. The only thing worth encrypting would be the login aspect of it all. With the project coming to a close in a year or under, it doesn't seem to really matter to me if there is an SSL cert or not. |