HTTPS Support

SuperSluether
Joined: 1 Sep 14
Posts: 11
Credit: 1,123,799
RAC: 0
Message 4300 - Posted: 8 Mar 2017, 15:58:52 UTC
Last modified: 8 Mar 2017, 16:01:27 UTC

Firefox 52 has introduced a security warning for insecure login pages. Other popular browsers have similar warnings. In the near future, browsers may start blocking insecure login pages altogether.

https://i.imgur.com/eid37k0.png

The EFF has built a tool called CertBot that can automatically configure an Apache or Nginx server with a free HTTPS certificate from the Let's Encrypt authority. Please consider adding HTTPS support to this website.

More information on why encryption is important: https://www.eff.org/encrypt-the-web

More info on CertBot: https://certbot.eff.org
ID: 4300 · Rating: 0

lanbrown
Joined: 22 Aug 11
Posts: 63
Credit: 119,540,472
RAC: 0
Message 4301 - Posted: 8 Mar 2017, 18:13:38 UTC

There was already a thread about this, you can read it here:
http://www.enigmaathome.net/forum_thread.php?id=799#4027

It is not a trivial process to just add HTTPS. The certs being issued now may not be compatible with older clients, some of which are crunching this project. SHA-256 may not be supported and then if you really want to be secure, you need TLS 1.2, which also may not be supported. Forget about XP with default settings. Then you run into which cipher to use and if you want security, XP will never be able to connect at all.

Also, you do realize that the current estimate is that this project will be over as all WU's will be crunched by September/October of this year, right? This project could be over by the next WU as well.

As for Let's Encrypt, I wonder how long their roots will be trusted. In the past 6 months, they have issued certs with PayPal in the name. Someone went through and found that all but one of them was used for phishing activities. The stance from Let's Encrypt is that this is not their problem as the CA is not the right place to enforce such things. Other CA's do in fact enforce such things but they are known to allow some to slip through. The big difference, if you take all of the CA's but exclude Let's Encrypt and add all of the certs they issued that had PayPal in the name, Let's Encrypt far surpasses them and that is only looking at the last 6 months. There are nearly 1,000 Let's Encrypt certificates that have PayPal in the name but it wasn't PayPal that requested the certs. The estimate is that it will go from 1,000 to 2,000 by next month all via Let's Encrypt. If browsers decide to no longer trust Let's Encrypt roots, you wouldn't be able to access this site if it was secured.

IMO, as someone that deals with security, this project is not worth encrypting. Use a password here that you don't use elsewhere and live with it. The effort required to put a cert on this site is not worth it for something that can end at any time and will be concluded in a matter of months anyway.

What are you trying to protect? Your password? Proper security would be not to use the same password anyway. So what could someone actually get from knowing your password? See how many WU's you crunched, your computers, your email address? How are they going to get it? WLAN? Isn't your WLAN properly secured? After that, it is all wired connectivity.
ID: 4301 · Rating: 0

SuperSluether
Joined: 1 Sep 14
Posts: 11
Credit: 1,123,799
RAC: 0
Message 4302 - Posted: 8 Mar 2017, 18:53:39 UTC - in response to Message 4301.  
Last modified: 8 Mar 2017, 19:08:37 UTC

My bad, I didn't use the right search term.

I understand HTTPS isn't just a click of a button, but I don't see the problem with adding it. Windows XP is very outdated, no longer supported by Microsoft, and also no longer supports any major web browser. (Firefox 52 is the last version to support XP)

Anyone running a computer old enough to not understand HTTPS is not secure, and shouldn't have an Internet connection. A computer like that wouldn't even be good for basic web browsing.

As far as Let's Encrypt being trustworthy, Symantec hasn't been very diligent either as of late: https://arstechnica.com/security/2017/01/already-on-probation-symantec-issues-more-illegit-https-certificates/

It's not a question of "is it worth encrypting." Look at websites like Ars Technica or HowToGeek. What are you protecting?

Using a different password isn't feasible for everyone either, as BOINC account managers require each project to have the same password.

IMO, as someone who deals with security and encryption, I belive encryption should be used wherever and whenever possible.
ID: 4302 · Rating: 0

lanbrown
Joined: 22 Aug 11
Posts: 63
Credit: 119,540,472
RAC: 0
Message 4304 - Posted: 11 Mar 2017, 4:18:47 UTC - in response to Message 4302.  

> I understand HTTPS isn't just a click of a button, but I don't see the problem with adding it. Windows XP is very outdated, no longer supported by Microsoft, and also no longer supports any major web browser. (Firefox 52 is the last version to support XP)

Because it has already been discussed that, with how TJM has the site set up, he just cannot easily add it.

But yet there are Windows XP machines contributing.

> Anyone running a computer old enough to not understand HTTPS is not secure, and shouldn't have an Internet connection. A computer like that wouldn't even be good for basic web browsing.
So you are willing to buy poor people new computers? That is very generous of you.

There are also PowerPC machines that are contributing.

Even Windows Vista doesn't support TLS 1.2 out of the box, it needs to be enabled. This is even with the last version of IE available for it. It was not until Windows 8.1 that TLS 1.2 was enabled by default.

People are also willing to volunteer their computer(s) to this project.

> As far as Let's Encrypt being trustworthy, Symantec hasn't been very diligent either as of late: https://arstechnica.com/security/2017/01/already-on-probation-symantec-issues-more-illegit-https-certificates/

Yep, and Symantec has been threatened to be revoked too. Do you think Let's Encrypt will be immune from it?

Symantec is overpriced, always has been too.

> It's not a question of "is it worth encrypting." Look at websites like Ars Technica or HowToGeek. What are you protecting?
Not my sites, so I'm not protecting anything in regards to them.

> Using a different password isn't feasible for everyone either, as BOINC account managers require each project to have the same password.
That is a decision that you have made to use a BOINC account manager. You are also trusting yet another place and another place that can get hacked. Not very secure.

> IMO, as someone who deals with security and encryption, I belive encryption should be used wherever and whenever possible.
You "belive" all you want about encryption, it won't be coming to this site soon. The Android client won't run on anything 5 or higher. If there were years left of computing, it would make sense, but you are talking 6 months or less before all WU's are completed or it could be the very next WU. This isn't like some research projects that there is a fixed number of WU's and they will crunch all of them. This project, once the message has been broken, it is over. Of course, the message may still not be broken even after all of the WU's have been completed.

Given that the owner of the project is rarely here, all the more reason why encryption is a dream.

If encryption is a requirement for you, there are plenty of other projects that support it.

If you look at your RAC, if TJM enabled encryption, he would lose far more processing power than you contribute. Given that he is paying the costs to run this project out of his pocket, extending the complete date hits him financially.
ID: 4304 · Rating: 0

SuperSluether
Joined: 1 Sep 14
Posts: 11
Credit: 1,123,799
RAC: 0
Message 4305 - Posted: 11 Mar 2017, 4:52:04 UTC

I was just suggesting an idea. You don't need to be so condescending. I saw HTTPS on many other BOINC projects, and thought I'd make a thread about it here.
ID: 4305 · Rating: 0

lanbrown
Joined: 22 Aug 11
Posts: 63
Credit: 119,540,472
RAC: 0
Message 4306 - Posted: 11 Mar 2017, 18:24:43 UTC

An idea that was already covered? An idea that costs someone else money and their time? An idea that would reduce computing power on the project? Going with your RAC and using the absolute best case scenario, you do a maximum of 250 WU's per day.

By default 4.1 to 4.4.4 of Android doesn't have TLS 1.2 support enabled by default, neither does any version of Windows until 8.1. Previous versions of Android don't even support TLS 1.2. Android 5 isn't supported by this project, so 100% of Android computing is 4.4.4 or lower. Security best practices state SHA-256 cert, TLS 1.2 and high cipher strength. In the past 24 hours, 5,630 WU's have been completed on Android devices or over 20 times what you contributed.

How about PowerPC? 280 WU's in the last 24 hours; 30 more than you.

OS X 10.8 also didn't support TLS 1.2. So any Mac not running Mavericks (10.9) or later would have issues. Leopard (10.5) was the last version of OS X to support the PowerPC.

Other projects that have encryption, they ran into issues when the CA's started issuing certs that were SHA-256. They saw some contributors having issues with SHA-256 certs compared to the previous SHA-1 certs. This was due to older systems not supporting SHA-256 certs. CA's won't issue SHA-1 certs anymore.

Either TJM would need to look at the browser string to control encryption being used or not, or not apply encryption to everything. He could just do the main website but some people still might have issues. The backend for WU's would still need to be unencrypted. If you allow encrypted and unencrypted, since you are worried about no encryption, someone could use that as an exploit and force the connection to no encryption. Even if TJM enabled encryption, he would need to support TLS 1.0 and TLS 1.1 for older systems. This means that POODLE could be used. If SSL 3 is included, you can have Heartbleed. Obviously there are OpenSSL releases that fix this, but they don't fix everything and all vulnerabilities related to TLS 1.0 and TLS 1.1. TLS 1.0 and 1.1 are considered weak and vulnerable. TLS 1.0 and 1.1 means that you have to support SHA-1 as well, which is considered broken as $75k in cloud computing will generate a collision. A collision is no longer a possibility but a reality.
https://phys.org/news/2017-02-cwi-google-collision-industry-standard.html

No matter what encryption is used, your password is stored somewhere on the systems. If you are worried about your password, you should be asking how it is stored.

Cases where the passwords were breached:
Adobe http://www.zdnet.com/article/adobe-admits-2-9m-customer-accounts-have-been-compromised/
AOL http://corp.aol.com/news/aol-security-update
Ashley Madison http://thehackernews.com/2015/09/ashley-madison-password-cracked.html
Friend Finder https://techcrunch.com/2016/11/13/friendfinder-hack-412-million-accounts-breached/
LinkedIn http://fortune.com/2016/05/18/linkedin-data-breach-email-password/

There are many, many more. So if someone really wanted to get passwords or other information, they would try to target the database, not the communication. They could get far more user information by getting the database.
ID: 4306 · Rating: 0
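
Added example (not part of the thread and not the project's code): one way to put numbers on the trade-off argued in the post above is to classify requests in the web server's access log by user-agent string and count how many come from platforms that, per the poster's figures, lack TLS 1.2 by default. The log lines are constructed, and the version thresholds (Windows before 8.1, Android 4.4.4 or lower, OS X before 10.9) are the post's claims used as assumptions.

```python
import re
from collections import Counter

# Minimum OS versions with TLS 1.2 on by default, as stated in the post above
# (the poster's figures, used here as assumptions): Windows 8.1 = NT 6.3,
# Android 5, OS X 10.9.
UA_RULES = [
    ("windows", re.compile(r"Windows NT (\d+)\.(\d+)"), (6, 3)),
    ("android", re.compile(r"Android (\d+)(?:\.(\d+))?(?:\.(\d+))?"), (5,)),
    ("osx", re.compile(r"Mac OS X (\d+)[._](\d+)"), (10, 9)),
]
# In a combined-format access log line the last double-quoted field is the user agent.
LAST_QUOTED = re.compile(r'"([^"]*)"\s*$')

# Constructed sample log lines (documentation IP ranges, invented requests).
SAMPLE_LOG = """\
198.51.100.7 - - [11/Mar/2017:18:00:01 +0000] "GET /login_form.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 Firefox/52.0"
198.51.100.8 - - [11/Mar/2017:18:00:02 +0000] "GET /home.php HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
203.0.113.20 - - [11/Mar/2017:18:00:03 +0000] "GET /home.php HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Linux; Android 4.4.4; Nexus 5 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Mobile Safari/537.36"
203.0.113.21 - - [11/Mar/2017:18:00:04 +0000] "GET /home.php HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Safari/537.36"
203.0.113.22 - - [11/Mar/2017:18:00:05 +0000] "GET /home.php HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Macintosh; PPC Mac OS X 10.5; rv:10.0.2) Gecko/20100101 Firefox/10.0.2"
203.0.113.23 - - [11/Mar/2017:18:00:06 +0000] "POST /cgi HTTP/1.1" 200 64 "-" "BOINC client (windows_x86_64 7.6.33)"
"""

def classify(user_agent):
    """Map a user-agent string to (platform, 'tls12-default' or 'legacy')."""
    for platform, pattern, minimum in UA_RULES:
        match = pattern.search(user_agent)
        if match:
            version = tuple(int(g) for g in match.groups() if g is not None)
            return platform, "tls12-default" if version >= minimum else "legacy"
    return "unknown", "unknown"  # e.g. non-browser clients: measure these separately

def summarize(log_text):
    """Count requests per (platform, status) so the legacy share is visible."""
    counts = Counter()
    for line in log_text.splitlines():
        match = LAST_QUOTED.search(line)
        if match:
            counts[classify(match.group(1))] += 1
    return counts

def legacy_share(counts):
    """Fraction of classified (non-unknown) requests that come from legacy platforms."""
    known = sum(n for (_, status), n in counts.items() if status != "unknown")
    legacy = sum(n for (_, status), n in counts.items() if status == "legacy")
    return legacy / known if known else 0.0

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(dict(result))
    print("legacy share of classified requests: %.0f%%" % (100 * legacy_share(result)))
```

The OS version in a user agent is only a proxy: browsers that ship their own TLS library can differ from the platform default, so treat the result as a rough estimate.
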
SuperSluether

Joined: 1 Sep 14
Posts: 11
Credit: 1,123,799
RAC: 0
Message 4336 - Posted: 27 Mar 2017, 17:07:56 UTC
Last modified: 27 Mar 2017, 17:08:19 UTC

If you can't update to support the latest security protocols, you are going to be left behind.

It's up to the project admin whether or not to support HTTPS. I understand that it will lock out older clients, but it's a trade-off that other projects have already made, so it's not automatically impossible just because you say so.

Any further discussion with you will just lead to circular reasoning. Given the current circumstances in the US where Congress is about to vote on getting rid of ISP privacy rules, I will take your previous advice and contribute to projects that employ proper security.
ID: 4336 · Rating: 0

lanbrown
Joined: 22 Aug 11
Posts: 63
Credit: 119,540,472
RAC: 0
Message 4337 - Posted: 27 Mar 2017, 20:17:07 UTC - in response to Message 4336.  

> If you can't update to support the latest security protocols, you are going to be left behind.
>
> It's up to the project admin whether or not to support HTTPS. I understand that it will lock out older clients, but it's a trade-off that other projects have already made, so it's not automatically impossible just because you say so.
>
> Any further discussion with you will just lead to circular reasoning. Given the current circumstances in the US where Congress is about to vote on getting rid of ISP privacy rules, I will take your previous advice and contribute to projects that employ proper security.

As previously stated, these "older" clients do more work per day than you do. Since TJM pays the bills and you do not, it is his call. From the sounds of it, it won't be done. Especially since no new WU's have been issued for a few days now. So if he doesn't have the time to constantly check to make sure things are running, I'm sure he has even less time to implement SSL/TLS/HTTPS or whatever you want to refer to it as.

Also, even with encryption, nothing really says it is actually secure.
ID: 4337 · Rating: 0

SuperSluether
Joined: 1 Sep 14
Posts: 11
Credit: 1,123,799
RAC: 0
Message 4338 - Posted: 27 Mar 2017, 20:25:24 UTC - in response to Message 4337.  


> As previously stated, these "older" clients do more work per day than you do.

Obviously, because these "older" client*s* are multiple, as in more than one. I am one person. Obviously a group of clients (older or newer) would do more work than me. I'm sure there are even single clients that do more work in a day than I do.

And here I thought maybe you were smart. Guess not.
ID: 4338 · Rating: 0

lanbrown
Joined: 22 Aug 11
Posts: 63
Credit: 119,540,472
RAC: 0
Message 4339 - Posted: 27 Mar 2017, 20:35:33 UTC - in response to Message 4338.  


> > As previously stated, these "older" clients do more work per day than you do.
>
> Obviously, because these "older" client*s* are multiple, as in more than one. I am one person. Obviously a group of clients (older or newer) would do more work than me. I'm sure there are even single clients that do more work in a day than I do.
>
> And here I thought maybe you were smart. Guess not.

So you want to get into name calling. I do more work than you do. It takes me 15 to 30 minutes to equal what you do per day.

The point was, making changes that remove older clients will extend the project completion time and that TJM will then need to pay more money out of his pocket. I would say that if you want security enabled, you pay the tab for the difference. Put your money where your mouth is. When someone else is paying the bill, it is easy to spend their money. If you had to pay the hosting fees, would you be so quick to say enable security?

I also find it rather funny that you are worried about security but using a third-party to control your clients. How do you know that they haven't been hacked and your password already compromised? You don't.
ID: 4339 · Rating: 0

SuperSluether
Joined: 1 Sep 14
Posts: 11
Credit: 1,123,799
RAC: 0
Message 4340 - Posted: 27 Mar 2017, 20:40:58 UTC - in response to Message 4339.  

Your stupidity amazes me. I never said I use a third-party to control my clients. But does that mean nobody uses them?

If I paid the hosting fees, I would gladly enable security. I'm not going to pay for something if it's not secure.

Obviously you do more work than I do. I've detached all my clients.

The project completion time is already being extended by the server not sending out work.

When new computers attach, they are likely newer. Who buys a new PowerPC or Android 4.4 device?

I have better things to do. Feel free to talk to yourself, I'm unsubscribing from the thread.
ID: 4340 · Rating: 0

lanbrown
Joined: 22 Aug 11
Posts: 63
Credit: 119,540,472
RAC: 0
Message 4342 - Posted: 27 Mar 2017, 22:12:28 UTC - in response to Message 4340.  

Good. You were worthless anyway, you complain but yet you want to do nothing but want others to do all of the work. I'm not a trash man and I'm pretty sure the same holds true for everyone else here, so now we don't have to take the trash out (i.e. YOU!)

There is another alternative, contact TJM and offer to take the project over. Then you will be paying the hosting fees and you can do as you please. Of course you won't do this as you don't want to do anything but complain.

I also find it funny that you try to sound like you know something but you don't know anything. First, you recommend Let's Encrypt while doing little to no research behind it.

Then making asinine statements like this:
> Anyone running a computer old enough to not understand HTTPS is not secure, and shouldn't have an Internet connection. A computer like that wouldn't even be good for basic web browsing.

How nice of you telling others what they should and should not be doing. A real standup guy.

Then you say this:
> Using a different password isn't feasible for everyone either, as BOINC account managers require each project to have the same password.

Later on you stated:
> I never said I use a third-party to control my clients.

Then a different password would have worked for you. So you were given a workaround and didn't feel the need to use it but still wanted to complain.

Then you make a thread on something that was already discussed because once again, you want others to do your work for you!

So, adios you lazy pile of refuse, you won't be missed!
ID: 4342 · Rating: 0




Copyright © 2024 TJM