HTTPS for Master URL please

Bryan Quigley

Joined: 5 Mar 20
Posts: 3
Credit: 16,686
RAC: 0
Message 3122 - Posted: 1 Oct 2021, 17:28:28 UTC

This would ensure no information is transmitted in plain text and reduce the attack possibilities against client computers. I know a lot of info is already transmitted encrypted, but the initial connection is a weak point.

For older clients, it requires a detach and reattach. For newer clients it will handle adding HTTPS itself. (See https://github.com/BOINC/boinc/commit/b695ca2c05c42814bd832d17134dfefd4c9969ac)

I've pledged to contribute my resources to any projects that switch as a way to help mitigate any potential losses (I'm hoping others join me on that). See BOINC thread here: https://github.com/BOINC/boinc/issues/1345
Eric Driver
Project administrator
Project developer
Project tester
Project scientist

Joined: 8 Jul 11
Posts: 1188
Credit: 228,221,867
RAC: 225,724
Message 3123 - Posted: 2 Oct 2021, 15:33:00 UTC - in response to Message 3122.  

Our server is using SSL and http requests are automatically redirected to https. So I am a little confused here. Are you referring to the scheduler requests that occur from within the client?

I tried to change the URLs in the config file a year or 2 ago. It ended up causing all kinds of connection problems with users and brought the project to a standstill. So I am a little hesitant to do that again.
Richard Haselgrove

Joined: 28 Oct 11
Posts: 175
Credit: 156,175,125
RAC: 54,423
Message 3124 - Posted: 2 Oct 2021, 21:26:14 UTC - in response to Message 3123.  

Please keep an eye on future developments - specifically, https://github.com/BOINC/boinc/pull/4539, "all master URL update to https".

David Anderson wrote that yesterday, when he should have been fixing a problem caused by the expiry of an SSL certificate the day before.

Judging by his comment, "Note: code you wrote a long time ago sometimes doesn't seem to make any sense at all", I don't expect this feature to be fully tested in time for the emergency release we expect in the next few days, but there's hope that the problems you encountered will be reduced when the next recommended release reaches widespread coverage.
Bryan Quigley

Joined: 5 Mar 20
Posts: 3
Credit: 16,686
RAC: 0
Message 3125 - Posted: 2 Oct 2021, 21:30:45 UTC - in response to Message 3123.  

Yes, the master_url (https://numberfields.asu.edu/NumberFields/get_project_config.php) or project url that BOINC does the initial connection with.

2 years ago the patch for handling http->https changes automatically wasn't there. Depending on how many users have upgraded to a version that includes it, it should go much better. (Also importantly, your cert doesn't seem affected by the recent BOINC CA issues.)
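Added example (not part of the thread and not BOINC code): a client-side check for attached projects that still store a plain-HTTP master or scheduler URL, the case discussed above where a server redirect to HTTPS still leaves the first request in plaintext. The `client_state.xml` layout shown (`<project>` with `<master_url>` and `<scheduler_url>`) is an assumption, and the example.org projects are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample, trimmed to the elements this check reads (assumed layout).
SAMPLE_STATE = """<client_state>
  <project>
    <master_url>http://project-a.example.org/a/</master_url>
    <scheduler_url>https://project-a.example.org/a_cgi/cgi</scheduler_url>
  </project>
  <project>
    <master_url>https://project-b.example.org/b/</master_url>
    <scheduler_url>http://project-b.example.org/b_cgi/cgi</scheduler_url>
  </project>
  <project>
    <master_url>https://project-c.example.org/c/</master_url>
    <scheduler_url>https://project-c.example.org/c_cgi/cgi</scheduler_url>
  </project>
</client_state>"""

def is_https(url):
    return urlsplit(url.strip()).scheme.lower() == "https"

def to_https(url):
    # Same host and path, scheme forced to https (what a re-attach would use).
    return urlsplit(url.strip())._replace(scheme="https").geturl()

def audit_projects(state_xml):
    """Return one finding per attached project, worst problem first."""
    findings = []
    for proj in ET.fromstring(state_xml).iter("project"):
        master = (proj.findtext("master_url") or "").strip()
        scheds = [s.text.strip() for s in proj.findall("scheduler_url") if s.text]
        plain = [u for u in scheds if not is_https(u)]
        if not is_https(master):
            status = "plaintext-master"      # first contact goes out unencrypted
        elif plain:
            status = "plaintext-scheduler"   # master is fine, scheduler RPC is not
        else:
            status = "ok"
        findings.append({"master_url": master, "status": status,
                         "https_master": to_https(master),
                         "plaintext_schedulers": plain})
    return findings

if __name__ == "__main__":
    for f in audit_projects(SAMPLE_STATE):
        print(f["status"], f["master_url"], "->", f["https_master"])
```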
Richard Haselgrove

Joined: 28 Oct 11
Posts: 175
Credit: 156,175,125
RAC: 54,423
Message 3128 - Posted: 3 Oct 2021, 7:39:29 UTC

Another reason for not acting too precipitately: the SSL expiry problem only affected clients running on the Windows platform. They use a static ca-bundle.crt file, which can't be automatically updated. Other platforms use the operating system's security bundle, so they get updates with system updates.

The emergency release we are expecting 'real soon now' will be for Windows only. The http->https patch will only be fully effective when a planned release is made across all platforms. That's been overdue for a while, but there's no sign of a plan for when it might take place.
Eric Driver
Project administrator
Project developer
Project tester
Project scientist

Joined: 8 Jul 11
Posts: 1188
Credit: 228,221,867
RAC: 225,724
Message 3132 - Posted: 3 Oct 2021, 17:38:58 UTC - in response to Message 3128.  

It sounds like I should wait until the patch is available to all platforms.
Bryan Quigley

Joined: 5 Mar 20
Posts: 3
Credit: 16,686
RAC: 0
Message 3179 - Posted: 28 Nov 2021, 7:27:55 UTC

The Windows version 7.6.20 should make the http->https seamless (has been out for some time) - it did include the previously mentioned patch.

Mac/Linux users likely still have to do the detach/re-attach dance (it's unlikely to reach all Linux users for a while - and there isn't a new Mac build available yet).
Richard Haselgrove

Joined: 28 Oct 11
Posts: 175
Credit: 156,175,125
RAC: 54,423
Message 3180 - Posted: 28 Nov 2021, 8:56:19 UTC - in response to Message 3179.  

Project admins should pester David Anderson to ask why there is still no sign of a v7.18 release for all platforms.


Copyright © 2022 Arizona State University