HTTPS/SSL certificate updated


Janus (Volunteer moderator, Project administrator)
Joined: 16 Jun 04
Posts: 4461
Credit: 2,094,806
RAC: 0
Message 12038 - Posted: 2 Oct 2013, 17:01:54 UTC

We've updated the server's SSL certificate. You can now experimentally access BURP over an encrypted connection by using this URL:
https://burp.renderfarming.net

Please try it out and throw a post in this thread if you have any issues with the secure site in your favourite browser. Eventually we may switch to use https for all logged in users.

Janus (Volunteer moderator, Project administrator)
Joined: 16 Jun 04
Posts: 4461
Credit: 2,094,806
RAC: 0
Message 13269 - Posted: 21 Sep 2014, 8:56:30 UTC - in response to Message 12038.

Our SSL certificate has been updated

funkydude
Joined: 23 Dec 13
Posts: 275
Credit: 2,478,281
RAC: 0
Message 13270 - Posted: 21 Sep 2014, 9:36:36 UTC

All the things currently wrong:

- You updated the certificate but used SHA1 which is being phased out as it's considered insecure. You should consider updating again using SHA256. Article: https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know
- The front page has mixed http content.
- You don't have a cypher priority, or the list is flawed.
- You have insecure cyphers as an option that should be removed e.g. TLS_ECDH_anon_* and TLS_RSA_WITH_DES_CBC_SHA.
- You have SSL3 enabled making SSL downgrade attacks more effective.

You can build a strong cypher priority by following this guide: https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
Here is a general all round guide worth reading: https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices_1.3.pdf

Overall you can see all the issues with your implementation summarized on this test page: https://www.ssllabs.com/ssltest/analyze.html?d=burp.renderfarming.net&s=78.143.110.10

funkydude
Joined: 23 Dec 13
Posts: 275
Credit: 2,478,281
RAC: 0
Message 13292 - Posted: 29 Sep 2014, 22:35:51 UTC - in response to Message 13270.

Another flaw:
The login page seems hardcoded to redirect to the HTTP version of the website. So if you navigate to the HTTPS version via a bookmark, log in, then you'll be forwarded to an insecure page.

I realize this isn't high priority but these things should be on the to-do. The cypher list change is really easy though, just follow the guide I linked, 5 minutes and done.

Janus (Volunteer moderator, Project administrator)
Joined: 16 Jun 04
Posts: 4461
Credit: 2,094,806
RAC: 0
Message 13294 - Posted: 30 Sep 2014, 16:53:47 UTC - in response to Message 13270.
Last modified: 30 Sep 2014, 16:58:10 UTC

> You updated the certificate but used SHA1 which is being phased out as it's considered insecure. You should consider updating again using SHA256. Article: https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know

Noted for 2015 cert upgrade

> The front page has mixed http content.

Not just the front page - there are a bunch of BOINC-related issues with regard to icons etc. This is something that is on the radar and a patch will be sent upstream once it is sorted out.

> You don't have a cypher priority, or the list is flawed.
> You have insecure cyphers as an option that should be removed e.g. TLS_ECDH_anon_* and TLS_RSA_WITH_DES_CBC_SHA.
> You have SSL3 enabled making SSL downgrade attacks more effective.

Indeed, thanks for the heads-up! This was hopefully fixed about an hour ago. There is no point in allowing people to negotiate an unsafe cipher - then they may as well use HTTP.

> The login page seems hardcoded to redirect to the HTTP version of the website. So if you navigate to the HTTPS version via a bookmark, log in, then you'll be forwarded to an insecure page.

Noted

funkydude
Joined: 23 Dec 13
Posts: 275
Credit: 2,478,281
RAC: 0
Message 13299 - Posted: 1 Oct 2014, 17:36:44 UTC

Nice!

funkydude
Joined: 23 Dec 13
Posts: 275
Credit: 2,478,281
RAC: 0
Message 13795 - Posted: 2 May 2015, 17:09:30 UTC

Is it intended that when I try to connect to the project in the BOINC client using the https link, it seems to fall back to http?

Janus (Volunteer moderator, Project administrator)
Joined: 16 Jun 04
Posts: 4461
Credit: 2,094,806
RAC: 0
Message 13796 - Posted: 2 May 2015, 19:17:04 UTC - in response to Message 13795.

Yes, although the plan is to eventually support both

funkydude
Joined: 23 Dec 13
Posts: 275
Credit: 2,478,281
RAC: 0
Message 13798 - Posted: 2 May 2015, 22:11:16 UTC - in response to Message 13796.

> Yes, although the plan is to eventually support both

What is it that needs changing to be able to support it?

I'm using it for other projects without issues. I thought it was a simple case of just having your server support TLS connections.

Janus (Volunteer moderator, Project administrator)
Joined: 16 Jun 04
Posts: 4461
Credit: 2,094,806
RAC: 0
Message 14094 - Posted: 14 Sep 2015, 20:00:20 UTC
Last modified: 14 Sep 2015, 20:09:23 UTC

The server certificate was updated; this time with slightly stronger keys.

More SSL experiments coming up in the next year or so - in particular the part of the frontend that handles the BOINC connections should now be compatible with encrypted connections, they are just not turned on yet.

funkydude
Joined: 23 Dec 13
Posts: 275
Credit: 2,478,281
RAC: 0
Message 14182 - Posted: 24 Nov 2015, 12:27:32 UTC - in response to Message 14094.

> The server certificate was updated; this time with slightly stronger keys.
>
> More SSL experiments coming up in the next year or so - in particular the part of the frontend that handles the BOINC connections should now be compatible with encrypted connections, they are just not turned on yet.

Do you know if we will need to re-add the project in BOINC when this is enabled?

Janus (Volunteer moderator, Project administrator)
Joined: 16 Jun 04
Posts: 4461
Credit: 2,094,806
RAC: 0
Message 14185 - Posted: 24 Nov 2015, 16:42:49 UTC - in response to Message 14182.
Last modified: 24 Nov 2015, 16:50:14 UTC

You can but it will not be necessary.

The status on that is that encrypted scheduler requests have now been enabled for a small group of test users.

If you want to be part of the early tests (now) then you can find the file called "client_state.xml" in your BOINC directory. Stop BOINC, open the file and add an "s" to "http" in the scheduler URL for BURP. Ask BOINC to restart. This encrypts scheduler requests.

For now (and until https is enabled on everything for everyone) you will get this notice if you also change the master URL in "account_burp.renderfarming.net.xml":
24-11-2015 16:22:27 | BURP | You used the wrong URL for this project. When convenient, remove this project, then add http://burp.renderfarming.net/
If you don't like that notice you can skip that part.

If you do both then data is encrypted on everything but file downloads (which are publicly cacheable on proxies anyway and are intentionally not encrypted).

Post back with any issues if you run into anything.

ps. Some of the gallery content on the site is currently not HTTPS due to the caching system being offline.
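The scheduler-URL edit described above, as an added Python example that is not part of the thread or of BOINC itself: it rewrites a constructed client_state.xml fragment (assumed layout; the scheduler path "burp_cgi/cgi" is a placeholder) so that only the BURP scheduler URL becomes https, leaving master_url untouched unless asked, since changing it triggers the "wrong URL for this project" notice mentioned in the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the <project> entries in BOINC's client_state.xml
# (assumed layout; the scheduler path "burp_cgi/cgi" is a placeholder, not BURP's real one).
SAMPLE_CLIENT_STATE = """<client_state>
<project>
    <master_url>http://burp.renderfarming.net/</master_url>
    <project_name>BURP</project_name>
    <scheduler_url>http://burp.renderfarming.net/burp_cgi/cgi</scheduler_url>
</project>
<project>
    <master_url>http://other.example/</master_url>
    <project_name>Other project</project_name>
    <scheduler_url>http://other.example/cgi</scheduler_url>
</project>
</client_state>
"""

BURP_MASTER_URL = "http://burp.renderfarming.net/"


def upgrade_scheduler_url(xml_text, master_url=BURP_MASTER_URL, also_master=False):
    """Return (new_xml, changed): the scheduler URL of the project whose
    <master_url> matches is switched from http:// to https://.

    master_url is left alone by default because, per the thread, changing it
    makes BOINC emit the "wrong URL for this project" notice."""
    root = ET.fromstring(xml_text)
    changed = 0
    for project in root.iter("project"):
        master = project.find("master_url")
        if master is None or (master.text or "").strip() != master_url:
            continue  # only touch the project we were asked about
        targets = ["scheduler_url"] + (["master_url"] if also_master else [])
        for tag in targets:
            node = project.find(tag)
            if node is not None and (node.text or "").strip().startswith("http://"):
                node.text = "https://" + node.text.strip()[len("http://"):]
                changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def scheduler_urls(xml_text):
    """Map project name -> scheduler URL, to verify the edit before restarting BOINC."""
    root = ET.fromstring(xml_text)
    return {p.findtext("project_name"): p.findtext("scheduler_url").strip()
            for p in root.iter("project")}


if __name__ == "__main__":
    new_xml, n = upgrade_scheduler_url(SAMPLE_CLIENT_STATE)
    print(n, scheduler_urls(new_xml))
```

Run it against a copy of the real file only while BOINC is stopped, as the post says, since the client rewrites client_state.xml on exit.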

funkydude
Joined: 23 Dec 13
Posts: 275
Credit: 2,478,281
RAC: 0
Message 14186 - Posted: 24 Nov 2015, 22:38:31 UTC

Will file downloads ever also be encrypted?

When I clicked reply to this thread whilst browsing in https, logged in securely, I was forwarded to the http version of the site.

Same thing happens when I view a project in server status and click the "frames" page.

Janus (Volunteer moderator, Project administrator)
Joined: 16 Jun 04
Posts: 4461
Credit: 2,094,806
RAC: 0
Message 14187 - Posted: 26 Nov 2015, 16:24:55 UTC - in response to Message 14186.

> Will file downloads ever also be encrypted?

No. Ever is such a strong word, though. Currently there are no intentions to do that, no.

funkydude
Joined: 23 Dec 13
Posts: 275
Credit: 2,478,281
RAC: 0
Message 14197 - Posted: 7 Dec 2015, 12:23:23 UTC

Same thing when browsing to account settings and logging in.

funkydude
Joined: 23 Dec 13
Posts: 275
Credit: 2,478,281
RAC: 0
Message 14200 - Posted: 9 Dec 2015, 13:40:05 UTC

Would you be able to change/fix the downloaded XML files to point to https forum links/images/etc?

e.g. image URLs in sched_reply_burp.renderfarming.net.xml
website links in master_burp.renderfarming.net.xml

Janus (Volunteer moderator, Project administrator)
Joined: 16 Jun 04
Posts: 4461
Credit: 2,094,806
RAC: 0
Message 14202 - Posted: 9 Dec 2015, 17:24:13 UTC

Good question, some of those appear to be auto-generated but it seems they can be overridden through settings on the server.

funkydude
Joined: 23 Dec 13
Posts: 275
Credit: 2,478,281
RAC: 0
Message 14203 - Posted: 10 Dec 2015, 12:48:55 UTC

A lot of the content in those XML files appears to be auto-generated, as modifying it just results in it being overwritten. Hopefully it's something you can resolve on the server.

funkydude
Joined: 23 Dec 13
Posts: 275
Credit: 2,478,281
RAC: 0
Message 14226 - Posted: 22 Dec 2015, 16:47:40 UTC

Did you resolve the XML links?

Hopefully you can make the HTTPS route official soon. The problem is I've updated to the latest beta of BOINC, and they've decided to make the "this project is using the wrong URL" a red warning in the event log, and a constant repeating message in the notices section.

Unfortunately the current stable release of BOINC uses an old insecure version of OpenSSL, hopefully they will release a new stable version soon. But if they do, this beta phase will become annoying to more people.

Janus (Volunteer moderator, Project administrator)
Joined: 16 Jun 04
Posts: 4461
Credit: 2,094,806
RAC: 0
Message 14234 - Posted: 27 Dec 2015, 16:36:55 UTC

Hehe nope, not yet - got hit by a severe case of Xmas and New Year's holiday celebrations, will probably recover by 4th of Jan
