We've updated the server's SSL certificate. You can now experimentally access BURP over an encrypted connection by using this URL:
https://burp.renderfarming.net

Please try it out and throw a post in this thread if you have any issues with the secure site in your favourite browser. Eventually we may switch to use https for all logged in users.

Our SSL certificate has been updated

All the things currently wrong:

[*]You updated the certificate but used SHA1 which is being phased out as it's considered insecure. You should consider updating again using SHA256. Article: https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know
[*]The front page has mixed http content.
[*]You don't have a cypher priority, or the list is flawed.
[*]You have insecure cyphers as an option that should be removed e.g. TLS_ECDH_anon_* and TLS_RSA_WITH_DES_CBC_SHA.
[*]You have SSL3 enabled making SSL downgrade attacks more effective.

You can build a strong cypher priority by following this guide: https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
Here is a general all round guide worth reading: https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices_1.3.pdf

Overall you can see all the issues with your implementation summarized on this test page: https://www.ssllabs.com/ssltest/analyze.html?d=burp.renderfarming.net&s=78.143.110.10

Another flaw:
The login page seems hardcoded to redirect to the HTTP version of the website. So if you navigate to the HTTPS version via a bookmark, log in, then you'll be forwarded to an insecure page.

I realize this isn't high priority but these things should be on the to-do. The cypher list change is really easy though, just follow the guide I linked, 5 minutes and done.

[*]You updated the certificate but used SHA1 which is being phased out as it's considered insecure. You should consider updating again using SHA256. Article: https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know

Noted for 2015 cert upgrade

[*]The front page has mixed http content.

Not just the frontpage - there is a bunch of BOINC related issues with regard to icons etc. This is something that is on the radar and a patch will be sent upstream once it is sorted out.

[*]You don't have a cypher priority, or the list is flawed.
[*]You have insecure cyphers as an option that should be removed e.g. TLS_ECDH_anon_* and TLS_RSA_WITH_DES_CBC_SHA.
[*]You have SSL3 enabled making SSL downgrade attacks more effective.

Indeed, thanks for the heads-up! This was hopefully fixed about an hour ago. There is no point in allowing people to negotiate an unsafe cipher - then they may as well use HTTP.

The login page seems hardcoded to redirect to the HTTP version of the website. So if you navigate to the HTTPS version via a bookmark, log in, then you'll be forwarded to an insecure page.

Noted

Nice!

Is it intended that when I try to connect the project in the BOINC client using the https link that it seems to fall back to http?

Yes, although the plan is to eventually support both

Yes, although the plan is to eventually support both

What is it that needs changed to be able to support it?

I'm using it for other projects without issues. I thought it was a simple case of just having your server support TLS connections.

The server certificate was updated; this time with slightly stronger keys.

More SSL experiments coming up in the next year or so - in particular the part of the frontend that handles the BOINC connections should now be compatible with encrypted connections, they are just not turned on yet.

The server certificate was updated; this time with slightly stronger keys.

More SSL experiments coming up in the next year or so - in particular the part of the frontend that handles the BOINC connections should now be compatible with encrypted connections, they are just not turned on yet.

Do you know if we will need to re-add the project in BOINC when this is enabled?

You can but it will not be necessary.

The status on that is that encrypted scheduler requests have now been enabled for a small group of test users.

If you want to be part of the early tests (now) then you can find the file called "client_state.xml" in your BOINC directory. Stop BOINC, open the file and add an "s" to "http" in the scheduler URL for BURP. Ask BOINC to restart. This encrypts scheduler requests.

For now (and until https is enabled on everything for everyone) you will get this notice if you also change the master URL in "account_burp.renderfarming.net.xml":
24-11-2015 16:22:27 | BURP | You used the wrong URL for this project. When convenient, remove this project, then add http://burp.renderfarming.net/
If you don't like that notice you can skip that part.

If you do both then data is encrypted on everything but file downloads (which are publicly cacheable on proxies anyways and are intentionally not encrypted).

Post back with any issues if you run into anything.

ps. Some of the gallery content on the site is currently not HTTPS due to the caching system being offline.

Will file downloads ever also be encrypted?

When I clicked reply to this thread whilst browsing in https, logged in securely, I was forwarded to the http version of the site.

Same thing happens when I view a project in server status and click the "frames" page.

Will file downloads ever also be encrypted?

No. Ever is such a strong word, though. Currently there are no intentions to do that, no.

Same thing when browsing to account settings and logging in.

Would you be able to change/fix the downloaded XML files to point to https forum links/images/etc?

e.g. image URLs in sched_reply_burp.renderfarming.net.xml
website links in master_burp.renderfarming.net.xml

Good question, some of those appear to be auto-generated but it seems they can be overridden through settings on the server.

A lot of the content in those XML files appears to be auto-generated, as modifying it just results in it being overwritten. Hopefully it's something you can resolve on the server.

Did you resolve the XML links?

Hopefully you can make the HTTPS route official soon. The problem is I've updated to the latest beta of BOINC, and they've decided to make the "this project is using the wrong URL" a red warning in the event log, and a constant repeating message in the notices section.

Unfortunately the current stable release of BOINC uses an old insecure version of OpenSSL, hopefully they will release a new stable version soon. But if they do, this beta phase will become annoying to more people.

Hehe nope, not yet - got hit by a severe case of Xmas and New Year's holiday celebrations, will probably recover by 4th of Jan