HTTPS/SSL certificate updated
Author | Message |
---|---|
Volunteer moderator, Project administrator (Joined: 16 Jun 04, Posts: 4574, Credit: 2,100,463, RAC: 8) |
We've updated the server's SSL certificate. You can now experimentally access BURP over an encrypted connection by using this URL: https://burp.renderfarming.net Please try it out and throw a post in this thread if you have any issues with the secure site in your favourite browser. Eventually we may switch to use https for all logged in users. |
Volunteer moderator, Project administrator (Joined: 16 Jun 04, Posts: 4574, Credit: 2,100,463, RAC: 8) |
Our SSL certificate has been updated |
funkydude (Joined: 23 Dec 13, Posts: 275, Credit: 2,478,281, RAC: 0) |
All the things currently wrong:
- You updated the certificate but used SHA1, which is being phased out as it's considered insecure. You should consider updating again using SHA256. Article: https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know
- The front page has mixed http content.
- You don't have a cypher priority, or the list is flawed.
- You have insecure cyphers as an option that should be removed, e.g. TLS_ECDH_anon_* and TLS_RSA_WITH_DES_CBC_SHA.
- You have SSL3 enabled, making SSL downgrade attacks more effective. |
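As an added example (not code from this thread, from BURP or from BOINC), here is an offline linter for the kind of cipher-suite and protocol list the post above criticises. It works on IANA suite names and on protocol labels as a server config would list them; the sample list is constructed for the example and includes the two suites named above. It goes slightly beyond the post by also ranking the surviving suites into a server-side preference order and flagging suites without forward secrecy.

```python
"""Offline audit of a TLS configuration given as IANA cipher-suite names
and enabled protocol versions.  Added example, not BURP project code."""
import re

# Suites that must not be offered at all, with the reason.  The two named in
# the thread (TLS_ECDH_anon_* and TLS_RSA_WITH_DES_CBC_SHA) hit rules 1 and 4.
REJECT_RULES = (
    (re.compile(r"_anon_"),         "anonymous key exchange: no server authentication, trivial active MITM"),
    (re.compile(r"_WITH_NULL_"),    "NULL cipher: no confidentiality"),
    (re.compile(r"_EXPORT"),        "export-grade (40/56-bit) key sizes"),
    (re.compile(r"_WITH_DES_CBC_"), "single DES, 56-bit key"),
    (re.compile(r"_RC4_"),          "RC4: biased keystream (RFC 7465 prohibits it)"),
    (re.compile(r"_MD5$"),          "HMAC-MD5 integrity"),
)

# Protocol versions that must be disabled, with the reason.  The TLS 1.0/1.1
# entries reflect today's guidance, not the 2014 state of the thread.
REJECT_PROTOCOLS = {
    "SSLv2":   "prohibited by RFC 6176",
    "SSLv3":   "POODLE (CVE-2014-3566), prohibited by RFC 7568; offering it is what makes a downgrade attack pay off",
    "TLSv1":   "deprecated by RFC 8996",
    "TLSv1.1": "deprecated by RFC 8996",
}


def audit_cipher_suites(suites):
    """Map each offered suite that must be removed to the reason."""
    findings = {}
    for suite in suites:
        for pattern, reason in REJECT_RULES:
            if pattern.search(suite):
                findings[suite] = reason
                break
    return findings


def lacks_forward_secrecy(suite):
    """True for static RSA/DH/ECDH key exchange: one leaked server key
    decrypts every recorded session, unlike ephemeral (EC)DHE."""
    return suite.startswith(("TLS_RSA_WITH_", "TLS_DH_RSA_", "TLS_DH_DSS_",
                             "TLS_ECDH_RSA_", "TLS_ECDH_ECDSA_"))


def _preference_key(suite):
    # Lower sorts first: ephemeral ECDHE, then DHE, then static key exchange;
    # AEAD (GCM/ChaCha20) before CBC+HMAC; 256-bit before 128-bit.
    kex = 0 if suite.startswith("TLS_ECDHE_") else 1 if suite.startswith("TLS_DHE_") else 2
    aead = 0 if ("_GCM_" in suite or "_CHACHA20_" in suite) else 1
    bits = 0 if "_256_" in suite else 1
    return (kex, aead, bits, suite)


def preferred_order(suites):
    """The list to configure server-side, in the order the server should
    prefer it (with the server told to honour its own order rather than the
    client's); rejected suites are dropped first."""
    rejected = audit_cipher_suites(suites)
    return sorted((s for s in suites if s not in rejected), key=_preference_key)


def audit_protocols(enabled):
    """Map each enabled protocol version that must be turned off to the reason."""
    return {p: REJECT_PROTOCOLS[p] for p in enabled if p in REJECT_PROTOCOLS}


# Constructed sample, modelled on the kind of list criticised in the thread.
SAMPLE_SUITES = [
    "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_DES_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
SAMPLE_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.2"]

if __name__ == "__main__":
    for suite, why in audit_cipher_suites(SAMPLE_SUITES).items():
        print(f"REMOVE  {suite}: {why}")
    for suite in preferred_order(SAMPLE_SUITES):
        flag = "  (no forward secrecy)" if lacks_forward_secrecy(suite) else ""
        print(f"KEEP    {suite}{flag}")
    for proto, why in audit_protocols(SAMPLE_PROTOCOLS).items():
        print(f"DISABLE {proto}: {why}")
```

The output maps onto the usual server directives: the rejected protocols become `SSLProtocol all -SSLv2 -SSLv3` in Apache (or `ssl_protocols` in nginx), the ordered list becomes the cipher string with `SSLHonorCipherOrder on` (`ssl_prefer_server_ciphers on`) so the server, not the client, decides. Apache and nginx take OpenSSL names rather than IANA ones (for example `ECDHE-RSA-AES256-GCM-SHA384`), so translate the list before pasting it.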
funkydude (Joined: 23 Dec 13, Posts: 275, Credit: 2,478,281, RAC: 0) |
Another flaw: The login page seems hardcoded to redirect to the HTTP version of the website. So if you navigate to the HTTPS version via a bookmark, log in, then you'll be forwarded to an insecure page. I realize this isn't high priority but these things should be on the to-do. The cypher list change is really easy though, just follow the guide I linked, 5 minutes and done. |
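One way to build the post-login redirect so it cannot drop a user from HTTPS back to HTTP, as an added example that is not code from the thread, from BURP or from BOINC. The page paths and host are illustrative assumptions; the helper also shows why such redirects often end up hardcoded to http in the first place (a TLS-terminating proxy in front of the application) and refuses off-host targets as a matter of course.

```python
"""Scheme-preserving post-login redirect.  Added example; the application
URLs are made up, and this is not BURP's or BOINC's code."""
from urllib.parse import urljoin, urlsplit, urlunsplit


def request_scheme(socket_scheme, forwarded_proto=None, trust_proxy=False):
    """Scheme the client actually used.  Behind a TLS-terminating reverse
    proxy the application sees plain http, one common reason redirects get
    built (or hardcoded) as http; trust X-Forwarded-Proto only when a proxy
    you control sets it, otherwise any client could claim https."""
    if trust_proxy and forwarded_proto in ("http", "https"):
        return forwarded_proto
    return socket_scheme


def same_host(request_url, target):
    """True when `target` (path or absolute URL) stays on the request's host."""
    req = urlsplit(request_url)
    tgt = urlsplit(urljoin(request_url, target))
    return tgt.netloc == req.netloc


def post_login_redirect(request_url, target):
    """Location header for the post-login redirect.

    request_url: absolute URL of the login request as the client used it
                 (scheme from request_scheme()).
    target:      configured destination, a path or an absolute URL.
    Never downgrades an https request to http, and refuses off-host targets
    so the login form cannot be used to bounce users to another site."""
    if not same_host(request_url, target):
        raise ValueError(f"refusing redirect off-host: {target!r}")
    req = urlsplit(request_url)
    tgt = urlsplit(urljoin(request_url, target))
    # An http request may be upgraded; an https request is never downgraded.
    scheme = "https" if "https" in (req.scheme, tgt.scheme) else req.scheme
    return urlunsplit((scheme, req.netloc, tgt.path or "/", tgt.query, tgt.fragment))


if __name__ == "__main__":
    # The bug from the thread: https login, destination hardcoded as http.
    print(post_login_redirect("https://burp.renderfarming.net/login.php",
                              "http://burp.renderfarming.net/home.php"))
```

The cleaner long-term fix is the one the first post hints at: serve everything over HTTPS, redirect http to https at the web server, and send a `Strict-Transport-Security` header so browsers stop following http links on the site at all; then a stray http link in a template is a cosmetic bug rather than a plaintext session.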
Volunteer moderator, Project administrator (Joined: 16 Jun 04, Posts: 4574, Credit: 2,100,463, RAC: 8) |
> You updated the certificate but used SHA1 which is being phased out as it's considered insecure. You should consider updating again using SHA256. Article: https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know
Noted for 2015 cert upgrade.
> The front page has mixed http content.
Not just the frontpage - there is a bunch of BOINC related issues with regard to icons etc. This is something that is on the radar and a patch will be sent upstream once it is sorted out.
> You don't have a cypher priority, or the list is flawed.
Indeed, thanks for the heads-up! This was hopefully fixed about an hour ago. There is no point in allowing people to negotiate an unsafe cipher - then they may as well use HTTP.
> The login page seems hardcoded to redirect to the HTTP version of the website. So if you navigate to the HTTPS version via a bookmark, log in, then you'll be forwarded to an insecure page.
Noted |
funkydude (Joined: 23 Dec 13, Posts: 275, Credit: 2,478,281, RAC: 0) |
Nice! |
funkydude (Joined: 23 Dec 13, Posts: 275, Credit: 2,478,281, RAC: 0) |
Is it intended that when I try to connect the project in the BOINC client using the https link that it seems to fall back to http? |
Volunteer moderator, Project administrator (Joined: 16 Jun 04, Posts: 4574, Credit: 2,100,463, RAC: 8) |
Yes, although the plan is to eventually support both |
funkydude (Joined: 23 Dec 13, Posts: 275, Credit: 2,478,281, RAC: 0) |
> Yes, although the plan is to eventually support both
What is it that needs changed to be able to support it? I'm using it for other projects without issues. I thought it was a simple case of just having your server support TLS connections. |
Volunteer moderator, Project administrator (Joined: 16 Jun 04, Posts: 4574, Credit: 2,100,463, RAC: 8) |
The server certificate was updated; this time with slightly stronger keys. More SSL experiments coming up in the next year or so - in particular the part of the frontend that handles the BOINC connections should now be compatible with encrypted connections, they are just not turned on yet. |
funkydude (Joined: 23 Dec 13, Posts: 275, Credit: 2,478,281, RAC: 0) |
> The server certificate was updated; this time with slightly stronger keys.
Do you know if we will need to re-add the project in BOINC when this is enabled? |
Volunteer moderator, Project administrator (Joined: 16 Jun 04, Posts: 4574, Credit: 2,100,463, RAC: 8) |
You can but it will not be necessary. The status on that is that encrypted scheduler requests have now been enabled for a small group of test users. If you want to be part of the early tests (now) then you can find the file called "client_state.xml" in your BOINC directory. Stop BOINC, open the file and add an "s" to "http" in the scheduler URL for BURP. Ask BOINC to restart. This encrypts scheduler requests.
For now (and until https is enabled on everything for everyone) you will get this notice if you also change the master URL in "account_burp.renderfarming.net.xml":
    24-11-2015 16:22:27 | BURP | You used the wrong URL for this project. When convenient, remove this project, then add http://burp.renderfarming.net/
If you don't like that notice you can skip that part. If you do both then data is encrypted on everything but file downloads (which are publicly cacheable on proxies anyway and are intentionally not encrypted). Post back with any issues if you run into anything.
PS. Some of the gallery content on the site is currently not HTTPS due to the caching system being offline. |
funkydude (Joined: 23 Dec 13, Posts: 275, Credit: 2,478,281, RAC: 0) |
Will file downloads ever also be encrypted? When I clicked reply to this thread whilst browsing in https, logged in securely, I was forwarded to the http version of the site. Same thing happens when I view a project in server status and click the "frames" page. |
Volunteer moderator, Project administrator (Joined: 16 Jun 04, Posts: 4574, Credit: 2,100,463, RAC: 8) |
> Will file downloads ever also be encrypted?
No. Ever is such a strong word, though. Currently there are no intentions to do that, no. |
funkydude (Joined: 23 Dec 13, Posts: 275, Credit: 2,478,281, RAC: 0) |
Same thing when browsing to account settings and logging in. |
funkydude (Joined: 23 Dec 13, Posts: 275, Credit: 2,478,281, RAC: 0) |
Would you be able to change/fix the downloaded XML files to point to https forum links/images/etc? e.g.
- image URLs in sched_reply_burp.renderfarming.net.xml
- website links in master_burp.renderfarming.net.xml |
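As an added example serving both the client-side procedure the administrator describes a few posts up (editing the scheduler URL in client_state.xml) and the question just above (finding the remaining plain-http links in the project XML), here is a script that does the edit with an XML parser instead of by hand and audits any downloaded project file for http links. It is not code from the thread, from BURP or from BOINC. The `<project>`, `<master_url>` and `<scheduler_url>` element names follow the BOINC client_state.xml layout as I know it; the scheduler path, the `/download/` prefix, the gui_url entries and the sample files are constructed for the example.

```python
"""Upgrade a BOINC client's scheduler URL to https and audit project XML for
plain-http links.  Added example; not BURP or BOINC code."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

PROJECT_HOST = "burp.renderfarming.net"

# Constructed client_state.xml fragment: the BURP project plus an unrelated
# one that the edit must leave alone.  The scheduler path is made up.
CLIENT_STATE = """<client_state>
<project>
    <master_url>http://burp.renderfarming.net/</master_url>
    <project_name>BURP</project_name>
    <scheduler_url>http://burp.renderfarming.net/cgi-bin/scheduler</scheduler_url>
</project>
<project>
    <master_url>http://other.example.org/</master_url>
    <project_name>Other</project_name>
    <scheduler_url>http://other.example.org/cgi</scheduler_url>
</project>
</client_state>
"""

# Constructed scheduler reply: one file download (which the project says it
# keeps on http on purpose), two site links, one https link, one off-host link.
SCHED_REPLY = """<scheduler_reply>
<file_info>
    <name>scene_0001.blend</name>
    <url>http://burp.renderfarming.net/download/scene_0001.blend</url>
</file_info>
<gui_urls>
    <gui_url>
        <name>Message boards</name>
        <url>http://burp.renderfarming.net/forum_index.php</url>
    </gui_url>
    <gui_url>
        <name>Project logo</name>
        <url>http://burp.renderfarming.net/img/logo.png</url>
    </gui_url>
</gui_urls>
<notice_url>https://burp.renderfarming.net/notices.php</notice_url>
<mirror_url>http://mirror.example.org/download/scene_0001.blend</mirror_url>
</scheduler_reply>
"""


def upgrade_to_https(xml_text, host, also_master_url=False):
    """Rewrite scheduler_url (and optionally master_url) of the project whose
    master_url is on `host`.  Returns (new_xml_text, changes).  Other projects
    are untouched.  Leave also_master_url=False until the project publishes
    an https master URL, or the client will log its "wrong URL" notice."""
    root = ET.fromstring(xml_text)
    changes = []
    for proj in root.iter("project"):
        if urlsplit(proj.findtext("master_url", "")).hostname != host:
            continue
        tags = ["scheduler_url"] + (["master_url"] if also_master_url else [])
        for tag in tags:
            el = proj.find(tag)
            if el is None or not el.text:
                continue
            old = el.text.strip()
            if urlsplit(old).scheme == "http":
                new = "https://" + old[len("http://"):]
                changes.append((tag, old, new))
                el.text = new
    return ET.tostring(root, encoding="unicode"), changes


URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def audit_plain_http(text, host, download_prefixes=("/download/",)):
    """Classify every http:// URL in a downloaded project file (XML or HTML):
    'download' for paths the project intentionally serves over http,
    'upgrade' for everything else on the project host, 'other_host' for the rest.
    https URLs are ignored."""
    out = {"upgrade": [], "download": [], "other_host": []}
    for url in URL_RE.findall(text):
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue
        if parts.hostname != host:
            out["other_host"].append(url)
        elif parts.path.startswith(download_prefixes):
            out["download"].append(url)
        else:
            out["upgrade"].append(url)
    return out


if __name__ == "__main__":
    new_xml, changes = upgrade_to_https(CLIENT_STATE, PROJECT_HOST)
    for tag, old, new in changes:
        print(f"{tag}: {old} -> {new}")
    for kind, urls in audit_plain_http(SCHED_REPLY, PROJECT_HOST).items():
        for url in urls:
            print(f"{kind:10} {url}")
```

Stop the client before writing the result back over client_state.xml, as the post above says; the client rewrites that file itself and will overwrite an edit made while it runs. The audit is only a report: as the later replies note, the scheduler reply and master file are regenerated from server-side settings, so the http links in them have to be fixed on the server, not in the downloaded copies.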
Volunteer moderator, Project administrator (Joined: 16 Jun 04, Posts: 4574, Credit: 2,100,463, RAC: 8) |
Good question, some of those appear to be auto-generated but it seems they can be overridden through settings on the server. |
funkydude (Joined: 23 Dec 13, Posts: 275, Credit: 2,478,281, RAC: 0) |
A lot of the content in those XML files appears to be auto-generated, as modifying it just results in it being overwritten. Hopefully it's something you can resolve on the server. |
funkydude (Joined: 23 Dec 13, Posts: 275, Credit: 2,478,281, RAC: 0) |
Did you resolve the XML links? Hopefully you can make the HTTPS route official soon. The problem is I've updated to the latest beta of BOINC, and they've decided to make the "this project is using the wrong URL" a red warning in the event log, and a constant repeating message in the notices section. Unfortunately the current stable release of BOINC uses an old insecure version of OpenSSL, hopefully they will release a new stable version soon. But if they do, this beta phase will become annoying to more people. |
Volunteer moderator, Project administrator (Joined: 16 Jun 04, Posts: 4574, Credit: 2,100,463, RAC: 8) |
Hehe nope, not yet - got hit by a severe case of Xmas and New Year's holiday celebrations, will probably recover by 4th of Jan |