Message boards : Questions and problems : Project SSL Certifications
Author: Joined 13 Aug 15, Posts: 63

I was compiling a list of projects and figured it'd be interesting to scan the SSL certificates of all (most) BOINC projects. Projects with F/T gradings or no SSL support at all need to step their game up ASAP. I used letsencrypt on my own website & received an A+ rating. It was free and took an hour max to set up. https://letsencrypt.org/

Highest rated projects (A):
- YOYO: https://www.ssllabs.com/ssltest/analyze.html?d=www.rechenkraft.net
- YAFU: https://www.ssllabs.com/ssltest/analyze.html?d=yafu.myfirewall.org
- Moowrap: https://www.ssllabs.com/ssltest/analyze.html?d=moowrap.net
- Milkyway@Home: https://www.ssllabs.com/ssltest/analyze.html?d=milkyway.cs.rpi.edu

2nd highest (A-):
- BURP (A for IPv4, No SSL for IPv6?): https://www.ssllabs.com/ssltest/analyze.html?d=burp.renderfarming.net
- World Community Grid: https://www.ssllabs.com/ssltest/analyze.html?d=www.worldcommunitygrid.org
- Asteroids@Home: https://www.ssllabs.com/ssltest/analyze.html?d=asteroidsathome.net

3rd place (B):
- PrimeGrid: https://www.ssllabs.com/ssltest/analyze.html?d=www.primegrid.com
- SETI@Home: https://www.ssllabs.com/ssltest/analyze.html?d=setiathome.berkeley.edu
- Mindmodeling: https://www.ssllabs.com/ssltest/analyze.html?d=mindmodeling.org
- edit: https://boinc.berkeley.edu : https://www.ssllabs.com/ssltest/analyze.html?d=boinc.berkeley.edu

Taking a turn for the worse (C):
- GPUGRID: https://www.ssllabs.com/ssltest/analyze.html?d=www.gpugrid.net
- Rosetta@Home: https://www.ssllabs.com/ssltest/analyze.html?d=boinc.bakerlab.org
- Skynet Pogs: https://www.ssllabs.com/ssltest/analyze.html?d=pogs.theskynet.org

Failure (F):
- Collatz: https://www.ssllabs.com/ssltest/analyze.html?d=boinc.thesonntags.com

Broken/Misconfigured tier (T):
- Distributed data mining: https://www.ssllabs.com/ssltest/analyze.html?d=www.distributeddatamining.org
- LHC@Home Classic: https://www.ssllabs.com/ssltest/analyze.html?d=lhcathomeclassic.cern.ch
- Leiden@Home: https://www.ssllabs.com/ssltest/analyze.html?d=boinc.gorlaeus.net
- vLHC: https://www.ssllabs.com/ssltest/analyze.html?d=lhcathome2.cern.ch
- Malariacontrol: https://www.ssllabs.com/ssltest/analyze.html?d=www.malariacontrol.net
- NumbersField: https://www.ssllabs.com/ssltest/analyze.html?d=numberfields.asu.edu
- Atlas@Home: https://www.ssllabs.com/ssltest/analyze.html?d=atlasathome.cern.ch

NO SSL SUPPORT:
- Gridcoin Finance: https://www.ssllabs.com/ssltest/analyze.html?d=finance.gridcoin.us
- POEM@Home: https://www.ssllabs.com/ssltest/analyze.html?viaform=on&d=https%3A%2F%2Fboinc.fzk.de
- Einstein@Home: https://www.ssllabs.com/ssltest/analyze.html?d=einstein.phys.uwm.edu
- CSG: https://www.ssllabs.com/ssltest/analyze.html?d=csgrid.org
- Find@Home: https://www.ssllabs.com/ssltest/analyze.html?d=findah.ucd.ie
- Cosmology@Home: https://www.ssllabs.com/ssltest/analyze.html?d=www.cosmologyathome.org
- Enigma@Home: https://www.ssllabs.com/ssltest/analyze.html?d=www.enigmaathome.net
- BitcoinUtopia: https://www.ssllabs.com/ssltest/analyze.html?d=www.bitcoinutopia.net
- SAT@Home: https://www.ssllabs.com/ssltest/analyze.html?d=sat.isa.ru
Author: Joined 30 May 15, Posts: 265

> I was compiling a list of projects and figured it'd be interesting to scan the SSL certificates of all (most) BOINC projects.

... and if they don't, what exactly will happen? If you really want to be helpful, post it in each forum.

> I used letsencrypt on my own website & received an A+ rating. It was free and took an hour max to setup. https://letsencrypt.org/

Ah yes, they have been in the news lately. Misuse of letsencrypt

When you say no SSL support, what exactly do you mean, as I know at least one of these does support SSL as I know it. I suggest you check again.
Author: Joined 13 Aug 15, Posts: 63

> I was compiling a list of projects and figured it'd be interesting to scan the SSL certificates of all (most) BOINC projects.

Sorry, I didn't mean for that to sound like a threat/ultimatum if it came across that way. What will happen though is that they will continue to risk BOINC users' credentials to MITM attacks. The projects with T gradings have invalid certs (negating their purpose), the projects without SSL are sending user credentials plain text over the internet, and the project with the F rating (Collatz) is publicly vulnerable to both the POODLE attack and the OpenSSL CCS vulnerability (CVE-2014-0224). You're right, this is a problem solved on an individual project basis - I'll post to project message boards. I'll update this thread with progress & links. The fact that the issue is so widespread is however a BOINC-wide issue. If you log in to these projects on public WiFi, someone could easily intercept your plaintext credentials using Wireshark. If you use BAM! or another account manager you're likely using the same password for all BOINC accounts & thus 30+ accounts would be compromised instead of 1.

Criminals use a lot of tools that serve legitimate purposes; should we not use encryption tools at all due to negative association? The article you linked to made a good point: "However, Aas said the certificate ecosystem is not the appropriate mechanism for policing phishing and malware on the Web. CAs do not have sufficient ongoing visibility into sites' content, whereas organizations such as Google and Microsoft have infrastructure in place to identify and analyze every piece of content. "The fight against phishing and malware content is an important one, but it does not make sense for CAs to be on the front lines, at least when it comes to DV certificates," Aas wrote in a blog post back in October." Letsencrypt creates only the very basic padlock icon; the paid CAs can issue the large green bar certificates for extra verification/prevention against phishing. There are some very large companies sponsoring the project whom I respect. I doubt that using letsencrypt would affect BOINC's image worse than not utilizing SSL in the first place.

Ah, I made a mistake with Einstein@Home https://www.ssllabs.com/ssltest/analyze.html?d=einstein.phys.uwm.edu It actually has an 'A' certificate, apologies. It's annoying that you can't edit posts after an hour; that mistake is forever locked in place (unless a mod can move it to the A category for me?).

The other projects:
- Gridcoin Finance: https://www.ssllabs.com/ssltest/analyze.html?d=finance.gridcoin.us
- POEM@Home: https://www.ssllabs.com/ssltest/analyze.html?viaform=on&d=https%3A%2F%2Fboinc.fzk.de
- CSG: https://www.ssllabs.com/ssltest/analyze.html?d=csgrid.org
- Find@Home: https://www.ssllabs.com/ssltest/analyze.html?d=findah.ucd.ie
- Cosmology@Home: https://www.ssllabs.com/ssltest/analyze.html?d=www.cosmologyathome.org
- Enigma@Home: https://www.ssllabs.com/ssltest/analyze.html?d=www.enigmaathome.net
- BitcoinUtopia: https://www.ssllabs.com/ssltest/analyze.html?d=www.bitcoinutopia.net
- SAT@Home: https://www.ssllabs.com/ssltest/analyze.html?d=sat.isa.ru

The above all return "Assessment failed: Unable to connect to the server" through ssllabs.com, and when you try to manually verify using the browser it returns "This site can't be reached csgrid.org refused to connect. ERR_CONNECTION_REFUSED". https://www.wormly.com/test_ssl/h/sat.isa.ru/i/83.149.248.46/p/443 returns "Failed to connect to an HTTPS server at 83.149.248.46:443". https://sslanalyzer.comodoca.com/?url=https%3A%2F%2Fsat.isa.ru returns "Error -16: Connection refused". Users using "HTTPS Everywhere" may be prevented from navigating to these projects if they avoid unencrypted HTTP traffic.
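The post above separates three outcomes: nothing listening on 443 at all ("NO SSL SUPPORT"), a listener whose certificate does not verify ("T"), and a clean handshake. The script below is an added example, not code from the thread or from any BOINC project, that reproduces that triage for a list of hosts using only the Python standard library; the host names in `HOSTS` are constructed placeholders, and the tier labels are modelled on the thread's wording rather than on the SSL Labs grading.

```python
"""Stdlib-only HTTPS reachability and certificate check for a list of hosts.

Added example (not from the thread). It sorts hosts into the three classes the
post describes: no HTTPS listener, a listener whose certificate or handshake
fails verification, and a verified TLS connection.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed placeholder host names; replace with the project hosts you run.
HOSTS = ["project-a.example", "project-b.example"]


@dataclass
class TlsResult:
    host: str
    reachable: bool               # TCP connection to the port succeeded
    cert_valid: Optional[bool]    # chain and hostname verification passed
    protocol: Optional[str]       # negotiated protocol, e.g. "TLSv1.3"
    error: Optional[str] = None   # error text for the step that failed


def check_host(host: str, port: int = 443, timeout: float = 5.0) -> TlsResult:
    """Connect, then run a verified TLS handshake against the platform trust store.

    ssl.create_default_context() verifies the chain and the hostname and refuses
    SSLv2/SSLv3 (and, on current Python, anything below TLS 1.2), so a server
    that only speaks legacy protocols surfaces as a handshake error here.
    """
    ctx = ssl.create_default_context()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:            # refused, timeout, no route, DNS failure
        return TlsResult(host, False, None, None, str(exc))
    with sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return TlsResult(host, True, True, tls.version())
        except ssl.SSLCertVerificationError as exc:   # expired, wrong name, untrusted CA
            return TlsResult(host, True, False, None, f"cert: {exc.verify_message}")
        except ssl.SSLError as exc:                   # protocol/cipher mismatch, not TLS at all
            return TlsResult(host, True, False, None, f"handshake: {exc}")
        except OSError as exc:                        # peer reset the connection mid-handshake
            return TlsResult(host, True, False, None, f"handshake: {exc}")


def classify(result: TlsResult) -> str:
    """Map a result onto labels modelled on the thread's tiers (constructed here)."""
    if not result.reachable:
        return "NO SSL SUPPORT"   # nothing answering on the HTTPS port
    if not result.cert_valid:
        return "T (invalid certificate / failed handshake)"
    return f"OK (verified TLS, {result.protocol})"


def scan(hosts: Iterable[str], port: int = 443, timeout: float = 5.0) -> Dict[str, str]:
    """Check every host and return {host: label}."""
    return {h: classify(check_host(h, port, timeout)) for h in hosts}


if __name__ == "__main__":
    for host, label in scan(HOSTS).items():
        print(f"{host:40s} {label}")
```

The check is deliberately strict in the same direction a browser is: a self-signed or expired certificate, a name mismatch, or a server that only offers SSLv3 all land in the "T" bucket, which is the condition the post calls "negating their purpose". Run it on a schedule against your own project hosts to catch a certificate that expires quietly; the separate `error` field tells you which of those causes applied.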
Author: Joined 29 Aug 05, Posts: 15633

> It's annoying that you can't edit posts after an hour, that mistake is forever locked in place (unless a mod can move it to the A category for me?).

The one hour to edit your post rule was put in after nefarious people went and changed their posts on forums after the fact, to implicate that others they didn't like had said certain things they never had, etc. etc. Moderators and administrators are exempt from that rule, as we're supposed to be unbiased and here for the forums, not for ourselves or our wars with others. Moderators can only edit their own posts after that hour. Moderators cannot edit posts made by other people.

Edit: I did forward your thread to David. Perhaps he feels something has to be done about it.
Author: Joined 13 Aug 15, Posts: 63

Ask and ye shall receive! Some of the projects were inaccessible today, and a couple require a min RAC before allowing posting - could maybe email the project admins but I've spent an hour on this already lol.

No SSL:
- http://csgrid.org/csg/forum_thread.php?id=2246#6218
- https://cryptocointalk.com/topic/11357-gridcoin-finance-project/page-20#entry213962
- http://sat.isa.ru/pdsat/forum_thread.php?id=549
- http://www.bitcoinutopia.net/bitcoinutopia/forum_thread.php?id=1051
- http://www.enigmaathome.net/forum_thread.php?id=787
- http://findah.ucd.ie/forum_thread.php?id=295
- (Was unable to reach poem@home - it's down again.)

F ranking:
- http://boinc.thesonntags.com/collatz/forum_thread.php?id=1226&postid=22305#22305

T rankings:
- Unable to post to distributed data mining (needs a min RAC).
- Numbersfield looks down.
- http://www.malariacontrol.net/forum_thread.php?id=1469
- http://boinc.gorlaeus.net/forum_thread.php?id=516
- http://atlasathome.cern.ch/forum_thread.php?id=487#4060
- http://lhcathome2.cern.ch/vLHCathome/forum_thread.php?id=1794#20276
- Unable to post to lhcathomeclassic (needs a min RAC).

C rankings:
- https://boinc.bakerlab.org/rosetta/forum_thread.php?id=6823#79952
- http://pogs.theskynet.org/pogs/forum_thread.php?id=703#4871
- https://www.gpugrid.net/forum_thread.php?id=4296
Author: Joined 13 Aug 15, Posts: 63

*bump* Many of these projects have yet to respond to the SSL threads. Several of these projects may be up for removal from the Gridcoin whitelist: https://cryptocointalk.com/topic/29841-discussion-boinc-whitelist-monitoring/page-32#entry220005
Copyright © 2025 University of California.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License,
Version 1.2 or any later version published by the Free Software Foundation.