I would really appreciate it if you provide the option (if not actually force) a secure connection for the entering/transmitting of passwords.

---

HTTPS has been added to BOINC Manager recently, and a couple of projects support it for various things. More will probably do so later.

But I have to ask - who cares? What can someone do who gets your project password? Change your preferences, I suppose, or change your password (which you could easily recover with 'lost my password'), or possibly even "hijack" your account, which could be corrected by notifying the project that someone had done so. Basically cause you some trouble, but that's about it. They can't use that password to access anything on your computer, it's a one-way "to the server" path.

---

HTTPS has been added to BOINC Manager recently, and a couple of projects support it for various things. More will probably do so later.

First - It's more than the BOINC Manager; any projects website does not support https. Perhaps I was misinformed, but I was told that it isn't up to the projects, it is a BOINC issue.

But I have to ask - who cares?

Second - uh, I do. (thought that was obvious). It is just good practice for passwords to be sent encrypted.

What can someone do who gets your project password? Change your preferences, I suppose, or change your password (which you could easily recover with 'lost my password'), or possibly even "hijack" your account, which could be corrected by notifying the project that someone had done so. Basically cause you some trouble, but that's about it. They can't use that password to access anything on your computer, it's a one-way "to the server" path.

Third - Using this reasoning why have passwords for this at all? Why not just use your e-mail address?

What can someone do who gets your e-mail address? Change your preferences, I suppose, or change your e-mail address / "hijack" your account, which could be corrected by notifying the project that someone had done so. Basically cause you some trouble, but that's about it.

Fourth - Though it is not a good idea many people use a password for multiple accounts (accessing e-mail, logging on to their computer, accessing bank accounts, etc.).

---

First - It's more than the BOINC Manager; any projects website does not support https. Perhaps I was misinformed, but I was told that it isn't up to the projects, it is a BOINC issue.

Well, the person at CPDN may not be aware of every project out there, or be watching the code stream for BOINC. But a Japanese BOINC project had some requirement for using HTTPS, and was having to create their own version of the BOINC client to do that, then redo the changes with each new BOINC release. So the support for HTTPS was added to the standard client in V5. (Maybe 4.72? I don't remember, would have to go look.) There is also another project that is not "public" yet, that I know next-to-nothing about, that I've been told is using HTTPS for every transaction with their servers.

I _personally_ don't see it as a high-priority issue, but I certainly wouldn't fight _against_ it if every project started being more careful with the passwords. If it's a high priority item to you, you're doing exactly the right thing, bringing it up both here and at the projects that would need to support it.

You can get more information on when/what has already been done from the developer mailing list archives available on this site, or from the "checkin notes" for each change that is made, also available here.

EDIT:: Off-topic stupid question, from backtracking your CPDN thread reference... how on earth do you have SIX CPDN Sulphur WUs on one PC??? I certainly hope 4 of those are "ghosts"...

---

Well, the person at CPDN may not be aware of every project out there, or be watching the code stream for BOINC. But a Japanese BOINC project had some requirement for using HTTPS, and was having to create their own version of the BOINC client to do that, then redo the changes with each new BOINC release. So the support for HTTPS was added to the standard client in V5.

I'm gald that the newest version supports https. It would still be nice if it required https.

EDIT:: Off-topic stupid question, from backtracking your CPDN thread reference... how on earth do you have SIX CPDN Sulphur WUs on one PC??? I certainly hope 4 of those are "ghosts"...

Where do you see that I have SIX CPDN Sulphur WUs on one PC?

---

Where do you see that I have SIX CPDN Sulphur WUs on one PC?

here

---

I'm gald that the newest version supports https. It would still be nice if it required https.

If this is a big issue for you, you may wish to search for, and run, only those projects that do use https for all transactions.

Then let the projects know that this is an issue for you. But, it is not likely that this will change anytime in the near term as the risks are low. Though, the use of https is now being used in the latest versions for more actions, and I do believe with the 5.x versions now all password transactions *ARE* done with https ...

---

you could always use

netstat

in windows, and look for boinc using "HTTPS" or port 433
or use a packet sniffer to see exactly what it's doing

but there are drawbacks for HTTPS, it's not cacheable, a proxy won't store any HTTPS data, thus the benifits are lost and things will appear to be much slower using HTTPS rather than HTTP