Thread 'Passwords & Security'

Message boards : Web interfaces : Passwords & Security
post
Joined: 20 Dec 05
Posts: 6
United States
Message 2110 - Posted: 20 Dec 2005, 13:41:52 UTC

I would really appreciate it if you provide the option (if not actually force) a secure connection for the entering/transmitting of passwords.

Bill Michael
Joined: 30 Aug 05
Posts: 297
Message 2113 - Posted: 20 Dec 2005, 13:54:57 UTC

HTTPS has been added to BOINC Manager recently, and a couple of projects support it for various things. More will probably do so later.

But I have to ask - who cares? What can someone do who gets your project password? Change your preferences, I suppose, or change your password (which you could easily recover with 'lost my password'), or possibly even "hijack" your account, which could be corrected by notifying the project that someone had done so. Basically cause you some trouble, but that's about it. They can't use that password to access anything on your computer, it's a one-way "to the server" path.

post
Joined: 20 Dec 05
Posts: 6
United States
Message 2115 - Posted: 20 Dec 2005, 14:26:36 UTC - in response to Message 2113.  

> HTTPS has been added to BOINC Manager recently, and a couple of projects support it for various things. More will probably do so later.

First - It's more than the BOINC Manager; no project's website supports https. Perhaps I was misinformed, but I was told that it isn't up to the projects, it is a BOINC issue.

> But I have to ask - who cares?

Second - uh, I do. (I thought that was obvious.) It is just good practice for passwords to be sent encrypted.

> What can someone do who gets your project password? Change your preferences, I suppose, or change your password (which you could easily recover with 'lost my password'), or possibly even "hijack" your account, which could be corrected by notifying the project that someone had done so. Basically cause you some trouble, but that's about it. They can't use that password to access anything on your computer, it's a one-way "to the server" path.

Third - Using this reasoning, why have passwords for this at all? Why not just use your e-mail address?

What can someone do who gets your e-mail address? Change your preferences, I suppose, or change your e-mail address / "hijack" your account, which could be corrected by notifying the project that someone had done so. Basically cause you some trouble, but that's about it.

Fourth - Though it is not a good idea, many people use one password for multiple accounts (accessing e-mail, logging on to their computer, accessing bank accounts, etc.).


Bill Michael
Joined: 30 Aug 05
Posts: 297
Message 2117 - Posted: 20 Dec 2005, 14:45:54 UTC - in response to Message 2115.  
Last modified: 20 Dec 2005, 14:51:28 UTC

> First - It's more than the BOINC Manager; no project's website supports https. Perhaps I was misinformed, but I was told that it isn't up to the projects, it is a BOINC issue.

Well, the person at CPDN may not be aware of every project out there, or be watching the code stream for BOINC. But a Japanese BOINC project had some requirement for using HTTPS, and was having to create their own version of the BOINC client to do that, then redo the changes with each new BOINC release. So the support for HTTPS was added to the standard client in V5. (Maybe 4.72? I don't remember, would have to go look.) There is also another project that is not "public" yet, that I know next-to-nothing about, that I've been told is using HTTPS for every transaction with their servers.

I _personally_ don't see it as a high-priority issue, but I certainly wouldn't fight _against_ it if every project started being more careful with the passwords. If it's a high priority item to you, you're doing exactly the right thing, bringing it up both here and at the projects that would need to support it.

You can get more information on when/what has already been done from the developer mailing list archives available on this site, or from the "checkin notes" for each change that is made, also available here.

EDIT:: Off-topic stupid question, from backtracking your CPDN thread reference... how on earth do you have SIX CPDN Sulphur WUs on one PC??? I certainly hope 4 of those are "ghosts"...

post
Joined: 20 Dec 05
Posts: 6
United States
Message 2119 - Posted: 20 Dec 2005, 15:09:08 UTC - in response to Message 2117.  


> Well, the person at CPDN may not be aware of every project out there, or be watching the code stream for BOINC. But a Japanese BOINC project had some requirement for using HTTPS, and was having to create their own version of the BOINC client to do that, then redo the changes with each new BOINC release. So the support for HTTPS was added to the standard client in V5.

I'm glad that the newest version supports https. It would still be nice if it required https.


> EDIT:: Off-topic stupid question, from backtracking your CPDN thread reference... how on earth do you have SIX CPDN Sulphur WUs on one PC??? I certainly hope 4 of those are "ghosts"...

Where do you see that I have SIX CPDN Sulphur WUs on one PC?

Bill Michael
Joined: 30 Aug 05
Posts: 297
Message 2121 - Posted: 20 Dec 2005, 15:19:52 UTC - in response to Message 2119.  

> Where do you see that I have SIX CPDN Sulphur WUs on one PC?

here

Paul D. Buck
Joined: 29 Aug 05
Posts: 225
Message 2128 - Posted: 20 Dec 2005, 16:18:07 UTC - in response to Message 2119.  

> I'm glad that the newest version supports https. It would still be nice if it required https.

If this is a big issue for you, you may wish to search for, and run, only those projects that do use https for all transactions.

Then let the projects know that this is an issue for you. But it is not likely that this will change anytime in the near term, as the risks are low. Though https is now used in the latest versions for more actions, and I do believe that with the 5.x versions all password transactions *ARE* now done with https ...

Lee Carre
Joined: 8 Sep 05
Posts: 74
Channel Islands
Message 2171 - Posted: 22 Dec 2005, 18:17:16 UTC

You could always use netstat in Windows and look for BOINC using "HTTPS" or port 443, or use a packet sniffer to see exactly what it's doing.

But there are drawbacks to HTTPS: it's not cacheable, a proxy won't store any HTTPS data, so the benefits are lost and things will appear to be much slower using HTTPS rather than HTTP.
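Lee Carre's netstat suggestion, as an added example that is not part of this thread or of BOINC itself: a POSIX shell snippet that post-processes output in the layout of Windows `netstat -ano` (protocol, local address, foreign address, state, PID) and classifies a given PID's established connections by remote port. The netstat lines, PIDs and addresses below are constructed for the example; port 443 stands for HTTPS and port 80 for plaintext HTTP.

```shell
#!/bin/sh
# Added example, not code from the thread or from the BOINC project.
# Input: text in the layout of Windows "netstat -ano":
#   Proto  Local Address  Foreign Address  State  PID
# The sample below is constructed; 4120 and 2288 are made-up PIDs.
SAMPLE_NETSTAT='  TCP    192.168.1.10:49731     203.0.113.5:443        ESTABLISHED     4120
  TCP    192.168.1.10:49732     203.0.113.5:80         ESTABLISHED     4120
  TCP    192.168.1.10:49733     198.51.100.9:80        TIME_WAIT       0
  TCP    127.0.0.1:31416        127.0.0.1:49800        ESTABLISHED     4120
  TCP    192.168.1.10:49740     203.0.113.7:443        ESTABLISHED     2288'

# count_port PID PORT
# Number of ESTABLISHED TCP connections owned by PID whose remote port is PORT.
# The remote port is the last colon-separated field of the foreign address,
# so IPv6 addresses such as [::1]:443 are handled the same way.
count_port() {
    pid="$1"; port="$2"
    printf '%s\n' "$SAMPLE_NETSTAT" | awk -v pid="$pid" -v port="$port" '
        $1 == "TCP" && $4 == "ESTABLISHED" && $5 == pid {
            n = split($3, a, ":")
            if (a[n] == port) c++
        }
        END { print c + 0 }'
}

# classify PID
# Prints one of: https-only, mixed, plaintext-only, none.
# "mixed" is the interesting case: the process reaches the same kind of
# server over both 443 and 80, so some of its traffic is in the clear.
classify() {
    pid="$1"
    https=$(count_port "$pid" 443)
    http=$(count_port "$pid" 80)
    if [ "$https" -gt 0 ] && [ "$http" -eq 0 ]; then
        echo https-only
    elif [ "$https" -gt 0 ]; then
        echo mixed
    elif [ "$http" -gt 0 ]; then
        echo plaintext-only
    else
        echo none
    fi
}

# Stand-alone run: report each PID seen in the sample.
for p in 4120 2288; do
    printf 'PID %s: %s\n' "$p" "$(classify "$p")"
done
```

For the constructed sample, `classify 4120` prints `mixed` and `classify 2288` prints `https-only`. A port number is only a hint: a packet sniffer, as the post says, is what shows whether the bytes on the wire are actually a TLS handshake or a plaintext HTTP POST carrying a password. On Windows, `netstat -ano` supplies the PID column the script keys on, and `netstat -b` (run as administrator) prints the executable name next to each connection, which is how you tie a row to the BOINC client rather than to a browser.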


Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.