Posts by Necroman

1) Message boards : Web interfaces : Any plans to upgrade BOINC website SSL algorithm away from SHA-1? (Message 75201)
Posted 11 Jan 2017 by Necroman
Post:
Thanks for updating the certificate to use SHA256 as the hashing function!
But any info about updating the SSL/TLS settings? Right now it supports some obsolete and insecure cipher suites, see my previous article:
https://boinc.berkeley.edu/dev/forum_thread.php?id=11261
2) Message boards : Questions and problems : Weak certificate and obsolete SSL/HTTPS settings on boinc.berkeley.edu, 2016 (Message 73448)
Posted 19 Oct 2016 by Necroman
Post:
Hi,

following the discussion that happened one year ago:

The website boinc.berkeley.edu still uses SHA1 domain certificate.
Certificates with SHA1 signatures are not considered secure since January 2016 and will be marked as untrusted in Chrome/Firefox/Opera starting January 2017, see this Mozilla Blogpost for details.

The TLS configuration is also obsolete and needs some tuning, especially removing support for old and insecure cipher suites is necessary.

Please make sure the web uses SHA2 domain certificate before end of this year, otherwise users won't be able to access your site.
Note you can get free trusted domain certificates from Let's Encrypt CA.

Thanks
3) Message boards : Questions and problems : Weak certificate and obsolete SSL/HTTPS settings on boinc.berkeley.edu (Message 64740)
Posted 7 Oct 2015 by Necroman
Post:
Justeminus, it only causes a panic in Chrome. Not in any of the other browser families out there. Doesn't that make you wonder why Chrome is panicking over nothing?

Not just in Chrome. In Opera it shows no green lock that users associate with security. In IE11 and Edge the same, no lock indicator of secure site.
Google and Chrome is here again the most proactive, marking SHA1 as insecure starting in Chrome 46 as far as I know. And if you check this, Chrome even plans sometime in year or two marking all HTTP traffic as insecure.

HTTPS is not just convenience, it's about trust, especially on sites where users use name and passwords for login. Crazy number of users use the same password on most of their sites and capturing login credentials on one site can compromise lot of other online accounts.
And another benefit of having HTTPS is the future support for HTTP/2 protocol, that works only via HTTPS. Apache already supports HTTP/2, nginx should have full support at the end of this year.

But this discussion goes beyond my initial point. In my opinion sites (not just) with login should use properly deployed HTTPS-only, ideally with HSTS, with domain certificates that user can trust on first sight.
4) Message boards : Questions and problems : Weak certificate and obsolete SSL/HTTPS settings on boinc.berkeley.edu (Message 64714)
Posted 6 Oct 2015 by Necroman
Post:
If I understand it correctly, UCB is using certificates from InCommon with some kind of yearly subscription fee.
In that case is should be easy to reissue new certificate for boinc.berkeley.edu for free with SHA256 hash algorithm instead of current "insecure" SHA1, that causes the red strike-through in Chrome, because it expires after 2016.
Some details about the SHA1 certificates deprecation is here:
https://wiki.cac.washington.edu/display/infra/Transition+to+InCommon+SSL+Certificates+Signed+with+SHA-2
5) Message boards : Questions and problems : Weak certificate and obsolete SSL/HTTPS settings on boinc.berkeley.edu (Message 64699)
Posted 5 Oct 2015 by Necroman
Post:
Domain certificates can be as cheap as zero $ / year
http://www.startssl.com/
Or soon also on Let's Encrypt:
https://letsencrypt.org/

Or just few $ per year
https://www.ssls.com/ssl-certificates/comodo-positivessl

But it depends, if you want switch to different CA or keep using the current one. There might be some apps or webs using certificate/public key pinning and these might stop working after such change.

At the end we can probably all agree, that this red HTTPS that every user see right now, is not good for the project:



Also regarding the B rating, it can be easily changed to A just by updating the list of supported cipher suites. The recommended list of cipher suites can be found on the Mozilla web in the link above.
6) Message boards : Questions and problems : Weak certificate and obsolete SSL/HTTPS settings on boinc.berkeley.edu (Message 64687)
Posted 5 Oct 2015 by Necroman
Post:
Hi,

I've just noticed that the boinc.berkeley.edu site uses domain certificate with weak SHA1 signature and it's expiring after 2016. This effectively leads to "red untrusted strigethrough symbol" in the Chrome browser and some other browsers as well.

This should be really looked into, because this takes away any trust by possible new BOINC volunteers.

Also the HTTPS/TLS settings is not optimal. The server supports some very weak cipher suites like TLS_RSA_WITH_DES_CBC_SHA and also weak RC4 suites and lot of unnecessary and slow suites as well like SEED and CAMELLIA.

I'd highly recommend, if possible, updating the Apache and OpenSSL libs to current version for best possible security and performance, which will eventually lead to more volunteers willing to help with BOINC scientific project.

For more details see:
https://www.ssllabs.com/ssltest/analyze.html?d=boinc.berkeley.edu
https://wiki.mozilla.org/Security/Server_Side_TLS

Thanks




Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.