Test project Albert@Home now uses HTTPS

Bikeman (Heinz-Bernd Eggenstein)
Bikeman (Heinz-...
Moderator
Joined: 28 Aug 06
Posts: 3,522
Credit: 703,431,111
RAC: 462,642
Topic 196937

Dear volunteers

We have switched our test project, Albert@Home, to use HTTPS instead of plain HTTP. This applies not just to the Web pages, but also to the communication between the BOINC client and the project site.

We'd like to use this as a test to see if this would cause any problems for volunteers (proxies, (personal) firewalls, etc). If you have any problems (unable to connect, unable to get tasks, warning messages while browsing the site.....anything that is unusual), you might not be able to post in the forum on Albert :-), so please feel free to report them here.

Cheers
HB

Jord
Joined: 26 Jan 05
Posts: 2,952
Credit: 5,893,653
RAC: 450

Test project Albert@Home now uses HTTPS

Are you sure that everything is on HTTPS?

5/3/2013 9:23:15 PM | Albert@Home | update requested by user
5/3/2013 9:23:19 PM | Albert@Home | [sched_op] Starting scheduler request
5/3/2013 9:23:19 PM | Albert@Home | Sending scheduler request: Requested by user.
5/3/2013 9:23:19 PM | Albert@Home | Not requesting tasks: "no new tasks" requested via Manager
5/3/2013 9:23:19 PM | Albert@Home | [sched_op] CPU work request: 0.00 seconds; 0.00 devices
5/3/2013 9:23:19 PM | Albert@Home | [sched_op] ATI work request: 0.00 seconds; 0.00 devices
5/3/2013 9:23:21 PM | Albert@Home | Scheduler request completed
5/3/2013 9:23:21 PM | Albert@Home | [sched_op] Server version 700
5/3/2013 9:23:21 PM | Albert@Home | Project requested delay of 60 seconds
5/3/2013 9:23:21 PM | Albert@Home | [sched_op] Deferring communication for 1 min 0 sec
5/3/2013 9:23:21 PM | Albert@Home | [sched_op] Reason: requested by project
5/3/2013 9:23:24 PM | Albert@Home | Started download of EatH_mastercat_1344952579.txt
5/3/2013 9:23:24 PM | Albert@Home | [file_xfer] URL: http://albert.phys.uwm.edu/EatH_mastercat_1344952579.txt
5/3/2013 9:23:25 PM | Albert@Home | [file_xfer] http op done; retval 0 (Success)
5/3/2013 9:23:25 PM | Albert@Home | [file_xfer] file transfer status 0 (Success)
5/3/2013 9:23:25 PM | Albert@Home | Finished download of EatH_mastercat_1344952579.txt
5/3/2013 9:23:25 PM | Albert@Home | [file_xfer] Throughput 9278 bytes/sec

Edit: Ah I see that you switched back to HTTP.

Bikeman (Heinz-Bernd Eggenstein)
Bikeman (Heinz-...
Moderator
Joined: 28 Aug 06
Posts: 3,522
Credit: 703,431,111
RAC: 462,642

Indeed, we are now back to

Indeed, we are now back to http, but the plan is still to go on HTTPS with a certificate that can be verified by the boinc client, soon.

Cheers
HB

MarkJ
MarkJ
Joined: 28 Feb 08
Posts: 437
Credit: 139,002,861
RAC: 2

Why the push for https? I

Why the push for https? I presume better security.

One down-side to this is most proxy servers work as pass thru with https which means they won't be caching any more.

Sebastian M. Bobrecki
Sebastian M. Bo...
Joined: 20 Feb 05
Posts: 63
Credit: 1,529,600,785
RAC: 112

I think it would be best to

I think it would be best to use https in communication with the site, scheduler, upload_handler and other elements which exchange sensitive data (logins, passwords, keys, etc...). And leave http for downloads, to allow some sort of caching (app binaries, libraries, some common data files, etc...) and to avoid servers overload.

Patrick
Patrick
Joined: 2 Aug 12
Posts: 70
Credit: 2,358,155
RAC: 0

If you watch on the following

If you watch on the following link it should be clear.
There are security problems from time to time(on .edu domains).

So https should be a good choice hopefully.

http://tech.mit.edu/V132/N63/hack.html

MarkJ
MarkJ
Joined: 28 Feb 08
Posts: 437
Credit: 139,002,861
RAC: 2

RE: I think it would be

Quote:
I think it would be best to use https in communication with the site, scheduler, upload_handler and other elements which exchange sensitive data (logins, passwords, keys, etc...). And leave http for downloads, to allow some sort of caching (app binaries, libraries, some common data files, etc...) and to avoid servers overload.

I'd agree with this. The main place would be scheduler contacts, which should use https. The uploads and downloads can remain as http.

Another place you might want to do it is when logging onto the website. Use https for the logon screen and the rest of the site can use http.

Patrick
Patrick
Joined: 2 Aug 12
Posts: 70
Credit: 2,358,155
RAC: 0

And i agree with you. :)

And i agree with you. :)

Sebastian M. Bobrecki
Sebastian M. Bo...
Joined: 20 Feb 05
Posts: 63
Credit: 1,529,600,785
RAC: 112

Account key is inside the

Account key is inside the cookies therefore access to all websites should be secured. I am not sure but it's possible that account key is also sent in the request to upload_handler. That's why I wrote about this before but this needs to be verified.

Bikeman (Heinz-Bernd Eggenstein)
Bikeman (Heinz-...
Moderator
Joined: 28 Aug 06
Posts: 3,522
Credit: 703,431,111
RAC: 462,642

RE: Account key is inside

Quote:
Account key is inside the cookies therefore access to all websites should be secured. I am not sure but it's possible that account key is also sent in the request to upload_handler. That's why I wrote about this before but this needs to be verified.

Indeed. It's not optimal to just secure the logon page and then carry on in http. See this page http://blog.httpwatch.com/2011/01/28/top-7-myths-about-https/ (Myth #1 ) if it isn't already clear from the previous message.

Cheers
HB

Andrew Dicker
Andrew Dicker
Joined: 6 Apr 13
Posts: 18
Credit: 90,041,313
RAC: 0

Is this under testing

Is this under testing again?

11/07/2013 9:08:53 AM | Albert@Home | Scheduler request failed: Peer certificate cannot be authenticated with given CA certificates

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.