The join now instructions say to join:
https://einsteinathome.org
but the URL embedded in BOINC is http://einstein.phys.uwm.edu
Can we switch the default URL BOINC uses to https://einsteinathome.org? Thanks!
Both links go directly to my https://einsteinathome.org webpage.
Proud member of the Old Farts Association
Yes, my concern is not the website. It's the default way we connect the first time to a project, using BOINC/HTTP - that makes a MITM trivial. If the master URL (and the one in BOINC) was https://einsteinathome.org, an attacker would need to acquire a valid cert for einsteinathome.org.
We tried to change the MASTER_URL in the project configuration once. But when we did this, even with just changing from http to https, all clients already attached to the project got a message saying that the URL of the project has changed and they should detach and re-attach. This is something we didn't want to enforce on all the existing users.
We are working on a system that allows for testing a series of configuration changes that would avoid these messages, but this work is still in progress.
BM
Awesome, if I can help test those changes I'd be happy to!
Another change that can help just landed - https://github.com/BOINC/boinc/commit/e4c6319b1c224bc64294729a76606e0b79c99104 (Although I thought a similar fix was already in). Will follow up when it's in a released BOINC.
It also means that if you use the exclude command in a cc_config.xml file you MUST use the http prefix instead of the https prefix. It causes problems for those with multiple GPUs trying to run multiple projects on multiple GPUs.
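The exclusion mismatch described in the post above can be checked for offline. The following is an added example, not code from this thread or from BOINC: it assumes exclusions are read from `<exclude_gpu><url>` in cc_config.xml and attached projects from `<project><master_url>` in client_state.xml, and both sample files are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample files. The https einstein.phys.uwm.edu URL and the
# example.org URL are made up for the demonstration.
SAMPLE_CLIENT_STATE = """<client_state>
  <project><master_url>http://einstein.phys.uwm.edu/</master_url></project>
</client_state>"""
SAMPLE_CC_CONFIG = """<cc_config><options>
  <exclude_gpu><url>https://einstein.phys.uwm.edu/</url><device_num>0</device_num></exclude_gpu>
  <exclude_gpu><url>http://einstein.phys.uwm.edu/</url><device_num>1</device_num></exclude_gpu>
  <exclude_gpu><url>https://boinc.example.org/proj/</url><device_num>1</device_num></exclude_gpu>
</options></cc_config>"""

def site_key(url):
    """Host (with port) and path only: scheme, case and trailing slash ignored."""
    parts = urlsplit(url.strip())
    return parts.netloc.lower(), parts.path.rstrip("/")

def audit_excludes(cc_config_xml, client_state_xml):
    """Classify each <exclude_gpu> URL against the attached master URLs.

    Assumption: an exclusion only applies when its URL equals the master URL
    the client is attached with, scheme included, as the post reports.
    """
    masters = [(p.findtext("master_url") or "").strip()
               for p in ET.fromstring(client_state_xml).iter("project")]
    findings = []
    for ex in ET.fromstring(cc_config_xml).iter("exclude_gpu"):
        url = (ex.findtext("url") or "").strip()
        exact = [m for m in masters if m.rstrip("/") == url.rstrip("/")]
        same_site = [m for m in masters if site_key(m) == site_key(url)]
        if exact:
            findings.append((url, "ok", exact[0]))
        elif same_site:
            # Same host and path but a different string, typically http vs https.
            findings.append((url, "scheme-mismatch", same_site[0]))
        else:
            findings.append((url, "not-attached", None))
    return findings

if __name__ == "__main__":
    for url, status, attached in audit_excludes(SAMPLE_CC_CONFIG, SAMPLE_CLIENT_STATE):
        print(f"{status:16} {url}  (attached as: {attached})")
```

A `scheme-mismatch` finding marks an exclusion that looks correct to the person who wrote it but names a URL the client is not attached with.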
The Windows version 7.6.20 should make the http->https seamless - but that might only work if you keep the same URLs.
Mac/Linux users likely still have to do the detach/re-attach dance.