Thread 'Any plans to upgrade BOINC website SSL algorithm away from SHA-1?'

Message boards : Web interfaces : Any plans to upgrade BOINC website SSL algorithm away from SHA-1?
Message board moderation

To post messages, you must log in.

AuthorMessage
Jazzop

Send message
Joined: 19 Dec 06
Posts: 90
United States
Message 75100 - Posted: 4 Jan 2017, 18:33:05 UTC

SHA-1 is marked for death by many industry giants like G**gle and Mozilla, which will impact many casual users who just trust whatever their browsers tell them is safe/unsafe. In my case, organizational networking/security policy is soon going to block SHA-1 except for an administrator-maintained whitelist, which means no user-added exceptions.

A search for "SHA-1" in these forums only brought up one post in a SETI thread, so I wonder if this is even on the radar for the folks who maintain this website. Perhaps the *.berkeley.edu TLD has some bureacratic baggage that the BOINC department can't control?
ID: 75100 · Report as offensive
ChristianB
Volunteer developer
Volunteer tester

Send message
Joined: 4 Jul 12
Posts: 321
Germany
Message 75102 - Posted: 4 Jan 2017, 19:16:03 UTC

There is a recent post from David Anderson that he is aware of the issue but as you said there is some level of bureaucracy involved which I guess means nagging people until you get the thing you want.
ID: 75102 · Report as offensive
Necroman

Send message
Joined: 29 Aug 10
Posts: 8
Czech Republic
Message 75201 - Posted: 11 Jan 2017, 14:58:49 UTC - in response to Message 75102.  

Thanks for updating the certificate to use SHA256 as the hashing function!
But any info about updating the SSL/TLS settings? Right now it supports some obsolete and insecure cipher suites, see my previous article:
https://boinc.berkeley.edu/dev/forum_thread.php?id=11261
ID: 75201 · Report as offensive
ProfileJord
Volunteer tester
Help desk expert
Avatar

Send message
Joined: 29 Aug 05
Posts: 15560
Netherlands
Message 75221 - Posted: 12 Jan 2017, 17:06:33 UTC - in response to Message 75201.  

It took quite some convincing to get Berkeley thus far to get those certificates, especially for Seti@Home. There they also want to change the downloads to HTTPS but lack the necessary certificates for that, so a new fight ensues.
ID: 75221 · Report as offensive
ChristianB
Volunteer developer
Volunteer tester

Send message
Joined: 4 Jul 12
Posts: 321
Germany
Message 75269 - Posted: 13 Jan 2017, 10:59:56 UTC

It seems the only problem with boinc.berkeley.edu configuration is support of the RC4 cipher. If that gets disabled the ssllabs grade should be an A. Which is fine in my opinion.
ID: 75269 · Report as offensive
ProfileJord
Volunteer tester
Help desk expert
Avatar

Send message
Joined: 29 Aug 05
Posts: 15560
Netherlands
Message 75271 - Posted: 13 Jan 2017, 11:17:34 UTC - in response to Message 75269.  

Isn't that to make sure older Android/Windows versions can still get onto these forums?
ID: 75271 · Report as offensive
ChristianB
Volunteer developer
Volunteer tester

Send message
Joined: 4 Jul 12
Posts: 321
Germany
Message 75280 - Posted: 13 Jan 2017, 13:17:34 UTC

According to a CloudFlare Blog article (2 years old) "older Android/Windows" means in this case:

  • "candy bar" style phones (Nokia 6120 classic, Lemon T109, Sony Ericscon K310)
  • old browser like iCab 2.9.9 or Internet Explorer 5/6


I don't think there is anyone with those devices who wants to look stuff up here.

ID: 75280 · Report as offensive
ProfileJord
Volunteer tester
Help desk expert
Avatar

Send message
Joined: 29 Aug 05
Posts: 15560
Netherlands
Message 75286 - Posted: 13 Jan 2017, 14:40:49 UTC - in response to Message 75280.  
Last modified: 13 Jan 2017, 14:46:45 UTC

According to SSLLabs RC4 is used by XP/IE8, which is the last IE that XP can be upgraded to. We could ask David to check the database to see how many people use that combination to come here, if the database registers that.

(Edit: I emailed him)
ID: 75286 · Report as offensive
Jazzop

Send message
Joined: 19 Dec 06
Posts: 90
United States
Message 75295 - Posted: 13 Jan 2017, 17:44:27 UTC - in response to Message 75286.  

If Firefox and/or other browsers run on XP and support modern encryption, why should anyone make special concessions to those who want to use IE8?
ID: 75295 · Report as offensive
ProfileJord
Volunteer tester
Help desk expert
Avatar

Send message
Joined: 29 Aug 05
Posts: 15560
Netherlands
Message 75442 - Posted: 22 Jan 2017, 17:58:20 UTC

Sniff.
https://github.com/BOINC/boinc/commit/0bc9b0264081a0b338d7731e45f854917b966e86
BOINC web: don't show mediawiki pages as https; doesn't work
When one goes from the User Manual loaded via HTTPS to some of the sub-pages, CSS refuses to load because links it loads the Monobook skin from are HTTP only. So then Firefox shows a mixed content warning in Developer->Inspector and pages do load but without any CSS.

Of course, for David it's easier to not make the User Manual (and other pages) work with HTTPS than to try to make Apache work with it all around the domain.

So, soon in a Firefox around the corner:
https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/
To continue to promote the use of HTTPS and properly convey the risks to users, Firefox will eventually display the struck-through lock icon for all pages that don’t use HTTPS, to make clear that they are not secure. As our plans evolve, we will continue to post updates but our hope is that all developers are encouraged by these changes to take the necessary steps to protect users of the Web through HTTPS.
ID: 75442 · Report as offensive

Message boards : Web interfaces : Any plans to upgrade BOINC website SSL algorithm away from SHA-1?

Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.