Message boards : Web interfaces : Any plans to upgrade BOINC website SSL algorithm away from SHA-1?
Message board moderation
Author | Message |
---|---|
Send message Joined: 19 Dec 06 Posts: 90 |
SHA-1 is marked for death by many industry giants like G**gle and Mozilla, which will impact many casual users who just trust whatever their browsers tell them is safe/unsafe. In my case, organizational networking/security policy is soon going to block SHA-1 except for an administrator-maintained whitelist, which means no user-added exceptions. A search for "SHA-1" in these forums only brought up one post in a SETI thread, so I wonder if this is even on the radar for the folks who maintain this website. Perhaps the *.berkeley.edu TLD has some bureacratic baggage that the BOINC department can't control? |
Send message Joined: 4 Jul 12 Posts: 321 |
There is a recent post from David Anderson that he is aware of the issue but as you said there is some level of bureaucracy involved which I guess means nagging people until you get the thing you want. |
Send message Joined: 29 Aug 10 Posts: 8 |
Thanks for updating the certificate to use SHA256 as the hashing function! But any info about updating the SSL/TLS settings? Right now it supports some obsolete and insecure cipher suites, see my previous article: https://boinc.berkeley.edu/dev/forum_thread.php?id=11261 |
Send message Joined: 29 Aug 05 Posts: 15563 |
It took quite some convincing to get Berkeley thus far to get those certificates, especially for Seti@Home. There they also want to change the downloads to HTTPS but lack the necessary certificates for that, so a new fight ensues. |
Send message Joined: 4 Jul 12 Posts: 321 |
It seems the only problem with boinc.berkeley.edu configuration is support of the RC4 cipher. If that gets disabled the ssllabs grade should be an A. Which is fine in my opinion. |
Send message Joined: 29 Aug 05 Posts: 15563 |
Isn't that to make sure older Android/Windows versions can still get onto these forums? |
Send message Joined: 4 Jul 12 Posts: 321 |
According to a CloudFlare Blog article (2 years old) "older Android/Windows" means in this case:
|
Send message Joined: 29 Aug 05 Posts: 15563 |
According to SSLLabs RC4 is used by XP/IE8, which is the last IE that XP can be upgraded to. We could ask David to check the database to see how many people use that combination to come here, if the database registers that. (Edit: I emailed him) |
Send message Joined: 19 Dec 06 Posts: 90 |
If Firefox and/or other browsers run on XP and support modern encryption, why should anyone make special concessions to those who want to use IE8? |
Send message Joined: 29 Aug 05 Posts: 15563 |
Sniff. https://github.com/BOINC/boinc/commit/0bc9b0264081a0b338d7731e45f854917b966e86 BOINC web: don't show mediawiki pages as https; doesn't work When one goes from the User Manual loaded via HTTPS to some of the sub-pages, CSS refuses to load because links it loads the Monobook skin from are HTTP only. So then Firefox shows a mixed content warning in Developer->Inspector and pages do load but without any CSS. Of course, for David it's easier to not make the User Manual (and other pages) work with HTTPS than to try to make Apache work with it all around the domain. So, soon in a Firefox around the corner: https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/ To continue to promote the use of HTTPS and properly convey the risks to users, Firefox will eventually display the struck-through lock icon for all pages that don’t use HTTPS, to make clear that they are not secure. As our plans evolve, we will continue to post updates but our hope is that all developers are encouraged by these changes to take the necessary steps to protect users of the Web through HTTPS. |
Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License,
Version 1.2 or any later version published by the Free Software Foundation.