BOINC should push projects to use HTTPS for better security #1345

Closed
romw opened this issue Feb 4, 2015 · 22 comments

@romw
Member

romw commented Feb 4, 2015

Reported by bryanquigley on 12 Nov 44964364 11:49 UTC
Right now all downloads happen over HTTP and AFAICT the only protection is code signing and the sandbox. HTTPS projects would have another layer protecting against MITM attacks.

Code signing won't protect against tampering with the data and/or results back to the project. Tampering with the data as it goes to the client could lead to an exploit.

In all I'm just asking if BOINC can change to explicitly recommend using HTTPS for the project website and project URL.

Migrated-From: http://boinc.berkeley.edu/trac/ticket/1374

@romw
Member Author

romw commented Feb 5, 2015

Commented by bryanquigley on 6 Jan 44964369 12:32 UTC
I would be happy to help with work to make the BOINC website more secure to lead by example.

@romw
Member Author

romw commented Feb 5, 2015

Commented by Nicolas on 21 Mar 45018814 12:54 UTC
Using HTTPS for the scheduler requests would be enough, as it would protect the MD5 hashes sent by the server. There's no need to use HTTPS for the downloads themselves too.

@romw
Member Author

romw commented Feb 5, 2015

Commented by bryanquigley on 22 Sep 45020797 06:32 UTC
If it was just an md5sum it wouldn't be enough given exploits against it. I believe if you check the size though it might be (for now).

Opened a new ticket for supporting sha256 (https://boinc.berkeley.edu/trac/ticket/1375)
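
The design discussed in the two comments above, as an added example that is not part of the thread or of BOINC's code: the client takes the expected size and digest from the HTTPS-protected reply and checks a body fetched over plain HTTP against them. SHA-256 is used as in the follow-up ticket; the function names, metadata layout and payload are constructed assumptions, not BOINC's scheduler reply format.

```python
import hashlib
import hmac
import io


class IntegrityError(Exception):
    """Raised when a download does not match the trusted metadata."""


def verify_download(stream, expected_size, expected_sha256, chunk=65536):
    """Check a body fetched over plain HTTP against the size and SHA-256
    that arrived over the authenticated channel; raise on any mismatch."""
    digest, received = hashlib.sha256(), 0
    while True:
        block = stream.read(chunk)
        if not block:
            break
        received += len(block)
        # Abort early so an altered body cannot force unbounded reads.
        if received > expected_size:
            raise IntegrityError("body larger than announced size")
        digest.update(block)
    if received != expected_size:
        raise IntegrityError("body shorter than announced size")
    # Constant-time comparison of the hex digests.
    if not hmac.compare_digest(digest.hexdigest(), expected_sha256.lower()):
        raise IntegrityError("digest mismatch")


def check(body, meta):
    """Return 'ok' or the reason the body was rejected."""
    try:
        verify_download(io.BytesIO(body), meta["size"], meta["sha256"])
        return "ok"
    except IntegrityError as exc:
        return str(exc)


# Constructed sample data (hypothetical payload and metadata layout).
ORIGINAL = b"constructed work-unit payload\n" * 100
TRUSTED = {"size": len(ORIGINAL), "sha256": hashlib.sha256(ORIGINAL).hexdigest()}
TAMPERED = ORIGINAL.replace(b"payload", b"pAyload", 1)  # same size, one byte changed

# If the metadata also travelled over plain HTTP, whoever altered the body
# can alter the metadata to match, and the same check passes.
FORGED = {"size": len(TAMPERED), "sha256": hashlib.sha256(TAMPERED).hexdigest()}
```

The check is only as trustworthy as the channel that delivered `TRUSTED`, which is why the scheduler reply is the part that needs HTTPS.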

@grctest
Contributor

grctest commented Sep 8, 2016

Pushing BOINC projects to use HTTPS for everything would be great. I've used Let's Encrypt via EFF's certbot to quickly provide SSL for my BOINC project.

The Gridcoin community has been attempting to chase up projects regarding implementing SSL (only 4 have not replied): https://cryptocointalk.com/topic/49717-continued-boinc-project-ssl-discussion/

This recent boinc_project mailing list thread is interesting & talks about implementing SSL (whilst redirecting all HTTP traffic to HTTPS): http://lists.ssl.berkeley.edu/mailman/private/boinc_projects/2016-September/011836.html

I raised the question:
I've been discussing potential security issues with the BOINC web server in the BOINC_Dev mailing list and found that the majority of BOINC projects in the 'add project' window do not list the URL as HTTPS despite its availability. Is this something else we'll need to change or is it purely a cosmetic issue?
https://github.com/BOINC/boinc/blob/master/doc/projects.inc

Preferably, nothing vital like password hashes/account keys should be sent plain-text over the public Internet.

@ChristianBeer
Member

We should really add some sentences to the documentation that say we encourage the use of HTTPS. The caveat is that due to certificate issues the oldest Windows Client that is able to connect with a project that uses a LetsEncrypt certificate is 7.4.1; all versions prior don't have a suitable root certificate in their truststore. BOINC ships a custom cabundle on Windows and does not use the Windows truststore.

@grctest
Contributor

grctest commented Aug 4, 2017

SSL on the login screen is insufficient: if the BOINC server doesn't have SSL enabled between the client and server/scheduler then the account key is sent in plain text over the internet (posing a permanent account compromise risk).

@Ageless93
Contributor

Aren't almost all projects over to HTTPS?

@grctest
Contributor

grctest commented Sep 13, 2017

@Ageless93 Not all projects have implemented HTTPS yet, no.

What about a warning message within the OPs admin page if their project isn't running SSL?

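```php
<?php
// Check whether the current request reached the admin page over HTTPS.
if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') {
    // SSL enabled: display nothing.
} else {
    // Display an alert box warning the admin of non-SSL risks.
}
```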

Source for above example SSL detection alert box

@TheAspens
Member

I think that the industry trends to push everyone to HTTPS (specifically the browser manufacturers) will be enough of a push to do this. That said, it would be good if BOINC's set up instructions would assume that projects will set up HTTPS.

Since BOINC does not have a mechanism for updating the ca_cert bundle on client machines, I think that we need to change the client so that it uses the operating system provided set of trusted signers rather than its own bundle. This will prevent issues such as what @ChristianBeer identified in April.

@ChristianBeer
Member

The Linux and Mac Clients already use the OS provided certificate stores. Only on Windows you need to use a specific API that according to Rom is going to take some time to implement in the Client. I don't know any specifics about that.

@AenBleidd
Member

Is this still an issue on Windows?

@RichardHaselgrove
Contributor

The Windows issue - that BOINC uses a private ca-bundle.crt file that is deployed by the installer and never updated until a later version is installed - remains. (BOINC also uses private VS2010 C runtime libraries, which bypasses any Microsoft security updates, but that's another story.)

The project issue - that not every project has installed an SSL certificate on their server - also remains. I listed the public projects which haven't recently in #2716: there are also private or individual projects in existence that we know nothing about centrally. They would also be impacted.

Attitudes to internet security range from "use SSL for everything, even accessing the most anodyne public information" to "only worry about privacy when sending or receiving genuinely private data". I think we should re-run that discussion yet again (especially in the context of GDPR) before coming down on one side of the line or the other.

TheAspens mentioned this issue Oct 2, 2018
@mielouk

mielouk commented Nov 11, 2019

Please make encryption for all BOINC related traffic mandatory!

@BryanQuigley
Contributor

Been commenting on #2466.

Can we make a policy note that only projects that are HTTPS for every URL can be added to the project list?
We could also create a date (Say in 2023) when HTTPS is required for all...

Right now we are at 24 projects using HTTPS (including account managers) and 14 only using HTTP.

I've started tracking the 14 only using HTTP here. I pledge to contribute my resources (for at least this winter) to projects that switch to HTTPS as their master and all other URLs. Some projects are worried about losing old clients, join me in this pledge to help lessen the impact. Also feel free to help fill out the spreadsheet and reach out to other projects!

GridRepublic is the only account manager on the list and that seems like a particularly big risk.

@RichardHaselgrove
Contributor

Not until BOINC's certificate bundle is working again, and the OpenSSL version is updated to a bug-free one ...

@AenBleidd
Member

'OpenSSL' and 'bug-free' can't be used in the same sentence 😂

@BryanQuigley
Contributor

Wow, my timing sucks. :/

@mielouk

mielouk commented Oct 2, 2021

> Wow, my timing sucks. :/

Nonetheless, glad someone picks up this important issue!

@BryanQuigley
Contributor

I see it in the git branch for 7.16.20, but just wanted to confirm here. Windows users who upgrade to 7.16.20 can enjoy the nicer http -> https fix. (If moderately old BOINC client, they may get the duplicate client bit.)

I'm thinking about asking projects again. Getting this nice fix to Linux users won't really be possible. But how about Mac and Android users? Any other usefulness of making 7.16.20 available for those users?

AenBleidd removed this from Backlog in Website and Drupal Sep 18, 2022
AenBleidd added this to Backlog in Other via automation Sep 18, 2022
Other automation moved this from Backlog to Done Sep 18, 2022
@BryanQuigley
Contributor

@AenBleidd I was hoping to close this when all projects on the project list are only using HTTPS. Was there another reason for the close?

@AenBleidd
Member

All major projects are already using https. Since there is no action from our side to make any restrictions and block http usage, there is nothing that should be done in this ticket, so there is no reason to keep it open.

@BryanQuigley
Contributor

There are still a good number of projects that are set as http in the projects list:
http://denis.usj.es/denisathome/
http://www.rnaworld.de/rnaworld/
http://www.cosmologyathome.org/
http://milkyway.cs.rpi.edu/milkyway/
http://einstein.phys.uwm.edu/
http://numberfields.asu.edu/NumberFields/
http://moowrap.net/
http://www.primegrid.com/
http://gerasim.boinc.ru/
http://srbase.my-firewall.org/sr5/
http://www.rechenkraft.net/yoyo/
http://radioactiveathome.org/boinc/

Including at least 1 brand new project - Denis. Now many of them switch to using at least some HTTPS, but it's still an unnecessary liability.
