Folding@home Security Q&A

[jcoffland]

Introduction

The security impact of folding on your machines is of utmost importance to us. Our new Folding@home account and the access it enables to remotely control, configure and monitor folding will inevitably give rise to new security questions. Here we would like to give you the opportunity to ask those questions.

Disclosing Security Flaws Responsibly

If you believe you've found a security flaw in Folding@home, please disclose it responsibly by first emailing us at security@foldingathome.org.

Brief technical details

The security of the new Folding@home account system has been carefully architected so that only those with the account passphrase can remotely control folding and that remote control is limited to starting, stopping, configuring and monitoring Folding@home home and no more.

With the new account system folding clients connect to a Folding node which makes it possible to access folding remotely even when the machine is behind a firewall. When you login to your folding account, your browser also makes a connection to the node. Communication between your browser and the clients is doubly encrypted so that even if the node is compromised your account will remain secure. It is unlikely that a Folding node will be compromised but if it were the worst an attacker could do would be to block remote access by not allowing you to connect.

Your account data is of course stored on our servers at Folding@home. So what about the unlikely situation where Folding@home's servers get hacked. In this case, your accounts are still secure because even Folding@home is unable to access your account. You account information is stored encrypted on our servers and your passphrase never leaves your browser.

Open-Source

The source code for the new account system is publicly accessible. There are three main parts:

1. fah-client-bastet
2. fah-web-client-bastet
3. fah-node

Further Questions

There are many more details to Folding@home's security. Please feel free to post your questions below.

[kbernhagen]

What are the security implications of using a third-party Web Control web site, with and without login?

[jcoffland]

Q) What are the security implications of using a third-party Web Control web site, with and without login?

A) 3rd party Web Control of your local client is relatively safe but we don't currently support 3rd party clients logging into F@H unless they run locally on your machine, e.g. on localhost, *.local or 127.0.0.1.

If you enter any login information to any 3rd party site you're giving them the keys. We currently block 3rd party logins to F@H through CORS rules. This prevents logins to F@H from 3rd party sites from working but it won't prevent unsuspecting users from giving away their passwords.

We would ultimately like to allow 3rd parties to create Web Control apps of their own or integrate F@H into other web apps. A possible work around is to do something like OAuth does (e.g. Google logins to 3rd party sites). The F@H login would redirect to another page then return to the 3rd party site once the login is completed. In this case, you would only enter your login credentials on a *.foldingathome.org page. This solution has further complications and still needs more research.

Even with the above solution you are giving the 3rd party at least temporary access to control your F@H account. You need to have some level of trust to allow this. Most likely you don't want to give them permanent access to your account.

One option is to run 3rd party Web Control apps locally. You still have to trust the 3rd party but at least in this case someone can look at the code and have some assurance that it doesn't suddenly change from trustworthy to malicious.

In short, just like you wouldn't enter your bank credentials on a 3rd party website, don't give your F@H credentials to a 3rd party.