Opened 9 years ago
Last modified 9 years ago
#1374 new Defect
BOINC should push projects to use HTTPS for better security
| Reported by: | bryanquigley | Owned by: | davea |
|---|---|---|---|
| Priority: | Undetermined | Milestone: | Undetermined |
| Component: | Web - Other | Version: | 7.4.36 |
| Keywords: | ssl, https, security | Cc: |
Description
Right now all downloads happen over HTTP and AFAICT the only protection is code signing and the sandbox. HTTPS projects would have another layer protecting against MITM attacks.
Code signing won't protect against tampering with the data and/or results back to the project. Tampering with the data as it goes to the client could lead to an exploit.
In all I'm just asking if BOINC can change to explicitly recommend using HTTPS for the project website and project URL.
Change History (4)
comment:1 Changed 9 years ago by
comment:2 Changed 9 years ago by
| Component: | Undetermined → Web - Other |
|---|---|
| Owner: | set to davea |
comment:3 Changed 9 years ago by
Using HTTPS for the scheduler requests would be enough, as it would protect the MD5 hashes sent by the server. There's no need to use HTTPS for the downloads themselves too.
comment:4 Changed 9 years ago by
If it was just an md5sum it wouldn't be enough given exploits against it.. I believe if you check the size though it might be (for now).
Opened a new ticket for supporting sha256 (https://boinc.berkeley.edu/trac/ticket/1375)
I would be happy to help with work to make the BOINC website more secure to lead by example.