Uploads and downloads blocked for some BOINC projects using HTTPS

Message boards : Number crunching : Uploads and downloads blocked for some BOINC projects using HTTPS
Message board moderation

To post messages, you must log in.

Previous · 1 · 2

AuthorMessage
Profile Raistmer
Volunteer developer
Volunteer tester
Avatar

Send message
Joined: 16 Jun 01
Posts: 6325
Credit: 106,370,077
RAC: 121
Russia
Message 2051554 - Posted: 11 Jun 2020, 11:43:56 UTC - in response to Message 2051489.  

From 1 August 2021, they may be removing support for 32bit completely !

So, Google refuses to support older devices?... My Evo 3D has no (AFAIK) analogs in later models at all....
SETI apps news
We're not gonna fight them. We're gonna transcend them.
ID: 2051554 · Report as offensive     Reply Quote
Profile Raistmer
Volunteer developer
Volunteer tester
Avatar

Send message
Joined: 16 Jun 01
Posts: 6325
Credit: 106,370,077
RAC: 121
Russia
Message 2051555 - Posted: 11 Jun 2020, 11:48:20 UTC - in response to Message 2051491.  
Last modified: 11 Jun 2020, 11:48:45 UTC

the specific complexities of developing for Android and the Play Store.

AFAIK it's still possible to install apk (even on non-rooted phones) "manually" (that is, to download it from let say boinc.edu, not from Play Store). Could such distribution simplify the process of package construction (for example, separate x86 and x64 packs even if Play Store asks for single bundle)?...
SETI apps news
We're not gonna fight them. We're gonna transcend them.
ID: 2051555 · Report as offensive     Reply Quote
Richard Haselgrove Project Donor
Volunteer tester

Send message
Joined: 4 Jul 99
Posts: 14649
Credit: 200,643,578
RAC: 874
United Kingdom
Message 2051568 - Posted: 11 Jun 2020, 12:50:05 UTC - in response to Message 2051553.  

Still have no clear picture. Why some projects affected and some not? That could mean smth could be done on SERVER side, not client side - and this is my main point.

Does CLIENT side change absolutely required? (and if so, to exclude such outcomes in the future some mechanism should be applied to notify users that action required (Jord said that BOINC notifications not for this, but I see no reason why not to use them in need or why not to provide smth similar in case religion didn't allow such usage ;) ).
Each project - each sponsoring body, whether it be a university, commercial firm, or private individual - will have to have applied for and been granted a server certificate appertaining to the domain name they wish to use. That's a free choice by each project, and they will have gone down different pathways, paid their money to different certification authorities.

For a connection to be established, there has to be a recognition and trust bond between the client and the server - a matching pair. BOINC tries to ensure this by supplying a bundle of certificates, on the basis of "at least one of these ought to work" for all of the popular server certifying authorities.

One of the certificates in the client bundle expired. There was already a replacement certificate in the bundle, and the client should have kept on trying, past the failed certificate, and found the replacement.

But the BOINC client doesn't do certification management itself. It's outsourced that to curl (for communication in general) and OpenSSL (for security). And the Windows version of BOINC is using is using an old version of OpenSSL with a bug in it. That old OpenSSL version barfed on the expired certificate, and gave up, instead of checking further into the bundle.

So we have an unholy mess contributed to by a constellation of different server certificates; an expired client certificate; and buggy (imported) software.

Fixing (or at least working round) the mess can be done by fixing any one of those things.

For us, we can regain connections by individually fixing our client bundles: it took us about four hours on a Saturday afternoon to work that out.
For the projects (and hence all their volunteers, not just the savvy ones), they can regain connections by changing their server certificates. Two managed that quite quickly, a third is still struggling.
For BOINC, they could (and should) update to a newer OpenSSL library which has the bug patched. This was already in place for the Mac platform, but not for Windows (although an updated library has been available for a while).

"Shooting the messenger" means attributing the cause of the three-way mess to "Help desk experts", rather than giving us our proper role as two-way messengers. Is that better?
ID: 2051568 · Report as offensive     Reply Quote
Profile Raistmer
Volunteer developer
Volunteer tester
Avatar

Send message
Joined: 16 Jun 01
Posts: 6325
Credit: 106,370,077
RAC: 121
Russia
Message 2051597 - Posted: 11 Jun 2020, 18:49:23 UTC - in response to Message 2051568.  

Still have no clear picture. Why some projects affected and some not? That could mean smth could be done on SERVER side, not client side - and this is my main point.

Does CLIENT side change absolutely required? (and if so, to exclude such outcomes in the future some mechanism should be applied to notify users that action required (Jord said that BOINC notifications not for this, but I see no reason why not to use them in need or why not to provide smth similar in case religion didn't allow such usage ;) ).
Each project - each sponsoring body, whether it be a university, commercial firm, or private individual - will have to have applied for and been granted a server certificate appertaining to the domain name they wish to use. That's a free choice by each project, and they will have gone down different pathways, paid their money to different certification authorities.

For a connection to be established, there has to be a recognition and trust bond between the client and the server - a matching pair. BOINC tries to ensure this by supplying a bundle of certificates, on the basis of "at least one of these ought to work" for all of the popular server certifying authorities.

One of the certificates in the client bundle expired. There was already a replacement certificate in the bundle, and the client should have kept on trying, past the failed certificate, and found the replacement.

But the BOINC client doesn't do certification management itself. It's outsourced that to curl (for communication in general) and OpenSSL (for security). And the Windows version of BOINC is using is using an old version of OpenSSL with a bug in it. That old OpenSSL version barfed on the expired certificate, and gave up, instead of checking further into the bundle.

So we have an unholy mess contributed to by a constellation of different server certificates; an expired client certificate; and buggy (imported) software.

Fixing (or at least working round) the mess can be done by fixing any one of those things.

For us, we can regain connections by individually fixing our client bundles: it took us about four hours on a Saturday afternoon to work that out.
For the projects (and hence all their volunteers, not just the savvy ones), they can regain connections by changing their server certificates. Two managed that quite quickly, a third is still struggling.
For BOINC, they could (and should) update to a newer OpenSSL library which has the bug patched. This was already in place for the Mac platform, but not for Windows (although an updated library has been available for a while).

So, for server-side fix one should look into BOINC-client sertificate file, see in what order certificates listed there, select authority listed before expired one (separate question - why do they expire at all?) pay to that authority to get new server-side key from it and then update their servers. Is this sequence correct?
And what will be at time all those certificates expire? Internet ended?
And in what part this sertificate-based thing improved secuirity? We definitely know that arbitrary software can be put into project folder for BOINC client to launch it as project app....


"Shooting the messenger" means attributing the cause of the three-way mess to "Help desk experts", rather than giving us our proper role as two-way messengers. Is that better?

As I said I understand meaning, but it still not the case. If you relook that thread for sequence of messages you could see it (where issue discussed, where discussion switched to reaction on particular response).
SETI apps news
We're not gonna fight them. We're gonna transcend them.
ID: 2051597 · Report as offensive     Reply Quote
Profile Raistmer
Volunteer developer
Volunteer tester
Avatar

Send message
Joined: 16 Jun 01
Posts: 6325
Credit: 106,370,077
RAC: 121
Russia
Message 2051601 - Posted: 11 Jun 2020, 19:01:47 UTC - in response to Message 2051568.  
Last modified: 11 Jun 2020, 19:04:03 UTC

Each project - each sponsoring body, whether it be a university, commercial firm, or private individual

And could you explain this little more.
Let say I want to create own BOINC-based DC project.
I downloaded free sources, build them, installed server.
Created own project web site on free hoster (or on own hardware). Placed BOINC client binaries (or provide link to them) for expected participants to download and install.

And then, after all that free of payments part I should pay for smth not related with all above at all?

Or that certificate-thingy is optional one?
SETI apps news
We're not gonna fight them. We're gonna transcend them.
ID: 2051601 · Report as offensive     Reply Quote
Richard Haselgrove Project Donor
Volunteer tester

Send message
Joined: 4 Jul 99
Posts: 14649
Credit: 200,643,578
RAC: 874
United Kingdom
Message 2051604 - Posted: 11 Jun 2020, 19:23:47 UTC - in response to Message 2051601.  

I'm not an expert on Public key certificates, but that may get you started.
ID: 2051604 · Report as offensive     Reply Quote
Profile Jord
Volunteer tester
Avatar

Send message
Joined: 9 Jun 99
Posts: 15184
Credit: 4,362,181
RAC: 3
Netherlands
Message 2051631 - Posted: 11 Jun 2020, 22:49:46 UTC - in response to Message 2051551.  

Hm, well, Jord, when help constituted of "better shut up and switch off" suggestion I will exercise my right to freely express my point of view on such "help".
People are people and they will answer however they like to stuff posted on the internet, no matter what forums you're on. You do so as well. I'm not on forums to hold your hand when someone gets snappy about things you post. If you have a complaint, you ought to know by now how these forums work, click on the red-x at the bottom of the post and write a complaint. Then a moderator will come snoop and see if there's reason to give a kick or not.
Even if tag granted directly by you :P
The title had nothing to do with that either, or with your complaint above about a BOINC for 32bit Windows being released.
ID: 2051631 · Report as offensive     Reply Quote
Profile Raistmer
Volunteer developer
Volunteer tester
Avatar

Send message
Joined: 16 Jun 01
Posts: 6325
Credit: 106,370,077
RAC: 121
Russia
Message 2051632 - Posted: 11 Jun 2020, 23:00:13 UTC - in response to Message 2051604.  

I'm not an expert on Public key certificates, but that may get you started.

Unfortunately wiki page has no BOINC-specific info so can't answer most of questions listed abobe, but nevermind.
SETI apps news
We're not gonna fight them. We're gonna transcend them.
ID: 2051632 · Report as offensive     Reply Quote
Profile ML1
Volunteer moderator
Volunteer tester

Send message
Joined: 25 Nov 01
Posts: 20140
Credit: 7,508,002
RAC: 20
United Kingdom
Message 2051645 - Posted: 12 Jun 2020, 8:54:27 UTC - in response to Message 2051568.  

Thanks for a very good explanation surrounding the expired certificate hiccup!

Even I managed to follow that!!


Happy crunchin',
Martin
See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)
ID: 2051645 · Report as offensive     Reply Quote
Profile ML1
Volunteer moderator
Volunteer tester

Send message
Joined: 25 Nov 01
Posts: 20140
Credit: 7,508,002
RAC: 20
United Kingdom
Message 2051646 - Posted: 12 Jun 2020, 9:05:04 UTC - in response to Message 2051632.  
Last modified: 12 Jun 2020, 9:09:48 UTC

I'm not an expert on Public key certificates, but that may get you started.

Unfortunately wiki page has no BOINC-specific info so can't answer most of questions listed abobe, but nevermind.

Perhaps there is a small detail missing for understanding the connections?...


For the certificates to work for such as a https connection, the server and the client both must 'trust' a 'root' certificate. This is where the commercial "Certificate Authorities" come into play to serve out certificates that they have signed against their own trusted root certificate.

All such certificates are time limited... To limit the security risk and to maintain the monetary business!

And various client software such as web browsers and Boinc are 'hardwired' to blindly trust whatever list of certificate authorities for whatever bundle of valid certificates are listed/installed.

There are two 'jokers' with that description that do not involve paying money to whatever dubious commercial enterprise: Use "Let's Encrypt" (beautifully easy) or conjure up your own 'self-certified' certificates.


Hopefully that fills in a few missing bits in the story?

Keep searchin'!
Martin
See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)
ID: 2051646 · Report as offensive     Reply Quote
Profile Raistmer
Volunteer developer
Volunteer tester
Avatar

Send message
Joined: 16 Jun 01
Posts: 6325
Credit: 106,370,077
RAC: 121
Russia
Message 2051652 - Posted: 12 Jun 2020, 10:26:23 UTC - in response to Message 2051646.  


There are two 'jokers' with that description that do not involve paying money to whatever dubious commercial enterprise: Use "Let's Encrypt" (beautifully easy) or conjure up your own 'self-certified' certificates.


Hopefully that fills in a few missing bits in the story?

Keep searchin'!
Martin

yep, that describes how to make free from payments project free from payments.
But few other peculiarities remain: does certification used for HTTPS conenctions in BOINC? Or for smth else/addtionally?
If for HTTPS why HTTP projects were affected? If not only - where and how it improves secuirity?

Perhaps, it could solve"man in the middle" type of system compromise when client asks server for binary (for example) and recives binary from third side that catched packets exchange....

And if browsers use certificates too (and they do) strange that this type of service not OS-wide. I mean why BOINC should maintain its own certification environment and not rely on OS-wide service for that? It looks like to implement own file reading procedure for example instead of calling OS routine...
SETI apps news
We're not gonna fight them. We're gonna transcend them.
ID: 2051652 · Report as offensive     Reply Quote
Profile Keith T.
Volunteer tester
Avatar

Send message
Joined: 23 Aug 99
Posts: 962
Credit: 537,293
RAC: 9
United Kingdom
Message 2051668 - Posted: 12 Jun 2020, 14:25:42 UTC

As far as I understand it, each BOINC project is Independently Run.

So, although all projects use resources from the greater BOINC community, they are free to run their own projects in different ways, using Different revisions of BOINC server software.
They also have Different hosting providers.
I think they are expected to adhere to certain standards, but I'm not sure exactly how that is, or isn't, enforced.

This is probably why some projects, like http://www.enigmaathome.net/ and probably others, are dormant and apparently abandoned.
ID: 2051668 · Report as offensive     Reply Quote
Profile Raistmer
Volunteer developer
Volunteer tester
Avatar

Send message
Joined: 16 Jun 01
Posts: 6325
Credit: 106,370,077
RAC: 121
Russia
Message 2051669 - Posted: 12 Jun 2020, 15:59:47 UTC - in response to Message 2051668.  


This is probably why some projects, like http://www.enigmaathome.net/ and probably others, are dormant and apparently abandoned.

Maybe this particular project just completed its tasks? I think there is definitely restricted number of messages from 1942 year to provide data....
Or peoples lost interest to those messages eventually (at least those with good PCs :) ).
SETI apps news
We're not gonna fight them. We're gonna transcend them.
ID: 2051669 · Report as offensive     Reply Quote
Profile Jord
Volunteer tester
Avatar

Send message
Joined: 9 Jun 99
Posts: 15184
Credit: 4,362,181
RAC: 3
Netherlands
Message 2051689 - Posted: 12 Jun 2020, 21:51:32 UTC - in response to Message 2051652.  

If for HTTPS why HTTP projects were affected? If not only - where and how it improves secuirity?
As far as I know, no project has HTTP anymore for its connections to the client, because login information has to be sent and this has to be done securely, thus via HTTPS. Especially if a project wants to be held to the GDPR.

If you collect, store, or use the data of people in the EU, then the GDPR applies to you. And that means you may have an obligation to change the way your organization operates in some fundamental ways.

The GDPR requires “data protection by design and by default,” meaning organizations must always consider the data protection implications of any new or existing products or services. Article 5 of the GDPR lists the principles of data protection you must adhere to, including the adoption of appropriate technical measures to secure data. Encryption and pseudonymization are cited in the law as examples of technical measures you can use to minimize the potential damage in the event of a data breach.
ID: 2051689 · Report as offensive     Reply Quote
Grant (SSSF)
Volunteer tester

Send message
Joined: 19 Aug 99
Posts: 13720
Credit: 208,696,464
RAC: 304
Australia
Message 2051690 - Posted: 12 Jun 2020, 22:00:06 UTC - in response to Message 2051652.  

If for HTTPS why HTTP projects were affected? If not only - where and how it improves secuirity?
I have one system doing Rosetta using their new HTTPS address, the other system is still using their old HTTP address.
Both systems were affected by this Security Certificate issue.
Grant
Darwin NT
ID: 2051690 · Report as offensive     Reply Quote
Profile ML1
Volunteer moderator
Volunteer tester

Send message
Joined: 25 Nov 01
Posts: 20140
Credit: 7,508,002
RAC: 20
United Kingdom
Message 2051694 - Posted: 12 Jun 2020, 22:29:50 UTC - in response to Message 2051690.  
Last modified: 12 Jun 2020, 22:31:11 UTC

If for HTTPS why HTTP projects were affected? If not only - where and how it improves secuirity?
I have one system doing Rosetta using their new HTTPS address, the other system is still using their old HTTP address.
Both systems were affected by this Security Certificate issue.

I would expect regardless of a project home website using http or https, that all data transfers for the Boinc client (for downloading such as the project apps and data for example) are always done over https.


Keep searchin',
Martin
See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)
ID: 2051694 · Report as offensive     Reply Quote
Previous · 1 · 2

Message boards : Number crunching : Uploads and downloads blocked for some BOINC projects using HTTPS


 
©2024 University of California
 
SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.