Uploads and downloads blocked for some BOINC projects using HTTPS
Author | Message |
---|---|
Joined: 16 Jun 01 Posts: 6325 Credit: 106,370,077 RAC: 121 |
From 1 August 2021, they may be removing support for 32bit completely! So, Google refuses to support older devices?... My Evo 3D has no (AFAIK) analogs in later models at all.... SETI apps news We're not gonna fight them. We're gonna transcend them. |
Joined: 16 Jun 01 Posts: 6325 Credit: 106,370,077 RAC: 121 |
the specific complexities of developing for Android and the Play Store. AFAIK it's still possible to install apk (even on non-rooted phones) "manually" (that is, to download it from let's say boinc.edu, not from Play Store). Could such distribution simplify the process of package construction (for example, separate x86 and x64 packs even if Play Store asks for single bundle)?... SETI apps news We're not gonna fight them. We're gonna transcend them. |
Richard Haselgrove Joined: 4 Jul 99 Posts: 14686 Credit: 200,643,578 RAC: 874 |
Still have no clear picture. Why some projects affected and some not? That could mean smth could be done on SERVER side, not client side - and this is my main point. Each project - each sponsoring body, whether it be a university, commercial firm, or private individual - will have to have applied for and been granted a server certificate appertaining to the domain name they wish to use. That's a free choice by each project, and they will have gone down different pathways, paid their money to different certification authorities. For a connection to be established, there has to be a recognition and trust bond between the client and the server - a matching pair. BOINC tries to ensure this by supplying a bundle of certificates, on the basis of "at least one of these ought to work" for all of the popular server certifying authorities. One of the certificates in the client bundle expired. There was already a replacement certificate in the bundle, and the client should have kept on trying, past the failed certificate, and found the replacement. But the BOINC client doesn't do certification management itself. It's outsourced that to curl (for communication in general) and OpenSSL (for security). And the Windows version of BOINC is using an old version of OpenSSL with a bug in it. That old OpenSSL version barfed on the expired certificate, and gave up, instead of checking further into the bundle. So we have an unholy mess contributed to by a constellation of different server certificates; an expired client certificate; and buggy (imported) software. Fixing (or at least working round) the mess can be done by fixing any one of those things. For us, we can regain connections by individually fixing our client bundles: it took us about four hours on a Saturday afternoon to work that out. For the projects (and hence all their volunteers, not just the savvy ones), they can regain connections by changing their server certificates. 
Two managed that quite quickly, a third is still struggling. For BOINC, they could (and should) update to a newer OpenSSL library which has the bug patched. This was already in place for the Mac platform, but not for Windows (although an updated library has been available for a while). "Shooting the messenger" means attributing the cause of the three-way mess to "Help desk experts", rather than giving us our proper role as two-way messengers. Is that better? |
Joined: 16 Jun 01 Posts: 6325 Credit: 106,370,077 RAC: 121 |
Still have no clear picture. Why some projects affected and some not? That could mean smth could be done on SERVER side, not client side - and this is my main point. Each project - each sponsoring body, whether it be a university, commercial firm, or private individual - will have to have applied for and been granted a server certificate appertaining to the domain name they wish to use. That's a free choice by each project, and they will have gone down different pathways, paid their money to different certification authorities. So, for server-side fix one should look into BOINC-client certificate file, see in what order certificates listed there, select authority listed before expired one (separate question - why do they expire at all?) pay to that authority to get new server-side key from it and then update their servers. Is this sequence correct? And what will be at time all those certificates expire? Internet ended? And in what part this certificate-based thing improved security? We definitely know that arbitrary software can be put into project folder for BOINC client to launch it as project app....
As I said I understand meaning, but it still not the case. If you relook that thread for sequence of messages you could see it (where issue discussed, where discussion switched to reaction on particular response). SETI apps news We're not gonna fight them. We're gonna transcend them. |
Joined: 16 Jun 01 Posts: 6325 Credit: 106,370,077 RAC: 121 |
Each project - each sponsoring body, whether it be a university, commercial firm, or private individual And could you explain this little more. Let's say I want to create own BOINC-based DC project. I downloaded free sources, build them, installed server. Created own project web site on free hoster (or on own hardware). Placed BOINC client binaries (or provide link to them) for expected participants to download and install. And then, after all that free of payments part I should pay for smth not related with all above at all? Or that certificate-thingy is optional one? SETI apps news We're not gonna fight them. We're gonna transcend them. |
Richard Haselgrove Joined: 4 Jul 99 Posts: 14686 Credit: 200,643,578 RAC: 874 |
I'm not an expert on Public key certificates, but that may get you started. |
Joined: 9 Jun 99 Posts: 15184 Credit: 4,362,181 RAC: 3 |
Hm, well, Jord, when help constituted of "better shut up and switch off" suggestion I will exercise my right to freely express my point of view on such "help". People are people and they will answer however they like to stuff posted on the internet, no matter what forums you're on. You do so as well. I'm not on forums to hold your hand when someone gets snappy about things you post. If you have a complaint, you ought to know by now how these forums work, click on the red-x at the bottom of the post and write a complaint. Then a moderator will come snoop and see if there's reason to give a kick or not. Even if tag granted directly by you :P The title had nothing to do with that either, or with your complaint above about a BOINC for 32bit Windows being released. |
Joined: 16 Jun 01 Posts: 6325 Credit: 106,370,077 RAC: 121 |
I'm not an expert on Public key certificates, but that may get you started. Unfortunately wiki page has no BOINC-specific info so can't answer most of questions listed above, but never mind. SETI apps news We're not gonna fight them. We're gonna transcend them. |
Joined: 25 Nov 01 Posts: 21536 Credit: 7,508,002 RAC: 20 |
Thanks for a very good explanation surrounding the expired certificate hiccup! Even I managed to follow that!! Happy crunchin', Martin See new freedom: Mageia Linux Take a look for yourself: Linux Format The Future is what We all make IT (GPLv3) |
Joined: 25 Nov 01 Posts: 21536 Credit: 7,508,002 RAC: 20 |
I'm not an expert on Public key certificates, but that may get you started. Perhaps there is a small detail missing for understanding the connections?... For the certificates to work for such as a https connection, the server and the client both must 'trust' a 'root' certificate. This is where the commercial "Certificate Authorities" come into play to serve out certificates that they have signed against their own trusted root certificate. All such certificates are time limited... To limit the security risk and to maintain the monetary business! And various client software such as web browsers and Boinc are 'hardwired' to blindly trust whatever list of certificate authorities for whatever bundle of valid certificates are listed/installed. There are two 'jokers' with that description that do not involve paying money to whatever dubious commercial enterprise: Use "Let's Encrypt" (beautifully easy) or conjure up your own 'self-certified' certificates. Hopefully that fills in a few missing bits in the story? Keep searchin'! Martin See new freedom: Mageia Linux Take a look for yourself: Linux Format The Future is what We all make IT (GPLv3) |
Joined: 16 Jun 01 Posts: 6325 Credit: 106,370,077 RAC: 121 |
yep, that describes how to make free from payments project free from payments. But few other peculiarities remain: does certification used for HTTPS connections in BOINC? Or for smth else/additionally? If for HTTPS why HTTP projects were affected? If not only - where and how it improves security? Perhaps, it could solve "man in the middle" type of system compromise when client asks server for binary (for example) and receives binary from third side that caught packets exchange.... And if browsers use certificates too (and they do) strange that this type of service not OS-wide. I mean why BOINC should maintain its own certification environment and not rely on OS-wide service for that? It looks like to implement own file reading procedure for example instead of calling OS routine... SETI apps news We're not gonna fight them. We're gonna transcend them. |
Joined: 23 Aug 99 Posts: 962 Credit: 537,293 RAC: 9 |
As far as I understand it, each BOINC project is Independently Run. So, although all projects use resources from the greater BOINC community, they are free to run their own projects in different ways, using Different revisions of BOINC server software. They also have Different hosting providers. I think they are expected to adhere to certain standards, but I'm not sure exactly how that is, or isn't, enforced. This is probably why some projects, like http://www.enigmaathome.net/ and probably others, are dormant and apparently abandoned. |
Joined: 16 Jun 01 Posts: 6325 Credit: 106,370,077 RAC: 121 |
Maybe this particular project just completed its tasks? I think there is definitely restricted number of messages from 1942 year to provide data.... Or people lost interest in those messages eventually (at least those with good PCs :) ). SETI apps news We're not gonna fight them. We're gonna transcend them. |
Joined: 9 Jun 99 Posts: 15184 Credit: 4,362,181 RAC: 3 |
If for HTTPS why HTTP projects were affected? If not only - where and how it improves security? As far as I know, no project has HTTP anymore for its connections to the client, because login information has to be sent and this has to be done securely, thus via HTTPS. Especially if a project wants to be held to the GDPR. If you collect, store, or use the data of people in the EU, then the GDPR applies to you. And that means you may have an obligation to change the way your organization operates in some fundamental ways. |
Grant (SSSF) Joined: 19 Aug 99 Posts: 13882 Credit: 208,696,464 RAC: 304 |
If for HTTPS why HTTP projects were affected? If not only - where and how it improves security? I have one system doing Rosetta using their new HTTPS address, the other system is still using their old HTTP address. Both systems were affected by this Security Certificate issue. Grant Darwin NT |
Joined: 25 Nov 01 Posts: 21536 Credit: 7,508,002 RAC: 20 |
If for HTTPS why HTTP projects were affected? If not only - where and how it improves security? I have one system doing Rosetta using their new HTTPS address, the other system is still using their old HTTP address. I would expect regardless of a project home website using http or https, that all data transfers for the Boinc client (for downloading such as the project apps and data for example) are always done over https. Keep searchin', Martin See new freedom: Mageia Linux Take a look for yourself: Linux Format The Future is what We all make IT (GPLv3) |
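
The failure mode Richard Haselgrove describes in the thread (an old verifier that stops at an expired bundle entry instead of finding the replacement) and the three ways out of it, as an added example that is not part of the thread and is not BOINC, curl or OpenSSL code. It is a simplified model of chain building: certificate names and dates are constructed, issuers are matched by name only, and no signatures are checked.

```python
from datetime import date

NOW = date(2021, 10, 2)  # constructed "today", just after the old root expired

def cert(subject, issuer, not_after):
    return {"subject": subject, "issuer": issuer, "not_after": not_after}

# Constructed names and dates (assumptions, not taken from the thread).
OLD_ROOT = cert("Old Root", "Old Root", date(2021, 9, 30))  # expired bundle entry
NEW_ROOT = cert("New Root", "New Root", date(2035, 1, 1))   # replacement, also in bundle
LEAF = cert("project.example", "Intermediate", date(2021, 12, 1))
INTER = cert("Intermediate", "New Root", date(2025, 1, 1))
CROSS = cert("New Root", "Old Root", date(2024, 1, 1))      # New Root cross-signed by Old Root

def find(bundle, name):
    # Simplified issuer lookup: match on subject name only.
    return next((c for c in bundle if c["subject"] == name), None)

def verify_legacy(chain, bundle, now=NOW):
    """Follow every server-sent cert first; shorten the path only if NO anchor is found."""
    path = list(chain)
    while path:
        anchor = find(bundle, path[-1]["issuer"])
        if anchor is not None:
            # An anchor exists, so its validity decides; no other path is tried.
            return all(c["not_after"] >= now for c in path + [anchor])
        path.pop()
    return False

def verify_trusted_first(chain, bundle, now=NOW):
    """At each step, stop as soon as the bundle holds a still-valid issuer."""
    path = []
    for c in chain:
        path.append(c)
        anchor = find(bundle, c["issuer"])
        if anchor is not None and anchor["not_after"] >= now:
            return all(p["not_after"] >= now for p in path)
    return False

def scenarios():
    bundle = [OLD_ROOT, NEW_ROOT]
    full = [LEAF, INTER, CROSS]  # what the server sends
    return {
        "old library, bundle as shipped": verify_legacy(full, bundle),
        "client fix: expired entry removed": verify_legacy(full, [NEW_ROOT]),
        "server fix: chain avoids old root": verify_legacy([LEAF, INTER], bundle),
        "library fix: trusted-first": verify_trusted_first(full, bundle),
    }
```

Only the first scenario fails, which is why a project could restore connections from the server side while individual volunteers could do the same by editing their bundle.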