Message boards : Questions and problems : Weak certificate and obsolete SSL/HTTPS settings on boinc.berkeley.edu
Message board moderation
Author | Message |
---|---|
Send message Joined: 29 Aug 10 Posts: 8 ![]() |
Hi, I've just noticed that the boinc.berkeley.edu site uses domain certificate with weak SHA1 signature and it's expiring after 2016. This effectively leads to "red untrusted strigethrough symbol" in the Chrome browser and some other browsers as well. This should be really looked into, because this takes away any trust by possible new BOINC volunteers. Also the HTTPS/TLS settings is not optimal. The server supports some very weak cipher suites like TLS_RSA_WITH_DES_CBC_SHA and also weak RC4 suites and lot of unnecessary and slow suites as well like SEED and CAMELLIA. I'd highly recommend, if possible, updating the Apache and OpenSSL libs to current version for best possible security and performance, which will eventually lead to more volunteers willing to help with BOINC scientific project. For more details see: https://www.ssllabs.com/ssltest/analyze.html?d=boinc.berkeley.edu https://wiki.mozilla.org/Security/Server_Side_TLS Thanks |
![]() Send message Joined: 29 Aug 05 Posts: 15634 ![]() |
I'd highly recommend, if possible, updating the Apache and OpenSSL libs to current version for best possible security and performance, which will eventually lead to more volunteers willing to help with BOINC scientific project. Thank you for that. At the moment the security is grade B, both for Seti@Home and the BOINC domain. Which is better than the grade C we've had for a while after the crash of the BOINC domain server. The weak certificates are an artifact of using an on-campus (Berkeley) certificate generating service which is free but obviously not perfect. It is already being looked at by the site- and network administrator, but we have to keep in mind that there is little to no money to do these certificate upgrades with. So, while a cheap certificate could cost only 49 dollars for a year, it's something that has to be paid out of the pocket of the administrator himself, not by the campus. And then times two, three, four or however many servers there are that need these in the network. |
Send message Joined: 29 Aug 10 Posts: 8 ![]() |
Domain certificates can be as cheap as zero $ / year http://www.startssl.com/ Or soon also on Let's Encrypt: https://letsencrypt.org/ Or just few $ per year https://www.ssls.com/ssl-certificates/comodo-positivessl But it depends, if you want switch to different CA or keep using the current one. There might be some apps or webs using certificate/public key pinning and these might stop working after such change. At the end we can probably all agree, that this red HTTPS that every user see right now, is not good for the project: ![]() Also regarding the B rating, it can be easily changed to A just by updating the list of supported cipher suites. The recommended list of cipher suites can be found on the Mozilla web in the link above. |
![]() Send message Joined: 29 Aug 05 Posts: 15634 ![]() |
I was wrong on stating that the certificate has to be paid by the project administrator himself. It's the UCB that pays for it. BOINC doesn't use its own web site and domain with an easy to renew certificate that can come from just about anywhere. Both BOINC and Seti use UCB servers, web-addresses, internet and resources, including their security systems and certificates. The InCommon Server CA certificate is one that is paid for and issued by the University of California at Berkeley. When it's going to be renewed, it will be renewed for the entire campus, at a rate of 15,000 dollars per year. While it's nice that browsers such as Chrome, Firefox, Pale Moon etc. show whether or not the connection is secure or not, panic strike-throughs such as Chrome uses are unnecessary. If they find the site thoroughly insecure, they'd better not allow a connection to it anymore. That was something Pale Moon did to the account page for The Elder Scrolls Online, while browsers as Firefox and Chrome allowed the connection to it -it had at the time only an RC4 encryption- Pale Moon actively blocked access to the site. Pale Moon blocks a lot of insecure sites that Chrome and Firefox allow, making you wonder how they really feel about the security of such sites. When looking at https://boinc.berkeley.edu/: Pale Moon (25.7.1) shows that the connection here is mixed mode/partially encrypted. Firefox (41.0.1) shows that I'm on a secure connection, verified by Internet2. Dolphin (11.4.21) shows I'm on a secure connection and that the certificate is valid and expires on 14/04/2017. |
Send message Joined: 29 Aug 10 Posts: 8 ![]() |
If I understand it correctly, UCB is using certificates from InCommon with some kind of yearly subscription fee. In that case is should be easy to reissue new certificate for boinc.berkeley.edu for free with SHA256 hash algorithm instead of current "insecure" SHA1, that causes the red strike-through in Chrome, because it expires after 2016. Some details about the SHA1 certificates deprecation is here: https://wiki.cac.washington.edu/display/infra/Transition+to+InCommon+SSL+Certificates+Signed+with+SHA-2 |
![]() ![]() Send message Joined: 23 Feb 08 Posts: 2516 ![]() |
In that case is should be easy to reissue new certificateexcept for the politics of the Chancellor's Office. |
![]() Send message Joined: 29 Aug 05 Posts: 15634 ![]() |
that causes the red strike-through in Chrome, because it expires after 2016. Justeminus, it only causes a panic in Chrome. Not in any of the other browser families out there. Doesn't that make you wonder why Chrome is panicking over nothing? The connection is encrypted, the certificate is still valid until April 2017. We live in October 2015, why cause a panic now? No one has yet managed to crack SHA-1. From StackExchange: No actual break involving SHA-1 and using a structural weakness of SHA-1 has been currently fully demonstrated in academic conditions, let alone in the wild. Added to that, we're not a bank. We don't sell insurance. There isn't really a need for encrypted connections to the BOINC web site, and therefore all links coming from the BOINC Manager GUI -and even when you click on that big BOINC logo to the upper right here- are to the HTTP address http://boinc.berkeley.edu/. That's the address most people will use. Only a handful of us who have set our bookmarks to HTTPS are using this connection. And of those, most will use Firefox which -as I said yesterday- shows that the connection is safe. |
Send message Joined: 29 Aug 10 Posts: 8 ![]() |
Justeminus, it only causes a panic in Chrome. Not in any of the other browser families out there. Doesn't that make you wonder why Chrome is panicking over nothing? Not just in Chrome. In Opera it shows no green lock that users associate with security. In IE11 and Edge the same, no lock indicator of secure site. Google and Chrome is here again the most proactive, marking SHA1 as insecure starting in Chrome 46 as far as I know. And if you check this, Chrome even plans sometime in year or two marking all HTTP traffic as insecure. HTTPS is not just convenience, it's about trust, especially on sites where users use name and passwords for login. Crazy number of users use the same password on most of their sites and capturing login credentials on one site can compromise lot of other online accounts. And another benefit of having HTTPS is the future support for HTTP/2 protocol, that works only via HTTPS. Apache already supports HTTP/2, nginx should have full support at the end of this year. But this discussion goes beyond my initial point. In my opinion sites (not just) with login should use properly deployed HTTPS-only, ideally with HSTS, with domain certificates that user can trust on first sight. |
Copyright © 2025 University of California.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License,
Version 1.2 or any later version published by the Free Software Foundation.