mersenneforum.org  

Old 2017-02-01, 14:20   #23
swl551
 
Why?

Okay so there is a project underway to move the site to SSL or improve security. Fetching work and submitting work for misfit does not require you to authenticate only to pass in your user ID. This would of course mean that people's work can be compromised by some jerk face. So unless there's Authentication for fetching work by user ID and password and authentication for submitting completed work I don't see the point.
Old 2017-02-01, 20:17   #24
chalsall
"Chris Halsall"

Quote:
Originally Posted by swl551
So unless there's Authentication for fetching work by user ID and password and authentication for submitting completed work I don't see the point.
The "wild wobbly web" is moving to SSL.

There is probably no real value in moving Prime95/mprime/MISFIT clients to SSL since the password is not revealed during exchanges, and there are going to be many clients which were "fired and forgotten" years ago. So simple cleartext exchanges will have to continue to be supported (or, some "firepower" will be lost).

On the other hand, there's no real downside in implementing SSL for new deployments.

At the end of the day, this is mostly about the "human users" accessing the site, where both the Username and Password are passed in (effectively) cleartext (there's sometimes a little bit of obfuscation done on the password, but it's easily reversible).

P.S. A learning experience for me... While GPU72 has supported SSL for many years, I tried implementing "Digest" rather than "Basic" authentication quite some time ago. Many people complained because their browsers "remembered the password" (they didn't), but the browsers didn't bother trying the same password across the two different Auth methods.
Old 2017-02-01, 20:33   #25
swl551
 

Well, my task was to move MISFIT to HTTPS for the mersenne.org site and it appears to be working.

Scott
Old 2017-02-01, 22:35   #26
chalsall
"Chris Halsall"

Quote:
Originally Posted by swl551
Well, my task was to move MISFIT to HTTPS for the mersenne.org site and it appears to be working.
We sincerely thank you for that.

Providing a free tool or service is quite possibly the hardest thing any developer can do. And you have done it well.
Old 2017-02-01, 22:55   #27
kladner
 
"Kieren"

Quote:
Originally Posted by chalsall
We sincerely thank you for that.

Providing a free tool or service is quite possibly the hardest thing any developer can do. And you have done it well.
+1!
Old 2017-02-01, 23:40   #28
chalsall
"Chris Halsall"

Quote:
Originally Posted by kladner
+1!
I believe the follow-up is "this should be jolly good fun".
Old 2017-02-02, 03:01   #29
swl551
 

Thanks for the recognition. I like that we did all the work when I had the time and we have a stable utility that doesn't require constant patching and such.


Has anyone else done any testing of MISFIT 2.11.0?

Last fiddled with by swl551 on 2017-02-02 at 03:02
Old 2017-02-02, 07:26   #30
Madpoo

Quote:
Originally Posted by chalsall
The "wild wobbly web" is moving to SSL.
...
At the end of the day, this is mostly about the "human users" accessing the site, where both the Username and Password are passed in (effectively) cleartext (there's sometimes a little bit of obfuscation done on the password, but it's easily reversible).
The SSL'ification of the site was discussed between George and myself a couple years back, I think when the new server got dropped into place.

What spurred me into action recently was the fact that my corporate IT folks had set up some rules to find "leaking" security info going out the firewall and they flagged when I logged into the server from my work machine.

Heck, it wouldn't have even been so bad if the form data being posted wasn't "username" and "password" which made it even more obvious what it was doing. You can see it for yourself, it's not hidden... it's part of the code on each page if you're not logged in, there's a <form method="post"> right there.

Anyway, they emailed to confirm I had meant to do that (and not some rogue bot on our network), to which I sheepishly replied "yup". Then they further asked me "and your username was XX and your password was YY" to which I even more sheepishly replied "yup".

So, it's bad enough to know a MITM scan can grab that, but then to see it happen (at least it was my own company, not some random person on a public wifi, which I would never actually use, I'm not insane) makes it hit home.

So... for the price of $10 for a 3 year certificate, it's actually a very cheap way to make sure all is well. The prices of certs have definitely come WAY down. That's probably what kept us from doing it a couple years back.

My first thought was "just POST the form to https" but then you don't see the site is secure when you're entering your password... unless you're really technical you wouldn't know it was secure when you hit "log in". And there's really no good reason NOT to secure the whole site... not anymore.

I hope that explains the rationale more. It really wasn't an arbitrary decision.
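What Madpoo's corporate egress rule did, as an added example: parse a cleartext HTTP POST and flag form fields whose names give away a login. This is illustration code, not mersenne.org's and not any firewall or DLP product; the captured request, host name and account in it are constructed for the demo. It also shows the one design choice the story argues for: the alert should carry the field name and a masked length, not the secret itself, since alerts get mailed around.

```python
"""Spotting credentials in a cleartext HTTP login POST.

Added example with a constructed capture; no real account.
"""
from urllib.parse import parse_qsl

# Field names a rule like the one described would match. The mersenne.org
# form used "username" and "password" literally, which is what made it obvious.
USER_FIELDS = {"username", "user", "login", "email"}
SECRET_FIELDS = {"password", "passwd", "pass", "pwd"}

# Constructed capture of a login POST seen on port 80. In a real deployment
# the bytes come from a tap, a proxy log or a pcap.
SAMPLE_CAPTURE = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: www.example.org\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 38\r\n"
    b"\r\n"
    b"username=alice&password=hunter2%21&x=1"
)


def parse_http_request(raw: bytes) -> tuple[str, str, dict, bytes]:
    """Minimal HTTP/1.1 request parser: (method, target, headers, body)."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: dict = {}
    for line in lines[1:]:
        name, _colon, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return method, target, headers, body[:length]


def find_leaked_credentials(raw: bytes, port: int = 80, redact: bool = True) -> list[dict]:
    """One finding per credential-looking form field sent without TLS.

    port: TCP port the segment was captured on. On 443 a passive tap sees
    TLS records, not HTTP, so there is nothing to parse (assumption: 443
    carries TLS; odd ports would need protocol detection instead).
    redact: mask the secret in the alert itself (the alert is what gets
    quoted back to the user by e-mail).
    """
    if port == 443:
        return []
    method, target, headers, body = parse_http_request(raw)
    if method != "POST":
        return []
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return []
    findings = []
    for name, value in parse_qsl(body.decode("utf-8", "replace"), keep_blank_values=True):
        key = name.lower()
        if key in USER_FIELDS:
            kind = "username"
        elif key in SECRET_FIELDS:
            kind = "password"
        else:
            continue
        if kind == "password" and redact:
            value = "*" * len(value)
        findings.append({"host": headers.get("host", "?"), "path": target,
                         "field": name, "kind": kind, "value": value})
    return findings


if __name__ == "__main__":
    for finding in find_leaked_credentials(SAMPLE_CAPTURE):
        print(finding)
```

The rule only ever fires on port 80, which is the practical argument for Madpoo's conclusion: posting just the form to an https URL leaves the page carrying the form served in the clear, where the same vantage point that reads the POST can rewrite the form's action, while serving the whole site over HTTPS leaves the tap with nothing to parse.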
Old 2017-02-02, 17:38   #31
chalsall
"Chris Halsall"

Quote:
Originally Posted by Madpoo
So, it's bad enough to know a MITM scan can grab that, but then to see it happen (at least it was my own company, not some random person on a public wifi, which I would never actually use, I'm not insane) makes it hit home.
Yeah. Unfortunately people don't really know just how insecure things can be. This is just one reason why passwords should never be reused.

Two points:

1. I try to use passphrases rather than passwords. Greater entropy, and easier to remember.

1.1. Interestingly, many sites limit password lengths to 16 characters.

2. I once did a small project for the United Nations. I had to spend about an hour filling out a multi-page SSL enabled web form where they wanted to know absolutely everything about me -- including my height, weight, blood-type, eye-color and penis length (I'm only half joking).

2.1. The punchline was they almost didn't retain me because I didn't have a degree, but sent back to me my submitted Username and Password in cleartext in a confirmation email "in case I forgot" what I had submitted.

True story.
Old 2017-02-02, 19:55   #32
Mark Rose
 

As soon as I see a length limit on a password I know it's being stored insecurely.
Old 2017-02-02, 20:14   #33
chalsall
"Chris Halsall"

Quote:
Originally Posted by Mark Rose
As soon as I see a length limit on a password I know it's being stored insecurely.
Yup.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.
A copy of the license is included in the FAQ.