how about enabling TLS on your Assignment Servers?

If you're new to FAH and need help getting started or you have very basic questions, start here.

Moderators: Site Moderators, FAHC Science Team

bren
Posts: 4
Joined: Mon Mar 16, 2020 4:42 pm

how about enabling TLS on your Assignment Servers?

Post by bren »

from the logs, I read the client is connecting to remote servers on port 80 and 8080.
I guess it would be nice to have protocol HTTPS enabled rather than HTTP.
Could you please set it up?
Thanks
Jesse_V
Site Moderator
Posts: 2850
Joined: Mon Jul 18, 2011 4:44 am
Hardware configuration: OS: Windows 10, Kubuntu 19.04
CPU: i7-6700k
GPU: GTX 970, GTX 1080 TI
RAM: 24 GB DDR4
Location: Western Washington

Re: how about enabling TLS on your Assignment Servers?

Post by Jesse_V »

It's a good idea, but I don't see a necessity for it. There's not many secrets in the F@h data and I don't see much impact from talking to a impersonating server or a man-in-the-middle system.

F@h is also an international project and I believe that there are issues exporting cryptography to certain countries depending on export laws from the 1990s. Other countries may have issues with encrypted connections to a research lab without the ability to inspect the traffic. There's a lot of little tangles there.
F@h is now the top computing platform on the planet and nothing unites people like a dedicated fight against a common enemy. This virus affects all of us. Lets end it together.
JimboPalmer
Posts: 2522
Joined: Mon Feb 16, 2009 4:12 am
Location: Greenwood MS USA

Re: how about enabling TLS on your Assignment Servers?

Post by JimboPalmer »

The assignment servers are overloaded as is, deciding to implement Crypto on them can't possibly speed them up.
Tsar of all the Rushers
I tried to remain childlike, all I achieved was childish.
A friend to those who want no friends
lazyacevw
Posts: 35
Joined: Tue Mar 17, 2020 8:12 pm

Re: how about enabling TLS on your Assignment Servers?

Post by lazyacevw »

It should still be added to the todo list. TLS is worldwide and widely adopted. At this point, it is unclear if the AS are overloaded due to bandwidth restrictions or actual resource limitations. If someone wanted to be malicious and operate a killer bitcoin mining botnet or get hecka points, they could MITM and send their own work.
Jesse_V
Site Moderator
Posts: 2850
Joined: Mon Jul 18, 2011 4:44 am
Hardware configuration: OS: Windows 10, Kubuntu 19.04
CPU: i7-6700k
GPU: GTX 970, GTX 1080 TI
RAM: 24 GB DDR4
Location: Western Washington

Re: how about enabling TLS on your Assignment Servers?

Post by Jesse_V »

lazyacevw wrote:It should still be added to the todo list. TLS is worldwide and widely adopted. At this point, it is unclear if the AS are overloaded due to bandwidth restrictions or actual resource limitations. If someone wanted to be malicious and operate a killer bitcoin mining botnet or get hecka points, they could MITM and send their own work.
It's a good idea, I agree.

The servers are overloaded in multiple ways. Today for example they were serving about 104,000 workunits/hour, which is about 30 units/second. Workunits are maybe 10-50 MB. That's a lot of bandwidth and a lot of I/O. A few months ago they were serving about 10,000 workunits/hour.

I don't see any motivation for a man-in-the-middle attack because you can't buy anything with points. All that the attacker would be able to do is secretly submit a bunch of bad workunits, which would quite likely be caught by the server's integrity checks and resubmitted to someone else.
F@h is now the top computing platform on the planet and nothing unites people like a dedicated fight against a common enemy. This virus affects all of us. Lets end it together.
Joe_H
Site Admin
Posts: 7927
Joined: Tue Apr 21, 2009 4:41 pm
Hardware configuration: Mac Pro 2.8 quad 12 GB smp4
MacBook Pro 2.9 i7 8 GB smp2
Location: W. MA

Re: how about enabling TLS on your Assignment Servers?

Post by Joe_H »

In addition, all of the WU's and other files passed over the connections are digitally signed, so someone attempting to insert their own files would have trouble doing so. Raw IP numbers are used for many of the connections, they are harder to spoof for MITM attacks.
Image

iMac 2.8 i7 12 GB smp8, Mac Pro 2.8 quad 12 GB smp6
MacBook Pro 2.9 i7 8 GB smp3
Asgaroth
Posts: 29
Joined: Sun Dec 09, 2018 12:06 am

Re: how about enabling TLS on your Assignment Servers?

Post by Asgaroth »

Not to mention the cipher settings required to configure ssl/tls on the edge to support all the different versions of operating systems/browsers out there, may indeed defeat the purpose of enabling secure protocols in the first place seeing that there are vulnerabilities available for most security protocols excluding, for now, tls v1.3
There are two major products that came out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence.
-- Jeremy S. Anderson
cveiche
Posts: 1
Joined: Tue Mar 24, 2020 4:00 pm

Re: how about enabling TLS on your Assignment Servers?

Post by cveiche »

+1 to this.
setting up https is fairly non-invasive and has very low overhead. since the jobs and binaries (i.e., cores{dot}foldingathome{dot}org) are distributed in the clear, it seems that a mitm or dns takeover could possibly be used to take over FAHClient instances.
Abu Jazar
Posts: 1
Joined: Tue Mar 24, 2020 8:20 pm

Re: how about enabling TLS on your Assignment Servers?

Post by Abu Jazar »

+1f

Common crypto algorithms used by TLS is basically «free» on modern CPUs.

Also: TLS and work unit distribution/reception should probably be implemented on a load balancer rather than talking to each individual server. Also, port 8080 is blocked by a lot of default firewall configs. I just noticed it might be possible to report these as issues on Folding@home's GitHub, I'll look into it : ) (Can't post link because I've been quarantined, that is, by the forum, not by Covid-19).
lazyacevw
Posts: 35
Joined: Tue Mar 17, 2020 8:12 pm

Re: how about enabling TLS on your Assignment Servers?

Post by lazyacevw »

Glad there is a discussion on this. All I can say is that a few months ago before volunteer clients came on board, this whole operation was run and designed by a bunch of good hearted individuals, designed to operate lean and mean. Now that the distributed computing system has more processing power than the top 7 supercomputers in the world, combined, it may find itself of interest to nation states that it is currently spanking.
jcoffland
Site Admin
Posts: 1018
Joined: Fri Oct 10, 2008 6:42 pm
Location: Helsinki, Finland
Contact:

Re: how about enabling TLS on your Assignment Servers?

Post by jcoffland »

The Assignment Server already supports TLS/https. It's the client software that uses http.
Cauldron Development LLC
http://cauldrondevelopment.com/
ipkh
Posts: 173
Joined: Thu Jul 16, 2015 2:03 pm

Re: how about enabling TLS on your Assignment Servers?

Post by ipkh »

Port 80 just specifies that its a webserver and has nothing to do with encryption.
You connect to port 80 or 8080 if a proxy is setup on your home/office network. And then the server sets up the encryption and assigns the actual port mapping to use for further communications.
You might be confusing how other protocols, such as email, deal with encryption versus websites.
bren
Posts: 4
Joined: Mon Mar 16, 2020 4:42 pm

Re: how about enabling TLS on your Assignment Servers?

Post by bren »

jcoffland wrote:The Assignment Server already supports TLS/https.
yes I noticed it later, thanks.
But not all of them are correctly configured imho.
Take https://assign6.foldingathome.org/ for example; in the cert you can read Common Name == 128.252.203.2 rather than Common Name == FQDN which is probably a mistake.
jcoffland wrote: It's the client software that uses http.
Right, and I think it would be nice to have the option to force HTTPS over HTTP.
HaloJones
Posts: 906
Joined: Thu Jul 24, 2008 10:16 am

Re: how about enabling TLS on your Assignment Servers?

Post by HaloJones »

nothing in this world is "free". using server CPU to encrypt data costs power and achieves what exactly? this data has no value to any other party. in twenty years there has never been an attack or attempt to steal data.

you are asking for a feature that has no benefit whatsoever and would require the encryption of vast amounts of data, costing cpu cycles that cost money.
single 1070

Image
Joe_H
Site Admin
Posts: 7927
Joined: Tue Apr 21, 2009 4:41 pm
Hardware configuration: Mac Pro 2.8 quad 12 GB smp4
MacBook Pro 2.9 i7 8 GB smp2
Location: W. MA

Re: how about enabling TLS on your Assignment Servers?

Post by Joe_H »

bren wrote:Take https://assign6.foldingathome.org/ for example; in the cert you can read Common Name == 128.252.203.2 rather than Common Name == FQDN which is probably a mistake.
Where do you see assign6 used? The AS's in current use are 1 & 2, there is a redirect from assign-cpu for compatibility with older versions of the client. Last I checked same held for assign3 & assign4 addresses.
Image

iMac 2.8 i7 12 GB smp8, Mac Pro 2.8 quad 12 GB smp6
MacBook Pro 2.9 i7 8 GB smp3
Post Reply