how about enabling TLS on your Assignment Servers?
From the logs, I read that the client is connecting to remote servers on ports 80 and 8080.
I guess it would be nice to have the HTTPS protocol enabled rather than HTTP.
Could you please set it up?
Thanks
Re: how about enabling TLS on your Assignment Servers?
It's a good idea, but I don't see a necessity for it. There are not many secrets in the F@h data and I don't see much impact from talking to an impersonating server or a man-in-the-middle system.
F@h is also an international project and I believe that there are issues exporting cryptography to certain countries depending on export laws from the 1990s. Other countries may have issues with encrypted connections to a research lab without the ability to inspect the traffic. There's a lot of little tangles there.
F@h is now the top computing platform on the planet and nothing unites people like a dedicated fight against a common enemy. This virus affects all of us. Let's end it together.
Re: how about enabling TLS on your Assignment Servers?
The assignment servers are overloaded as it is; deciding to implement crypto on them can't possibly speed them up.
Tsar of all the Rushers
I tried to remain childlike, all I achieved was childish.
A friend to those who want no friends
Re: how about enabling TLS on your Assignment Servers?
It should still be added to the todo list. TLS is worldwide and widely adopted. At this point, it is unclear if the AS are overloaded due to bandwidth restrictions or actual resource limitations. If someone wanted to be malicious and operate a killer bitcoin mining botnet or get hecka points, they could MITM and send their own work.
Re: how about enabling TLS on your Assignment Servers?
lazyacevw wrote: It should still be added to the todo list. TLS is worldwide and widely adopted. At this point, it is unclear if the AS are overloaded due to bandwidth restrictions or actual resource limitations. If someone wanted to be malicious and operate a killer bitcoin mining botnet or get hecka points, they could MITM and send their own work.
It's a good idea, I agree.
The servers are overloaded in multiple ways. Today for example they were serving about 104,000 workunits/hour, which is about 30 units/second. Workunits are maybe 10-50 MB. That's a lot of bandwidth and a lot of I/O. A few months ago they were serving about 10,000 workunits/hour.
I don't see any motivation for a man-in-the-middle attack because you can't buy anything with points. All that the attacker would be able to do is secretly submit a bunch of bad workunits, which would quite likely be caught by the server's integrity checks and resubmitted to someone else.
Re: how about enabling TLS on your Assignment Servers?
In addition, all of the WUs and other files passed over the connections are digitally signed, so someone attempting to insert their own files would have trouble doing so. Raw IP numbers are used for many of the connections; they are harder to spoof for MITM attacks.
iMac 2.8 i7 12 GB smp8, Mac Pro 2.8 quad 12 GB smp6
MacBook Pro 2.9 i7 8 GB smp3
Re: how about enabling TLS on your Assignment Servers?
Not to mention that the cipher settings required to configure SSL/TLS on the edge to support all the different versions of operating systems/browsers out there may indeed defeat the purpose of enabling secure protocols in the first place, seeing that there are vulnerabilities available for most security protocols excluding, for now, TLS v1.3.
There are two major products that came out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence.
-- Jeremy S. Anderson
Re: how about enabling TLS on your Assignment Servers?
+1 to this.
Setting up HTTPS is fairly non-invasive and has very low overhead. Since the jobs and binaries (i.e., cores{dot}foldingathome{dot}org) are distributed in the clear, it seems that a MITM or DNS takeover could possibly be used to take over FAHClient instances.
Re: how about enabling TLS on your Assignment Servers?
+1
Common crypto algorithms used by TLS are basically «free» on modern CPUs.
Also: TLS and work unit distribution/reception should probably be implemented on a load balancer rather than talking to each individual server. Also, port 8080 is blocked by a lot of default firewall configs. I just noticed it might be possible to report these as issues on Folding@home's GitHub, I'll look into it : ) (Can't post link because I've been quarantined, that is, by the forum, not by Covid-19).
Re: how about enabling TLS on your Assignment Servers?
Glad there is a discussion on this. All I can say is that a few months ago, before volunteer clients came on board, this whole operation was run and designed by a bunch of good-hearted individuals, designed to operate lean and mean. Now that the distributed computing system has more processing power than the top 7 supercomputers in the world, combined, it may find itself of interest to nation states that it is currently spanking.
Re: how about enabling TLS on your Assignment Servers?
The Assignment Server already supports TLS/https. It's the client software that uses http.
Cauldron Development LLC
http://cauldrondevelopment.com/
Re: how about enabling TLS on your Assignment Servers?
Port 80 just specifies that it's a webserver and has nothing to do with encryption.
You connect to port 80 or 8080 if a proxy is set up on your home/office network. And then the server sets up the encryption and assigns the actual port mapping to use for further communications.
You might be confusing how other protocols, such as email, deal with encryption versus websites.
Re: how about enabling TLS on your Assignment Servers?
jcoffland wrote: The Assignment Server already supports TLS/https.
Yes, I noticed it later, thanks.
But not all of them are correctly configured imho.
Take https://assign6.foldingathome.org/ for example; in the cert you can read Common Name == 128.252.203.2 rather than Common Name == FQDN which is probably a mistake.
jcoffland wrote: It's the client software that uses http.
Right, and I think it would be nice to have the option to force HTTPS over HTTP.
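The mismatch bren describes, a certificate whose only name is an IP address, is exactly what makes a client that connects by FQDN reject the handshake. The hostname-matching logic below reproduces that check offline. It is an added example, not code from the thread or from the Folding@home client; the certificate dicts are constructed stand-ins shaped like `ssl.SSLSocket.getpeercert()` output, and `assign6.example.org` is a placeholder name.

```python
import ipaddress

# Constructed stand-ins shaped like ssl.SSLSocket.getpeercert() output.
# assign6.example.org is a placeholder, not the thread's real hostname.
CERT_CN_IP_ONLY = {            # what bren describes: CN is an IP, no SAN
    "subject": ((("commonName", "128.252.203.2"),),),
}
CERT_WITH_FQDN = {             # the shape that validates when connecting by name
    "subject": ((("commonName", "assign6.example.org"),),),
    "subjectAltName": (("DNS", "assign6.example.org"),
                       ("IP Address", "128.252.203.2")),
}


def _as_ip(text):
    """Return an ipaddress object if `text` is an IP literal, else None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _dns_match(pattern, host):
    """RFC 6125-style DNS-ID match: case-insensitive, one wildcard allowed
    only as the entire leftmost label, never matching across dots."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or "*" in ".".join(p_labels[1:]) or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches(cert, target):
    """Return (ok, reason): does `cert` identify `target` (hostname or IP literal)?
    SAN entries are authoritative; the CN is consulted only when the certificate
    carries no SAN at all, mirroring RFC 6125 / OpenSSL's default behaviour."""
    names = list(cert.get("subjectAltName", ()))
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(("IP Address" if _as_ip(value) else "DNS", value))
    target_ip = _as_ip(target)
    for kind, value in names:
        if target_ip is not None and kind == "IP Address" and _as_ip(value) == target_ip:
            return True, "IP name %s matches" % value
        if target_ip is None and kind == "DNS" and _dns_match(value, target):
            return True, "DNS name %s matches" % value
    return False, "names %s do not cover %r" % ([v for _, v in names], target)
```

Run `cert_matches(CERT_CN_IP_ONLY, "assign6.example.org")` to see the rejection a name-based client would produce, and the same certificate accepted when the client dials the IP literal instead.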
Re: how about enabling TLS on your Assignment Servers?
Nothing in this world is "free". Using server CPU to encrypt data costs power and achieves what exactly? This data has no value to any other party. In twenty years there has never been an attack or attempt to steal data.
You are asking for a feature that has no benefit whatsoever and would require the encryption of vast amounts of data, costing CPU cycles that cost money.
single 1070
Re: how about enabling TLS on your Assignment Servers?
bren wrote: Take https://assign6.foldingathome.org/ for example; in the cert you can read Common Name == 128.252.203.2 rather than Common Name == FQDN which is probably a mistake.
Where do you see assign6 used? The AS's in current use are 1 & 2; there is a redirect from assign-cpu for compatibility with older versions of the client. Last I checked, the same held for the assign3 & assign4 addresses.