how about enabling TLS on your Assignment Servers?

If you're new to FAH and need help getting started or you have very basic questions, start here.

Moderators: Site Moderators, FAHC Science Team

lazyacevw
Posts: 35
Joined: Tue Mar 17, 2020 8:12 pm

Re: how about enabling TLS on your Assignment Servers?

Post by lazyacevw »

HaloJones wrote:nothing in this world is "free". using server CPU to encrypt data costs power and achieves what exactly? this data has no value to any other party. in twenty years there has never been an attack or attempt to steal data.

you are asking for a feature that has no benefit whatsoever and would require the encryption of vast amounts of data, costing cpu cycles that cost money.
Your computer is using CPU cycles to encrypt and decrypt this webpage. Every other computer in the world does too thousands of times a day and you don't see anyone complaining about wasting money. Your "no benefit whatsoever" claim is greatly flawed. Take a cybersecurity class or something.
Frogging101
Posts: 78
Joined: Wed Mar 25, 2020 2:39 am
Location: Canada

Re: how about enabling TLS on your Assignment Servers?

Post by Frogging101 »

Joe_H wrote:In addition, all of the WU's and other files passed over the connections are digitally signed, so someone attempting to insert their own files would have trouble doing so. Raw IP numbers are used for many of the connections, they are harder to spoof for MITM attacks.
This is the important fact that all the "+1" commenters have ignored. Input data cannot be altered or replaced in transit and still be accepted by the client unless the attacker somehow has the private signing key. This also means that the cryptographic processing overhead only has to be paid once when the work unit is signed, rather than every single time that it is requested from the work server. You can say the overhead is negligible, but it is not zero, and it could potentially be significant when multiplied by the number of simultaneous requests.
bren
Posts: 4
Joined: Mon Mar 16, 2020 4:42 pm

Re: how about enabling TLS on your Assignment Servers?

Post by bren »

Joe_H wrote:
bren wrote:Take https://assign6.foldingathome.org/ for example; in the cert you can read Common Name == 128.252.203.2 rather than Common Name == FQDN which is probably a mistake.
Where do you see assign6 used? The AS's in current use are 1 & 2, there is a redirect from assign-cpu for compatibility with older versions of the client. Last I checked same held for assign3 & assign4 addresses.
just went by while checking dns records of *.foldingathome.org. I noticed https://assign6.foldingathome.org/ is responding with a weird certificate
FoldingFodder
Posts: 44
Joined: Sat Apr 04, 2020 6:07 pm

Re: how about enabling TLS on your Assignment Servers?

Post by FoldingFodder »

Could the F@H client be used to compute other things, such as crypto-currencies?

I wonder if OP is concerned that someone could hijack F@H clients for something like crypto mining where it does have a monetary value. Just like they did a few years ago with crypto mining JS scripts on websites.
PantherX
Site Moderator
Posts: 6986
Joined: Wed Dec 23, 2009 9:33 am
Hardware configuration: V7.6.21 -> Multi-purpose 24/7
Windows 10 64-bit
CPU:2/3/4/6 -> Intel i7-6700K
GPU:1 -> Nvidia GTX 1080 Ti
§
Retired:
2x Nvidia GTX 1070
Nvidia GTX 675M
Nvidia GTX 660 Ti
Nvidia GTX 650 SC
Nvidia GTX 260 896 MB SOC
Nvidia 9600GT 1 GB OC
Nvidia 9500M GS
Nvidia 8800GTS 320 MB

Intel Core i7-860
Intel Core i7-3840QM
Intel i3-3240
Intel Core 2 Duo E8200
Intel Core 2 Duo E6550
Intel Core 2 Duo T8300
Intel Pentium E5500
Intel Pentium E5400
Location: Land Of The Long White Cloud
Contact:

Re: how about enabling TLS on your Assignment Servers?

Post by PantherX »

FoldingFodder wrote:Could the F@H client be used to compute other things, such as crypto-currencies?..
FAHClient doesn't do any processing of WUs. The FAHCore does it. FAHClient sends data to FAHCore and uploads/downloads WUs. FAHControl is the GUI version (with more details) which interacts with FAHClient.
ETA:
Now ↞ Very Soon ↔ Soon ↔ Soon-ish ↔ Not Soon ↠ End Of Time

Welcome To The F@H Support Forum Ӂ Troubleshooting Bad WUs Ӂ Troubleshooting Server Connectivity Issues
FoldingFodder
Posts: 44
Joined: Sat Apr 04, 2020 6:07 pm

Re: how about enabling TLS on your Assignment Servers?

Post by FoldingFodder »

PantherX wrote:
FoldingFodder wrote:Could the F@H client be used to compute other things, such as crypto-currencies?..
FAHClient doesn't do any processing of WUs. The FAHCore does it. FAHClient sends data to FAHCore and uploads/downloads WUs. FAHControl is the GUI version (with more details) which interacts with FAHClient.
This is semantics - remember this is in the noob section and at least some of the people here don't know the F@H terms - me included.

Let me reword...

Could the client side F@H software be used to compute other things, such as crypto-currencies?
uyaem
Posts: 219
Joined: Sat Mar 21, 2020 7:35 pm
Location: Esslingen, Germany

Re: how about enabling TLS on your Assignment Servers?

Post by uyaem »

Uneducated guess, since i'm just a regular user and this is highly specialized towards the subject of dealing with large protein molecules:
No.
Image
CPU: Ryzen 9 3900X (1x21 CPUs) ~ GPU: nVidia GeForce GTX 1660 Super (Asus)
Frogging101
Posts: 78
Joined: Wed Mar 25, 2020 2:39 am
Location: Canada

Re: how about enabling TLS on your Assignment Servers?

Post by Frogging101 »

lazyacevw wrote: Your computer is using CPU cycles to encrypt and decrypt this webpage. Every other computer in the world does too thousands of times a day and you don't see anyone complaining about wasting money. Your "no benefit whatsoever" claim is greatly flawed. Take a cybersecurity class or something.
Unless there's a credible threat model that isn't already addressed by the cryptographic signatures that are used already, I would say that adopting TLS is pointless. It would complicate the servers (certificate management and configuration), client (adds a dependency on a TLS library), and add overhead to each and every request that the server receives (session negotiation, key exchange, and encryption/decryption).

In order to argue that the costs are outweighed by the benefits, one needs to be able to specify what problems it would solve.
Tohya
Posts: 48
Joined: Thu Feb 07, 2008 12:41 am

Re: how about enabling TLS on your Assignment Servers?

Post by Tohya »

FoldingFodder wrote:
This is semantics - remember this is in the noob section and at least some of the people here don't know the F@H terms - me included.

Let me reword...

Could the client side F@H software be used to compute other things, such as crypto-currencies?
Short answer is no.

Long answer, it would require a modified client and a custom core capable of doing the work.
bren
Posts: 4
Joined: Mon Mar 16, 2020 4:42 pm

Re: how about enabling TLS on your Assignment Servers?

Post by bren »

Frogging101 wrote:Unless there's a credible threat model that isn't already addressed by the cryptographic signatures that are used already, I would say that adopting TLS is pointless. It would complicate the servers (certificate management and configuration), client (adds a dependency on a TLS library), and add overhead to each and every request that the server receives (session negotiation, key exchange, and encryption/decryption).

In order to argue that the costs are outweighed by the benefits, one needs to be able to specify what problems it would solve.
Yes, I dunno what could go wrong. I just thought about this with a firewall administrator mindset.
I would allow what I know and drop what I don't
rather than drop what I know and allow any
PantherX
Site Moderator
Posts: 6986
Joined: Wed Dec 23, 2009 9:33 am
Hardware configuration: V7.6.21 -> Multi-purpose 24/7
Windows 10 64-bit
CPU:2/3/4/6 -> Intel i7-6700K
GPU:1 -> Nvidia GTX 1080 Ti
§
Retired:
2x Nvidia GTX 1070
Nvidia GTX 675M
Nvidia GTX 660 Ti
Nvidia GTX 650 SC
Nvidia GTX 260 896 MB SOC
Nvidia 9600GT 1 GB OC
Nvidia 9500M GS
Nvidia 8800GTS 320 MB

Intel Core i7-860
Intel Core i7-3840QM
Intel i3-3240
Intel Core 2 Duo E8200
Intel Core 2 Duo E6550
Intel Core 2 Duo T8300
Intel Pentium E5500
Intel Pentium E5400
Location: Land Of The Long White Cloud
Contact:

Re: how about enabling TLS on your Assignment Servers?

Post by PantherX »

bren wrote:...I just thought about this with a firewall administrator mindset.
I would allow what I know and drop what I don't
rather than drop what I know and allow any
My take is what's the target audience of F@H... it is home users. How many home users have a dedicated hardware firewall? I would say not a lot.

However, my opinion is security done well with a plan (to implement, test, maintain and upgrade) is always much better than a security plan thrown at the last second or done for the sake of a check-box.
ETA:
Now ↞ Very Soon ↔ Soon ↔ Soon-ish ↔ Not Soon ↠ End Of Time

Welcome To The F@H Support Forum Ӂ Troubleshooting Bad WUs Ӂ Troubleshooting Server Connectivity Issues
JimboPalmer
Posts: 2522
Joined: Mon Feb 16, 2009 4:12 am
Location: Greenwood MS USA

Re: how about enabling TLS on your Assignment Servers?

Post by JimboPalmer »

FoldingFodder wrote:Could the client side F@H software be used to compute other things, such as crypto-currencies?
Lets try to look at that.

Step 1) you either have to hack F@H web page or convince folks to download your altered client software.

Step 2 you would need to hard code faux assignment server addresses, as the client does not use DNS to find servers.

Step 3 You need to write a credible Assignment server.
Step 4 You need to write a Core that does crypto mining.
Step 5 You need to dummy up the stats server some way so no one wonders why they are not getting credit.

I think if you could do all 5, you could divert time from F@H. But if you had that kind of skill, why not just start your own Distributed Project? Then you have no oversight to fool?

Right this instant, there are a lot of F@H volunteers, but 2 weeks ago there weren't and there was no way to guess there would be a sudden rush of donors.
Tsar of all the Rushers
I tried to remain childlike, all I achieved was childish.
A friend to those who want no friends
FoldingFodder
Posts: 44
Joined: Sat Apr 04, 2020 6:07 pm

Re: how about enabling TLS on your Assignment Servers?

Post by FoldingFodder »

Gotcha. Thanks Panther and Jimbo.

So essentially, adding TLS has absolutely no benefit at all since the client side is specifically programmed for folding and it dials directly to F@H's Azure servers.

Right this instant, there are a lot of F@H volunteers, but 2 weeks ago there weren't and there was no way to guess there would be a sudden rush of donors.
I presume this is down to the media promoting F@H. Eg. i think LTT has the biggest following that i'm aware of and i think they've made 2 videos on F@H over the past 2-3 weeks?
Neil-B
Posts: 1996
Joined: Sun Mar 22, 2020 5:52 pm
Hardware configuration: 1: 2x Xeon E5-2697v3@2.60GHz, 512GB DDR4 LRDIMM, SSD Raid, Win10 Ent 20H2, Quadro K420 1GB, FAH 7.6.21
2: Xeon E3-1505Mv5@2.80GHz, 32GB DDR4, NVME, Win10 Pro 20H2, Quadro M1000M 2GB, FAH 7.6.21 (actually have two of these)
3: i7-960@3.20GHz, 12GB DDR3, SSD, Win10 Pro 20H2, GTX 750Ti 2GB, GTX 1080Ti 11GB, FAH 7.6.21
Location: UK

Re: how about enabling TLS on your Assignment Servers?

Post by Neil-B »

Just some random musings:

I don't think it was just the media promotion … I think it also includes the unparalleled situation the world finds itself in (obviously pandemics precede this but not in our "technological age") … The speed of communication plays into this - "the modern day grapevine" is massively powerful and efficient … The impact that COVID-19 is having on nearly everyone at a personal level means people really do want to help and actually have time to do so and get involved.

It is absolutely awesome the levels of support shown … and the progress made by the team in expanding the capability is brilliant.

On the one hand one could have "predicted" that people would flock to folding "at some point" - but predicting how people will react in the future is always fraught with issues … From a number of sources "word got out to the masses" and a massive (YAY) swell of support engulfed the project … add to that the fact that at many levels compute resource (usually busy with whatever day job it used to do) is suddenly idle and many people/organisations (at all levels - from home to multinational) are looking to do something useful with it, as the last few weeks have unfolded it was always going to be a case of all hands to the pumps catch up for the team - and I guess that isn't over yet.

I have no connections to the core team … but I can imagine myself, as a futures evangelist, sitting in front of an academic/venture capital funding board saying "You know what, there is the possibility that at some point the whole world is going to go into locked down and that a significant proportion of the worlds compute power will be pointed at our project … I therefore think you should fund us to have a whole team of developers so that we can pre-emptively develop the software to work perfectly for all types of compute resource, and an infrastructure expansion programme so that we can serve a 10/20/100 fold increase in community - and whilst you are at it can you expand the pool of scientific researchers to be able to adequately task this massively expanded project" :idea: :D
2x Xeon E5-2697v3, 512GB DDR4 LRDIMM, SSD Raid, W10-Ent, Quadro K420
Xeon E3-1505Mv5, 32GB DDR4, NVME, W10-Pro, Quadro M1000M
i7-960, 12GB DDR3, SSD, W10-Pro, GTX1080Ti
i9-10850K, 64GB DDR4, NVME, W11-Pro, RTX3070

(Green/Bold = Active)
HaloJones
Posts: 906
Joined: Thu Jul 24, 2008 10:16 am

Re: how about enabling TLS on your Assignment Servers?

Post by HaloJones »

lazyacevw wrote:
HaloJones wrote:nothing in this world is "free". using server CPU to encrypt data costs power and achieves what exactly? this data has no value to any other party. in twenty years there has never been an attack or attempt to steal data.

you are asking for a feature that has no benefit whatsoever and would require the encryption of vast amounts of data, costing cpu cycles that cost money.
Your computer is using CPU cycles to encrypt and decrypt this webpage. Every other computer in the world does too thousands of times a day and you don't see anyone complaining about wasting money. Your "no benefit whatsoever" claim is greatly flawed. Take a cybersecurity class or something.
I have built enterprise class ecommerce sites for twenty years. Sites that turn over in excess of a billion dollars a year. Do you know why we have encryption on everything? Because Google decided so. They decided to increase the rankings of secure pages and so now we encrypt every web page. We only used to encrypt pages like login, and my account and checkout. Now we encrypt the bloody help pages!

Why is it necessary to encrypt a news site? It isn't. The page that is shown to me when I look at the BBC is the same shown to everyone else and there is no value in it being encrypted. The pages on this forum are encrypted yet there is no need to be logged in to read them. They are encrypted because that's what we now do because Google said so.

My computer can and does encrypt and decrypt data for every page load. It's tiny and insignificant these days but imagine if you were serving a terabyte of data every day? In 80MB chunks. Not little web pages but stonking great chunks of data. In vast quantities. The load on that server would not be insignificant. It would be huge. The cpus would be hammered encrypting those data chunks. Which would slow down the delivery. And they'd need even more servers. All that costs money.

There is no benefit to FAH.
single 1070

Image
Post Reply