| Index | Recent Threads | Unanswered Threads | Who's Active | Guidelines | Search |
 |
World Community Grid Forums
Category: Support
Forum: Suggestions / Feedback
Thread: Migrate WCG BOINC url and web_url to https for more corporate buy-in |
| No member browsing this thread |
|
Thread Status: Active Total posts in this thread: 6
|
|
| Author |
|
|
hchc
Veteran Cruncher USA Joined: Aug 15, 2006 Post Count: 735 Status: Offline Project Badges: 
|
Looking at GlassWire for Windows, my BOINC client only connects to WCG via scheduler.worldcommunitygrid.org over 443/tcp (https), but the official WCG URL and Web_URL are still using the antiquated URLs from 2004ish.
----------------------------------------(from all_projects_list.xml) <url>http://www.worldcommunitygrid.org/</url> <web_url>http://www.worldcommunitygrid.org/</web_url> (from account_www.worldcommunitygrid.org.xml) <master_url>http://www.worldcommunitygrid.org/</master_url> The Rosetta@home project recently changed the project URLs within BOINC to https. Would it be feasible for WCG to do the same? I'm not sure if coordination needs to happen with a new BOINC release (to update all_projects_list.xml) or if any other moving pieces need to be coordinated or if this is simply a matter of communication and execution. I know far too many mindless corporate InfoSec people who wouldn't hesitate to red light WCG without diving any deeper, even if I "tell" them that all traffic really goes over https only and show them packet captures. They won't care, since all they see is "http." Is the Level of Effort for such a change request pretty minor? Just curious, as I'd love to see more WCG modernization even if incrementally. Thanks for the consideration!
[Edit 2 times, last edit by hchc at Jun 20, 2020 3:08:00 PM] |
||
|
|
Former Member
Cruncher Joined: May 22, 2018 Post Count: 0 Status: Offline |
Think to have read it already enforced for certain actions. When for instance going to My Profile a green lcok appears left in the address bar and selecting ascertains a secured link. I've got HTTPS Everywhere browser add-in to enforce this, so maybe that is what I'm seeing.
----------------------------------------IIRC it's a reason why BOINCStats is not fully hooked up as they are http AFAIK. [Edit 1 times, last edit by Former Member at Jun 20, 2020 2:41:26 PM] |
||
|
|
hchc
Veteran Cruncher USA Joined: Aug 15, 2006 Post Count: 735 Status: Offline Project Badges:
|
I wasn't referring to the WCG website that a human would connect to with a web browser. Was referring to the <url>, <web_url>, and <master_url> to which the BOINC client connects. Even if the web farm or load balancer or whatever rewrites or redirects to 443/tcp https, the mere presence of "http" in config files is enough to turn off corporate types. Officially changing all those to https would be one less hurdle or obstacle into getting corporate buy-in to run WCG on a company's desktops, laptops, and servers.
----------------------------------------
[Edit 3 times, last edit by hchc at Jun 20, 2020 3:05:23 PM] |
||
|
|
Former Member
Cruncher Joined: May 22, 2018 Post Count: 0 Status: Offline |
I know, and recollect https is not enforced for all BOINC traffic. Even if you put https in the string, it drops back to http quite soon.
|
||
|
|
Aurum
Master Cruncher The Great Basin Joined: Dec 24, 2017 Post Count: 2370 Status: Offline Project Badges: 
|
hchc, You may want to read this discussion:
----------------------------------------BOINC should push projects to use HTTPS for better security #1345 https://github.com/BOINC/boinc/issues/1345 and https://github.com/BOINC/boinc/pull/2716   ...KRI please cancel all shadow-banning[Edit 1 times, last edit by Aurum420 at Jun 21, 2020 12:54:26 AM] |
||
|
|
Former Member
Cruncher Joined: May 22, 2018 Post Count: 0 Status: Offline |
The Aspens replied in both threads and posts here too occasionally such as here https://www.worldcommunitygrid.org/forums/wcg/viewpostinthread?post=497113
|
||
|
|
|