World Community Grid Forums
Thread Status: Active Total posts in this thread: 2
debrouxl
Advanced Cruncher France Joined: Dec 31, 2004 Post Count: 61 Status: Offline
It's been years since I posted on the WCG forum :)

I'm not sure that this is the most appropriate section for such reports, but I'm sure moderators will move the topic where it belongs, if necessary.

So... I'm writing because I recently installed the SSLeuth Firefox extension ( https://addons.mozilla.org/en-US/firefox/addon/ssleuth/ ). I have been using it to get some insight into encryption strength on the web sites that I attend... and, well, at 4.9/10, the WCG site receives one of the lowest marks that I've seen so far ;)

This mark is mainly due to:
* lack of TLS 1.1 and 1.2 support. This is confirmed by raising the security.tls.version.min parameter in Firefox's about:config: if set to 2 or higher, the browser refuses to connect to the WCG site, due to lack of common protocols between server and client;
* lack of PFS cipher support (though TLS 1.0 supports several such ciphers): if I disable both RC4 and non-RC4, non-PFS ciphers globally through SSLeuth's popup, I can't reach the WCG site either, again due to lack of common protocols between server and client.

It's true that many other sites on the Internet don't support 21st century ciphers yet (TLS 1.0, the best WCG supports, was published in 1999); however, many users now use browsers with TLS 1.1 and 1.2 support, and could enjoy better ciphers if the server configuration were improved :)
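The two checks described in the post above (raising security.tls.version.min, and allowing only PFS ciphers) can be repeated outside the browser by a site's operator. The Python below is an added example, not part of the original thread: the function names are hypothetical, the host is whatever you pass on the command line, and the mapping assumes Firefox's pref values 1 to 4 mean TLS 1.0 to TLS 1.3.

```python
import socket
import ssl
import sys

# Firefox security.tls.version.min values mapped to Python's TLSVersion enum.
FIREFOX_TLS_MIN = {1: ssl.TLSVersion.TLSv1, 2: ssl.TLSVersion.TLSv1_1,
                   3: ssl.TLSVersion.TLSv1_2, 4: ssl.TLSVersion.TLSv1_3}

def is_forward_secret(name):
    """True if a cipher suite name implies ephemeral (EC)DH key exchange."""
    if name.startswith("TLS_") and "_WITH_" not in name:
        return True  # TLS 1.3 suites always use ephemeral key exchange
    return name.startswith(("ECDHE-", "DHE-", "EDH-", "TLS_ECDHE_", "TLS_DHE_"))

def build_context(firefox_min=1, pfs_only=False):
    """Client context with certificate verification left on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = FIREFOX_TLS_MIN[firefox_min]
    if pfs_only:
        # Restricts TLS <= 1.2 suites; TLS 1.3 suites are unaffected.
        ctx.set_ciphers("ECDHE:DHE:!aNULL")
    return ctx

def probe(host, port=443, firefox_min=1, pfs_only=False, timeout=5.0):
    """Attempt one handshake and return (ok, detail)."""
    ctx = build_context(firefox_min, pfs_only)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name = tls.cipher()[0]
                return True, f"{tls.version()} {name} pfs={is_forward_secret(name)}"
    except OSError as exc:  # ssl.SSLError subclasses OSError
        return False, f"{type(exc).__name__}: {exc}"

if __name__ == "__main__":
    host = sys.argv[1]  # a host you operate or are asked to assess
    for label, kwargs in [("baseline", {}),
                          ("min TLS 1.1", {"firefox_min": 2}),
                          ("PFS only", {"pfs_only": True})]:
        print(label, probe(host, **kwargs))
```

A baseline that succeeds while the other two runs fail with a handshake error matches the behaviour the post reports. Current OpenSSL builds may themselves refuse TLS 1.0, so a failed baseline alone says nothing about the server.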
Former Member
Cruncher Joined: May 22, 2018 Post Count: 0 Status: Offline

Just because you "could enjoy better ciphers", does not mean it carries any added value. The security policies of WCG as falling under the cover of IBM are extensive, in fact WCG as the only BOINC project utilizes https as first level connection feature. For an introduction on security for members who don't feel safe, read this: http://www.worldcommunitygrid.org/wb/viewInfoAll.do#sec

Some of the statistical data have aged, where 2.2 billion results have now been exchanged and over 1 million runtime years have been contributed. No security violation has ever occurred, but as is IBM policy, never make anyone the wiser. Only share on a "need to know" basis. If you want to sleuth for actual weaknesses, sleuth away. As it is, IBM is way ahead of you with in security assessment "including engaging 'Ethical Hackers' to ensure that the entire system is secure". Have a safe crunch. BTW, think the latest (open)SSL was implemented in newest BOINC clients since Heartbleed and the like came along.