NaCl Chrome Client Not Secure?


Postby rbxii3 » Sun Mar 24, 2019 1:14 am

The F@H Chrome client is showing a Not Secure certificate error when I open it. This issue is also present when the micro client is embedded on a website. Chrome considers it an "unsafe script", and requires manual unblocking by the user. Most likely, the SSL certificate is out of date.
rbxii3
 
Posts: 2
Joined: Sun Mar 24, 2019 1:09 am

Re: NaCl Chrome Client Not Secure?

Postby foldy » Sun Mar 24, 2019 8:38 am

I can see the same and it looks like the website does not use http(s) with ssl certificate but only http.
http://nacl.foldingathome.org/
So it needs to add https://nacl.foldingathome.org/ and just use the ssl certificate from https://foldingathome.org/
foldy
 
Posts: 1446
Joined: Sat Dec 01, 2012 3:43 pm

Re: NaCl Chrome Client Not Secure?

Postby MeeLee » Sun Mar 24, 2019 6:21 pm

It shows as unsafe with me too, but runs the program just fine.

I don't think there's any significant data being transferred between the nacl client and the web anyway.
MeeLee
 
Posts: 208
Joined: Tue Feb 19, 2019 10:16 pm

Re: NaCl Chrome Client Not Secure?

Postby bruce » Sun Mar 24, 2019 10:51 pm

One by one, the folks who distribute browsers are warning you that you should use https: rather than http: although I don't see any risk of someone spying on your use of FAH's web client.
bruce
 
Posts: 22340
Joined: Thu Nov 29, 2007 10:13 pm
Location: So. Cal.

Re: NaCl Chrome Client Not Secure?

Postby rbxii3 » Mon Mar 25, 2019 3:03 am

I'm not 100% sure about this, but isn't it possible that a malicious party could inject their own script in the place of the project, e.g. a cryptojacker? Since there is no SSL certificate, there is no way to authenticate that you are connecting to the right server.
rbxii3
 
Posts: 2
Joined: Sun Mar 24, 2019 1:09 am

Re: NaCl Chrome Client Not Secure?

Postby Joe_H » Mon Mar 25, 2019 5:15 am

The client and the servers only accept WUs that are digitally signed internally, and are coded to only connect to servers at specific network addresses. So your thought that there is no way to tell is not correct in actuality.

Remember, the regular desktop client is also using http connections for WU download and upload. They have been running securely over http connections for 15 years or so. Each WU is digitally signed with a 2048-bit signature, several times larger than the 256-bit TLS keys used by https.

F@h does have a security entry in their FAQ's, see this page - https://foldingathome.org/support/faq/miscellaneous/.

iMac 2.8 i7 12 GB smp8, Mac Pro 2.8 quad 12 GB smp6
MacBook Pro 2.9 i7 8 GB smp3
Joe_H
Site Admin
 
Posts: 4443
Joined: Tue Apr 21, 2009 4:41 pm
Location: W. MA
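
The post above describes work units that are signed independently of the transport. As an added example (not Folding@home code and not part of the original post), this Node.js sketch shows a client accepting a payload fetched over plain HTTP only if it verifies under a pinned public key; RSA-2048 with SHA-256, the key pair and the work-unit bytes are all assumptions constructed for illustration.

```javascript
// Added illustration: payload signing that does not depend on TLS.
// Assumption: RSA-2048 + SHA-256; the thread only says "2048 bit signature".
const crypto = require('crypto');

// Constructed signer key pair. A real client would ship only the public key.
const { publicKey, privateKey } =
  crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Server side (hypothetical helper): sign the work-unit bytes before sending.
function signWorkUnit(payload, key) {
  return crypto.sign('sha256', payload, key);
}

// Client side (hypothetical helper): accept only if the signature verifies
// under the pinned key. Any error while verifying counts as a rejection.
function acceptWorkUnit(payload, signature, pinnedKey) {
  try {
    return crypto.verify('sha256', payload, pinnedKey, signature);
  } catch (err) {
    return false;
  }
}

function demo() {
  // Constructed sample payload standing in for a work unit.
  const wu = Buffer.from('constructed work unit: project=0 run=1 clone=2 gen=3');
  const sig = signWorkUnit(wu, privateKey);

  // Case 1: one bit flipped in transit, original signature attached.
  const tampered = Buffer.from(wu);
  tampered[0] ^= 0x01;

  // Case 2: payload re-signed with a key the client does not pin.
  const other = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const forgedSig = signWorkUnit(wu, other.privateKey);

  return {
    genuine: acceptWorkUnit(wu, sig, publicKey),
    tampered: acceptWorkUnit(tampered, sig, publicKey),
    forged: acceptWorkUnit(wu, forgedSig, publicKey),
    signatureBits: sig.length * 8,
  };
}

console.log(demo());
```

The check covers only the bytes that were signed; anything else delivered over the same connection is outside it.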

Re: NaCl Chrome Client Not Secure?

Postby foldy » Mon Mar 25, 2019 8:15 am

Still, it should be easy to change the web server to use https, as web browsers now want that, so users do not get scared.
foldy
 
Posts: 1446
Joined: Sat Dec 01, 2012 3:43 pm

Re: NaCl Chrome Client Not Secure?

Postby Joe_H » Mon Mar 25, 2019 2:39 pm

It is not an easy change. HTTP connections use ports 80 and 8080, and those ports are open for connections to and from the F@h servers through the institutional firewalls of the participating members of the Folding@home Consortium. HTTPS uses port 443 as the default; there is no defined alternate port. That or whatever alternate port they set up would need to be enabled on the Assignment and Work Servers, and opened in the firewalls to those servers.

They would not be able to have the URL of the NaCl page be https and still connect over ports 80 or 8080 to the servers for WU's, the browsers would still flag the page as having a mix of secure and insecure connections.
Joe_H
Site Admin
 
Posts: 4443
Joined: Tue Apr 21, 2009 4:41 pm
Location: W. MA

Re: NaCl Chrome Client Not Secure?

Postby foldy » Mon Mar 25, 2019 7:01 pm

I see, but mixed secure sounds better than unsecure, if that is shown to users in the Chrome browser then. And that would be easy when WS can stay unchanged.
foldy
 
Posts: 1446
Joined: Sat Dec 01, 2012 3:43 pm

Re: NaCl Chrome Client Not Secure?

Postby bruce » Mon Mar 25, 2019 7:04 pm

The message is coming from Chrome, not from FAH. You'll have to figure out how to convince Google that they shouldn't issue the message in this particular case.
bruce
 
Posts: 22340
Joined: Thu Nov 29, 2007 10:13 pm
Location: So. Cal.

