Re: how about enabling TLS on your Assignment Servers?
Posted: Sat Apr 04, 2020 9:16 pm
by lazyacevw
HaloJones wrote:nothing in this world is "free". using server CPU to encrypt data costs power and achieves what exactly? this data has no value to any other party. in twenty years there has never been an attack or attempt to steal data.
you are asking for a feature that has no benefit whatsoever and would require the encryption of vast amounts of data, costing cpu cycles that cost money.
Your computer is using CPU cycles to encrypt and decrypt this webpage. Every other computer in the world does too thousands of times a day and you don't see anyone complaining about wasting money. Your "no benefit whatsoever" claim is greatly flawed. Take a cybersecurity class or something.
Re: how about enabling TLS on your Assignment Servers?
Posted: Sat Apr 04, 2020 9:26 pm
by Frogging101
Joe_H wrote:In addition, all of the WU's and other files passed over the connections are digitally signed, so someone attempting to insert their own files would have trouble doing so. Raw IP numbers are used for many of the connections, they are harder to spoof for MITM attacks.
This is the important fact that all the "+1" commenters have ignored. Input data cannot be altered or replaced in transit and still be accepted by the client unless the attacker somehow has the private signing key. This also means that the cryptographic processing overhead only has to be paid once when the work unit is signed, rather than every single time that it is requested from the work server. You can say the overhead is negligible, but it is not zero, and it could potentially be significant when multiplied by the number of simultaneous requests.
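Added example, not part of the post above and not Folding@home code: the sign-once, verify-on-the-client model the post describes, showing that a unit altered in transit or signed with another key is rejected without any transport encryption. Ed25519 and the names `WorkUnit`, `signWorkUnit`, `acceptWorkUnit` and `demo` are assumptions; the thread does not say which signature scheme F@H uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// WorkUnit is a hypothetical container: payload plus detached signature.
type WorkUnit struct {
	Payload, Signature []byte
}

// signWorkUnit runs once, when the server creates the work unit.
// The same signature is then served with every download of that unit.
func signWorkUnit(priv ed25519.PrivateKey, payload []byte) WorkUnit {
	return WorkUnit{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// acceptWorkUnit is the client-side check against the public key it ships with.
func acceptWorkUnit(pub ed25519.PublicKey, wu WorkUnit) bool {
	return ed25519.Verify(pub, wu.Payload, wu.Signature)
}

// demo reports whether the client accepts (1) the genuine unit, (2) a copy
// altered in transit, (3) a replacement signed with a different private key.
func demo() (genuine, altered, foreign bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	wu := signWorkUnit(priv, []byte("constructed sample work unit"))

	// One flipped bit in the payload, original signature kept.
	modified := WorkUnit{Payload: append([]byte(nil), wu.Payload...), Signature: wu.Signature}
	modified.Payload[0] ^= 0x01

	// A validly signed unit, but not by the key the client trusts.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	replaced := signWorkUnit(otherPriv, []byte("constructed replacement unit"))

	return acceptWorkUnit(pub, wu), acceptWorkUnit(pub, modified), acceptWorkUnit(pub, replaced)
}

func main() {
	fmt.Println(demo())
}
```

The check covers integrity and origin only; the payload still travels in the clear, which is the property TLS would add.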
Re: how about enabling TLS on your Assignment Servers?
Posted: Sat Apr 04, 2020 9:34 pm
by bren
Joe_H wrote:bren wrote:Take https://assign6.foldingathome.org/ for example; in the cert you can read Common Name == 128.252.203.2 rather than Common Name == FQDN which is probably a mistake.
Where do you see assign6 used? The AS's in current use are 1 & 2, there is a redirect from assign-cpu for compatibility with older versions of the client. Last I checked same held for assign3 & assign4 addresses.
Just went by while checking DNS records of *.foldingathome.org. I noticed https://assign6.foldingathome.org/ is responding with a weird certificate.
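Added example, not part of the post above and not Folding@home code: how a TLS client's name check treats a certificate whose only name is an IP address in the Common Name when the client connected by hostname. The certificates are constructed in the code (they are not the real server's), only the name match is checked (no chain validation), and `selfSigned` and `nameMatches` are hypothetical helpers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a throwaway certificate with the given CN and DNS SANs.
func selfSigned(commonName string, dnsNames []string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// nameMatches reports whether a client that connected to host would accept
// the names in the certificate. Current Go matches subjectAltName entries
// only and does not fall back to the Common Name.
func nameMatches(commonName string, dnsNames []string, host string) bool {
	return selfSigned(commonName, dnsNames).VerifyHostname(host) == nil
}

func main() {
	const host = "assign6.foldingathome.org"
	fmt.Println("CN is the IP, no SAN:", nameMatches("128.252.203.2", nil, host))
	fmt.Println("SAN lists the FQDN: ", nameMatches(host, []string{host}, host))
}
```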
Re: how about enabling TLS on your Assignment Servers?
Posted: Sat Apr 04, 2020 9:49 pm
by FoldingFodder
Could the F@H client be used to compute other things, such as crypto-currencies?
I wonder if OP is concerned that someone could hijack F@H clients for something like crypto mining where it does have a monetary value. Just like they did a few years ago with crypto mining JS scripts on websites.
Re: how about enabling TLS on your Assignment Servers?
Posted: Sat Apr 04, 2020 9:51 pm
by PantherX
FoldingFodder wrote:Could the F@H client be used to compute other things, such as crypto-currencies?..
FAHClient doesn't do any processing of WUs. The FAHCore does it. FAHClient sends data to FAHCore and uploads/downloads WUs. FAHControl is the GUI version (with more details) which interacts with FAHClient.
Re: how about enabling TLS on your Assignment Servers?
Posted: Sat Apr 04, 2020 10:17 pm
by FoldingFodder
PantherX wrote:FoldingFodder wrote:Could the F@H client be used to compute other things, such as crypto-currencies?..
FAHClient doesn't do any processing of WUs. The FAHCore does it. FAHClient sends data to FAHCore and uploads/downloads WUs. FAHControl is the GUI version (with more details) which interacts with FAHClient.
This is semantics - remember this is in the noob section and at least some of the people here don't know the F@H terms - me included.
Let me reword...
Could the client side F@H software be used to compute other things, such as crypto-currencies?
Re: how about enabling TLS on your Assignment Servers?
Posted: Sat Apr 04, 2020 10:30 pm
by uyaem
Uneducated guess, since I'm just a regular user and this is highly specialized towards the subject of dealing with large protein molecules:
No.
Re: how about enabling TLS on your Assignment Servers?
Posted: Sat Apr 04, 2020 10:34 pm
by Frogging101
lazyacevw wrote:
Your computer is using CPU cycles to encrypt and decrypt this webpage. Every other computer in the world does too thousands of times a day and you don't see anyone complaining about wasting money. Your "no benefit whatsoever" claim is greatly flawed. Take a cybersecurity class or something.
Unless there's a credible threat model that isn't already addressed by the cryptographic signatures that are used already, I would say that adopting TLS is pointless. It would complicate the servers (certificate management and configuration), client (adds a dependency on a TLS library), and add overhead to each and every request that the server receives (session negotiation, key exchange, and encryption/decryption).
In order to argue that the costs are outweighed by the benefits, one needs to be able to specify what problems it would solve.
Re: how about enabling TLS on your Assignment Servers?
Posted: Sat Apr 04, 2020 10:41 pm
by Tohya
FoldingFodder wrote:
This is semantics - remember this is in the noob section and at least some of the people here don't know the F@H terms - me included.
Let me reword...
Could the client side F@H software be used to compute other things, such as crypto-currencies?
Short answer is no.
Long answer, it would require a modified client and a custom core capable of doing the work.
Re: how about enabling TLS on your Assignment Servers?
Posted: Sat Apr 04, 2020 10:50 pm
by bren
Frogging101 wrote:Unless there's a credible threat model that isn't already addressed by the cryptographic signatures that are used already, I would say that adopting TLS is pointless. It would complicate the servers (certificate management and configuration), client (adds a dependency on a TLS library), and add overhead to each and every request that the server receives (session negotiation, key exchange, and encryption/decryption).
In order to argue that the costs are outweighed by the benefits, one needs to be able to specify what problems it would solve.
Yes, I dunno what could go wrong. I just thought about this with a firewall administrator mindset.
I would allow what I know and drop what I don't
rather than drop what I know and allow any
Re: how about enabling TLS on your Assignment Servers?
Posted: Sat Apr 04, 2020 11:12 pm
by PantherX
bren wrote:...I just thought about this with a firewall administrator mindset.
I would allow what I know and drop what I don't
rather than drop what I know and allow any
My take is what's the target audience of F@H... it is home users. How many home users have a dedicated hardware firewall? I would say not a lot.
However, my opinion is security done well with a plan (to implement, test, maintain and upgrade) is always much better than a security plan thrown at the last second or done for the sake of a check-box.
Re: how about enabling TLS on your Assignment Servers?
Posted: Sat Apr 04, 2020 11:21 pm
by JimboPalmer
FoldingFodder wrote:Could the client side F@H software be used to compute other things, such as crypto-currencies?
Let's try to look at that.
Step 1) You either have to hack F@H web page or convince folks to download your altered client software.
Step 2) You would need to hard code faux assignment server addresses, as the client does not use DNS to find servers.
Step 3) You need to write a credible Assignment server.
Step 4) You need to write a Core that does crypto mining.
Step 5) You need to dummy up the stats server some way so no one wonders why they are not getting credit.
I think if you could do all 5, you could divert time from F@H. But if you had that kind of skill, why not just start your own Distributed Project? Then you have no oversight to fool?
Right this instant, there are a lot of F@H volunteers, but 2 weeks ago there weren't and there was no way to guess there would be a sudden rush of donors.
Re: how about enabling TLS on your Assignment Servers?
Posted: Sun Apr 05, 2020 2:40 pm
by FoldingFodder
Gotcha. Thanks Panther and Jimbo.
So essentially, adding TLS has absolutely no benefit at all since the client side is specifically programmed for folding and it dials directly to F@H's Azure servers.
JimboPalmer wrote:Right this instant, there are a lot of F@H volunteers, but 2 weeks ago there weren't and there was no way to guess there would be a sudden rush of donors.
I presume this is down to the media promoting F@H. E.g. I think LTT has the biggest following that I'm aware of and I think they've made 2 videos on F@H over the past 2-3 weeks?
Re: how about enabling TLS on your Assignment Servers?
Posted: Sun Apr 05, 2020 3:13 pm
by Neil-B
Just some random musings:
I don't think it was just the media promotion … I think it also includes the unparalleled situation the world finds itself in (obviously pandemics precede this but not in our "technological age") … The speed of communication plays into this - "the modern day grapevine" is massively powerful and efficient … The impact that COVID-19 is having on nearly everyone at a personal level means people really do want to help and actually have time to do so and get involved.
It is absolutely awesome the levels of support shown … and the progress made by the team in expanding the capability is brilliant.
On the one hand one could have "predicted" that people would flock to folding "at some point" - but predicting how people will react in the future is always fraught with issues … From a number of sources "word got out to the masses" and a massive (YAY) swell of support engulfed the project … add to that the fact that at many levels compute resource (usually busy with whatever day job it used to do) is suddenly idle and many people/organisations (at all levels - from home to multinational) are looking to do something useful with it, as the last few weeks have unfolded it was always going to be a case of all hands to the pumps catch up for the team - and I guess that isn't over yet.
I have no connections to the core team … but I can imagine myself, as a futures evangelist, sitting in front of an academic/venture capital funding board saying "You know what, there is the possibility that at some point the whole world is going to go into lockdown and that a significant proportion of the world's compute power will be pointed at our project … I therefore think you should fund us to have a whole team of developers so that we can pre-emptively develop the software to work perfectly for all types of compute resource, and an infrastructure expansion programme so that we can serve a 10/20/100 fold increase in community - and whilst you are at it can you expand the pool of scientific researchers to be able to adequately task this massively expanded project"
Re: how about enabling TLS on your Assignment Servers?
Posted: Sun Apr 05, 2020 4:41 pm
by HaloJones
lazyacevw wrote:HaloJones wrote:nothing in this world is "free". using server CPU to encrypt data costs power and achieves what exactly? this data has no value to any other party. in twenty years there has never been an attack or attempt to steal data.
you are asking for a feature that has no benefit whatsoever and would require the encryption of vast amounts of data, costing cpu cycles that cost money.
Your computer is using CPU cycles to encrypt and decrypt this webpage. Every other computer in the world does too thousands of times a day and you don't see anyone complaining about wasting money. Your "no benefit whatsoever" claim is greatly flawed. Take a cybersecurity class or something.
I have built enterprise class ecommerce sites for twenty years. Sites that turn over in excess of a billion dollars a year. Do you know why we have encryption on everything? Because Google decided so. They decided to increase the rankings of secure pages and so now we encrypt every web page. We only used to encrypt pages like login, and my account and checkout. Now we encrypt the bloody help pages!
Why is it necessary to encrypt a news site? It isn't. The page that is shown to me when I look at the BBC is the same shown to everyone else and there is no value in it being encrypted. The pages on this forum are encrypted yet there is no need to be logged in to read them. They are encrypted because that's what we now do because Google said so.
My computer can and does encrypt and decrypt data for every page load. It's tiny and insignificant these days but imagine if you were serving a terabyte of data every day? In 80MB chunks. Not little web pages but stonking great chunks of data. In vast quantities. The load on that server would not be insignificant. It would be huge. The cpus would be hammered encrypting those data chunks. Which would slow down the delivery. And they'd need even more servers. All that costs money.
There is no benefit to FAH.