Gridcoin Tutorial; Why SSL is so important for us

in #gridcoin, 8 years ago (edited)

There have been many discussions about SSL in the Gridcoin community over the last few weeks. I will try to elaborate on the topic and explain why this is such an important thing for us.

The basics - How it all works

Gridcoin, as many of you know, is based on "miners" crunching work for one of the whitelisted BOINC projects. BOINC itself is a separate platform, and Gridcoin has no direct control over how it works. Every day the Gridcoin network collects, files and compares how much work all of the users in the team have done, and the network reaches consensus on the rewards.

The projects - Account security

All of the BOINC projects require their users to sign up with an e-mail address and a password. The Gridcoin wallet requires you to use the same e-mail address for all the projects you want to be rewarded for, since the network links that e-mail address with the CPID (Cross Platform ID) that BOINC creates. When you have several projects running you usually use a Project Manager, like BOINCStats. The Project Manager helps you make sure you sign up to projects with the same CPID and also lets you control all your BOINC clients in one place. You get controls to tell your clients which project to run, how much CPU/GPU to use and when to use it. Imagine this account login getting into the wrong hands.

The security risk - What MITM is all about.

The risk of running without SSL is that every time your BOINC clients talk to the Project Manager or a project, your credentials are sent over the internet in plain text, visible to anyone with the right tools in the right place. This is what a "Man in the Middle" attack exploits. There are a few different scenarios:

  • You are connected to an open network, which usually has no encryption. Anyone with the right equipment can read what is transmitted from your machine to the router.
  • You are using "free" internet that is publicly available. The provider of this free service can see all the traffic and can gather intel on your usage and habits. They can see what is transmitted.
  • You are connected to a network whose system admin monitors it. This system admin will be able to see what is transmitted, including your credentials.
  • The authorities monitor the traffic. They are able to see what is transmitted, including your credentials.

You can see the picture here. Any part of the road that your traffic is routed through can potentially be monitored, intercepted and manipulated. There is no way to know how you could be affected, but the risks are there. Your data can be manipulated: if your traffic is monitored and read, it can be altered too, meaning that the data sent to a project can be changed to say something other than what your computer actually sent.

The solution - Where SSL comes in

The solution to this problem has been around for a very long time and is called SSL (Secure Socket Layer). SSL means that anything your computer transmits is encrypted before it is sent out. The only thing visible to anyone monitoring the traffic is where the data is sent; the rest is an encrypted stream of data that is practically impossible to decode without the right keys. This is a solution that most of the time is not costly: there are many places that give out free SSL certificates that are just as good as the ones you pay for, as they still encrypt the data. The paid ones usually come from larger SSL issuers that also verify that the party receiving the certificate is who it says it is. SSL has become more popular, and today it is neither costly nor hard to implement.

Why this is so important to the Gridcoin community

The main reason for Gridcoin to enforce SSL is that we want to secure your accounts. We are a big player in many projects, and if a topic is of great concern to us we raise our voice and expect to be heard.

What you can do

You should first check in the project's forum whether the projects you are interested in are at risk of being delisted because of SSL certificate issues. You should raise your voice and contact the project's admins about your concern regarding MITM attacks and your own security. If the project does not implement SSL, or denies the request, it risks getting voted out of the whitelist. The goal is not to vote out projects and leave them; we embrace all projects that are good and give good value to the community, but we value your security more than anything.

Thanks for your contribution to the community, the world and science.


You are spot on with this article and deserve credit for warning folks. It's really not that hard to implement a BSD based firewall on your system like ClearOS or SmoothWall. Would provide some protection and if you reach out to either of their communities, they'll help you to customize it.

Thanks vegascomic!
I'm trying to make people aware of the discussion we're having and at the same time raise a red flag for everyone since this is not just a problem for the Gridcoin team. It's something that everyone should be aware of.

I can at the same time tip everyone about a project called JAP (Just Another Privacy). This project is comparable to TOR, but it's nothing like it. If you are interested in your Privacy online I can recommend looking at it.

You don't even need a crypto-coin to execute MITM attack.
The vulnerability is in the human brain.

I'm giving the view of MITM attack from the Gridcoin perspective, don't say it's crypto-coin only. SSL should be standard everywhere in my opinion, together with signed e-mail traffic.

I know Gridcoin exists and will continue to exist in the foreseeable future. But what are the efficiencies of this project?

It's proof of stake, that's a massive efficiency over proof of work cryptos.

How does it fix inflation?

@ubg : It doesn't "fix inflation", it has inbuilt inflation of approx 5% per year.

Outcome of the Gridcoin SSL poll


With 111,304,097 of 760,444,832 (14.637%) of total vote weight participating, the outcome was to NOT enforce SSL encryption as a mandatory whitelist requirement.

Poll data taken from current wallet information. I'm not sure why GridResearchCorp, from which the above chart is taken, has more shares.


So, I'll jump right in and bring this interesting chunk of information I came across today whilst working on Project Rain:

"Account keys are still used, but are not generally visible to users. Account keys are used by the core client to identify and authenticate itself to the server. An account's key never changes (so core clients don't need to learn when email address or password has changed)."

Source: https://boinc.berkeley.edu/new_setup.php

Let's process that chunk of information quickly:

  • Account keys are used by the BOINC client to identify and authenticate itself with the BOINC project server after you have added the project to your BOINC client.
  • This 'Account key' never changes, even if you change your email and password. Meaning that if your account key is stolen, your BOINC account for that project is permanently compromised.
  • This key is continuously being transmitted plain-text over the public Internet when you run a non-SSL project in your BOINC client. Your account key is much more likely to be intercepted than your login credentials via username/password on the project website as it is more frequently used.
  • With this account key, you can log into the affected BOINC project through the 'get_passwd.php' page (milkyway@home example get_passwd.php page) and view all personal information, view private messages and change email/password.

I was thinking, this account key is also known as an 'authenticator', which is randomly generated upon account creation. An additional security feature would be providing BOINC users the ability to apply for a new authenticator code through the project website. I'll look into this for Project Rain.
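To make the exposure described in the post's MITM section and in the account-key comment above concrete, here is an added example (not code from the original post or from the BOINC or Gridcoin projects) that audits which projects a client still talks to over plain http:// and scans constructed on-path captures for a BOINC-style <authenticator> element that an observer could read. The client-state XML layout, the 32-hex-character key format and all hosts and values are assumptions.

```python
"""Added example, not code from the original post or from BOINC/Gridcoin: audit
which projects use plain HTTP and flag account keys readable on the wire."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample in an assumed BOINC-style layout; only these tags are read.
SAMPLE_CLIENT_STATE = """<client_state>
  <project><master_url>https://project-a.example/</master_url>
           <project_name>Project A</project_name></project>
  <project><master_url>http://project-b.example/</master_url>
           <project_name>Project B</project_name></project>
</client_state>"""

# Assumed key format: 32 hex characters inside an <authenticator> element.
AUTH_RE = re.compile(r"<authenticator>\s*([0-9a-f]{32})\s*</authenticator>", re.I)

# Constructed on-path capture (scheme, host, body); TLS bodies are opaque placeholders.
SAMPLE_CAPTURE = [
    ("http", "project-b.example",
     "<scheduler_request><authenticator>0123456789abcdef0123456789abcdef"
     "</authenticator></scheduler_request>"),
    ("https", "project-a.example", "<opaque TLS record>"),
]

def audit_projects(xml_text):
    """Return (name, master_url, plaintext) per project; plaintext is True
    unless the master URL uses https, i.e. credentials travel unencrypted."""
    rows = []
    for proj in ET.fromstring(xml_text).iter("project"):
        url = (proj.findtext("master_url") or "").strip()
        name = proj.findtext("project_name") or "?"
        rows.append((name, url, urlparse(url).scheme.lower() != "https"))
    return rows

def exposed_keys(capture):
    """Account keys readable by an observer: only plaintext bodies can match.
    Keys are truncated so the audit output itself does not leak them."""
    hits = []
    for scheme, host, body in capture:
        if scheme == "http":
            hits += [(host, m.group(1)[:4] + "...") for m in AUTH_RE.finditer(body)]
    return hits

if __name__ == "__main__":
    for name, url, plain in audit_projects(SAMPLE_CLIENT_STATE):
        print(f"{name}: {url} -> {'PLAINTEXT' if plain else 'encrypted'}")
    for host, key in exposed_keys(SAMPLE_CAPTURE):
        print(f"account key {key} visible on the wire to {host}")
```

Run against a real client-state file, the audit lists every project whose master URL is still plain http, which is exactly the set for which the account key on the capture side would be readable.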
