Closed skcin closed 4 years ago
Comment by grctest Tuesday Apr 11, 2017 at 21:41 GMT
Relevant security issues:
https://github.com/Erkan-Yilmaz/Gridcoin-tasks/issues/78
https://github.com/Erkan-Yilmaz/Gridcoin-tasks/issues/102
https://github.com/Erkan-Yilmaz/Gridcoin-tasks/issues/105
https://github.com/BOINC/boinc/issues/1644
Comment by Erkan-Yilmaz Sunday May 14, 2017 at 15:41 GMT
We talked about the email validation by the BOINC server also in our 8th interview (series: "talking with BOINC admins"), see the 2nd part of the interview.
https://github.com/marius311/boinc/commit/2c2ace80fcc850ced90342e328cfac880e2bc00b
Marius from cosmology@home began working on this; we can safely remove the account-key web authentication mechanism and implement a replacement email password recovery mechanism.
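A sketch of the property the comment above is after: an emailed recovery token that is random, stored only as a hash, time-limited and single-use, in contrast to a static account key that never expires. This is an added illustration in Python, not code from BOINC or from the linked commit; the one-hour lifetime and the in-memory store are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # assumed policy: a recovery link is valid for one hour


class RecoveryStore:
    """Keeps only the SHA-256 of each issued recovery token, per user, with an expiry.

    A static account key is a long-lived secret that is itself the credential; a
    leaked copy works until the account is rebuilt.  A recovery token is issued
    on demand, cannot be recovered from the server-side store, expires, and is
    consumed on first use, so a leaked or replayed token has a short, bounded life.
    """

    def __init__(self):
        self._pending = {}  # user_id -> (token_sha256_hex, expires_at)

    def issue(self, user_id, now=None):
        """Create a token for user_id and return it for delivery by email."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, not guessable
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[user_id] = (digest, now + TOKEN_TTL_SECONDS)
        return token  # only the hash is retained server-side

    def redeem(self, user_id, token, now=None):
        """Return True once for a valid, unexpired token; False otherwise."""
        now = time.time() if now is None else now
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expires_at = entry
        if now > expires_at:
            del self._pending[user_id]  # expired tokens are discarded, not retried
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):
            return False  # wrong token: leave the pending entry for the real email
        del self._pending[user_id]  # single use: a replay of the same link fails
        return True
```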
Issue by grctest Tuesday Apr 11, 2017 at 21:29 GMT Originally opened as https://github.com/Erkan-Yilmaz/Gridcoin-tasks/issues/106
Improving BOINC security: Account Keys!
What are account keys?
Account keys enable your BOINC client to continue crunching with your account regardless of email or password changes. You can also log into an individual BOINC project account given the user's account key.
Whilst account keys are handy for users with many computers (saves time logging into each machine) or handy for project admins (no computation downtime due to users changing passwords), they pose an extreme security risk within the BOINC community.
Why are account keys risky?
Who knows my email address?
PSA: Do you know who your team founder is? Have you hidden your email yet?
Within the Gridcoin team 99% of users have not hidden their email; this is potentially the same case across the entire BOINC community.
Who/what has access to my account keys?
Why care about permanent account compromise?
There are many reasons, it's not a good thing.
How can I minimize risk?
Thoughts?
IMO, the complete removal of account keys would be desirable. We shouldn't expose this large a risk so that a few have an easier time maintaining their BOINC environments.