Hi Rom,

Somewhat OT, but somewhat related....

> * Correct ca-bundle.crt is extracted
Ouch! Daggers in my eyes.

Do you really need to confer trust? The secure channel using a public
DNS and a public CA hierarchy leaks like a sieve.

I gave a talk last week on the evils of trusting [foreign] DNS, PKI{X}
and public CAs (https://www.owasp.org/index.php/Virginia).

There are alternatives, if interested. For example, you could:
* supply the needed certificate root during provisioning
  - trust only one instead of many
* use a password authenticated key exchange (PAKE)
  - for example, Secure Remote Password (SRP)
* pin the server's expected certificate or public key
  - provide during provisioning

I also provided sample programs for public key pinning at the talk. It
includes Android, iOS, .Net, and OpenSSL. It's as easy as copy/paste.
It does not throw away SSL/TLS - it hardens the channel.

Jeff

On Wed, Feb 13, 2013 at 12:40 AM, Rom Walton <[email protected]> wrote:
> I've uploaded a new build:
> http://boinc.berkeley.edu/dl/boinc_7.0.51_arm-android-linux-gnu.apk
>
> This build has the following fixes:
> * Correct ca-bundle.crt is extracted from the installation package, SSL 
> connections should now work.
> * Client should now be able to track the temp and status of the battery and 
> suspend before overheating.
> * Client is now started in daemon mode.  Logs can be viewed from the shell.
> * Moved the projects tab before the tasks tab.
> * Settings tab has been renamed to preferences.
> * Enabled the messages tab, it'll display the client messages in the next 
> build.
> * The UI can now be used in landscape mode.
> * The Android setup package has the debug flag enabled right now.
>
> If you have the Android SDK installed, you can view the core client state by 
> executing:
> $ adb shell
> $ run-as edu.berkeley.boinc /system/bin/sh
>
> From here you'll be logged in as the user account created for the BOINC 
> application, the core client and data files are in the client subdirectory.
>
_______________________________________________
boinc_dev mailing list
[email protected]
http://lists.ssl.berkeley.edu/mailman/listinfo/boinc_dev
To unsubscribe, visit the above URL and
(near bottom of page) enter your email address.
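
As an added example (not code from the talk, from BOINC, or from either poster), here is the third option in Jeff's list, pinning the server's expected public key, worked through in Python. The pin is the base64 SHA-256 of the certificate's DER-encoded SubjectPublicKeyInfo, the format HPKP and Android's Network Security Config use; the client carries the pin from provisioning and compares it, in constant time, against the key the server actually presents. The DER walking is done by hand so the block runs with only the standard library; the certificate it checks is a constructed P-256 certificate with a dummy public point, not a real server certificate.

```python
"""SPKI public-key pinning check in pure Python (DER walked by hand).

Added example, not BOINC or talk code. The pin is base64(SHA-256(SPKI DER)),
provisioned with the client and compared against the presented leaf cert.
"""
import base64
import hashlib
import hmac


def _read_tlv(buf, pos):
    """Read one DER TLV (single-byte tag, as X.509 uses) at pos.

    Returns (tag, raw_tlv_bytes, value_bytes, next_pos)."""
    start = pos
    tag = buf[pos]
    pos += 1
    first = buf[pos]
    pos += 1
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[start:end], buf[pos:end], end


def _children(body):
    """Split the contents of a constructed DER value into (tag, raw, value)."""
    out, pos = [], 0
    while pos < len(body):
        tag, raw, value, pos = _read_tlv(body, pos)
        out.append((tag, raw, value))
    return out


def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    tag, _, cert_body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    tag, _, tbs, _ = _read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = _children(tbs)
    if fields and fields[0][0] == 0xA0:   # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("malformed tbsCertificate")
    return fields[5][1]


def spki_pin(cert_der):
    """base64(SHA-256(SPKI DER)): the value stored at provisioning time."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return base64.b64encode(digest).decode("ascii")


def pin_matches(cert_der, expected_pins):
    """True if the presented certificate's key matches any provisioned pin.

    A set of pins lets you ship a backup key so a planned rotation does not
    strand fielded clients; comparison is constant time."""
    actual = spki_pin(cert_der)
    return any(hmac.compare_digest(actual, p) for p in expected_pins)


# --- constructed sample certificate (not a real server cert) -----------------

def der(tag, body):
    """Minimal DER TLV encoder, used only to build the sample certificate."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    # Name ::= SEQUENCE OF SET OF { OID commonName (2.5.4.3), PrintableString }
    return der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x13, cn))))


OID_EC_PUBLIC_KEY = bytes.fromhex("2A8648CE3D0201")   # 1.2.840.10045.2.1
OID_PRIME256V1 = bytes.fromhex("2A8648CE3D030107")    # 1.2.840.10045.3.1.7
OID_ECDSA_SHA256 = bytes.fromhex("2A8648CE3D040302")  # 1.2.840.10045.4.3.2


def build_sample_cert(point):
    """Build a v3 certificate around a (constructed, dummy) P-256 public point.

    Returns (cert_der, spki_der). The signature is filler; this example checks
    the pin only, it does not verify signatures."""
    spki = der(0x30, der(0x30, der(0x06, OID_EC_PUBLIC_KEY) + der(0x06, OID_PRIME256V1))
               + der(0x03, b"\x00" + point))           # BIT STRING, 0 unused bits
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))            # [0] version v3
              + der(0x02, b"\x01")                     # serialNumber
              + der(0x30, der(0x06, OID_ECDSA_SHA256))  # signature algorithm
              + _name(b"boinc-test")                   # issuer
              + der(0x30, der(0x17, b"130213000000Z") + der(0x17, b"140213000000Z"))
              + _name(b"boinc-test")                   # subject
              + spki)
    cert = der(0x30, tbs + der(0x30, der(0x06, OID_ECDSA_SHA256)) + der(0x03, b"\x00" + bytes(70)))
    return cert, spki


# Dummy uncompressed points (0x04 || X || Y); the key the client was provisioned
# with, and a second one standing in for an impostor with a different key.
SAMPLE_CERT, SAMPLE_SPKI = build_sample_cert(b"\x04" + bytes(range(1, 65)))
OTHER_CERT, _ = build_sample_cert(b"\x04" + bytes(range(65, 129)))

if __name__ == "__main__":
    pins = {spki_pin(SAMPLE_CERT)}      # what provisioning would have installed
    print("provisioned server :", pin_matches(SAMPLE_CERT, pins))
    print("different key      :", pin_matches(OTHER_CERT, pins))
```

In a real client the `cert_der` argument is the leaf certificate from the handshake (`ssl.SSLSocket.getpeercert(binary_form=True)` in Python; the OpenSSL and Android variants from the talk do the same against their own APIs), and the pin check runs in addition to, or, if only one provisioned root is trusted, instead of, the walk through a large public CA bundle.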
