2016-09-07 18:34 GMT-03:00 CM <[email protected]>:
> I do think password storage security within BOINC projects is of relevance,
> alongside the other security issues you have raised. Would it make more
> sense to handle the password hashing on the web server rather than the BOINC
> client and to potentially encrypt the communications between the client and
> server (on top of SSL)?

Oh sure it's of relevance. When I say it's irrelevant, I mean it's a bit silly to worry about having unbreakable glass in your house windows when the door is unlocked (or there is a wall missing) :)

Ideally the BOINC client would use OAuth or something like that to log in, that way information stored on a client wouldn't let you log in to the website, and users could even revoke access to individual attached clients. And account keys should be killed.

The problem is implementing stuff like that without breaking compatibility with everything everywhere...

--
Nicolás
_______________________________________________
boinc_dev mailing list
[email protected]
http://lists.ssl.berkeley.edu/mailman/listinfo/boinc_dev
