[Site] Your Website Doesn't Use Ssl/https



Crowfall Team,

 

I'm excited for this game. It looks like it's going to be awesome!

 

However, I went to order a starter package, and found that the website doesn't use SSL/https (requests/responses are not at all encrypted). This is the most basic security feature required for private/secure data transfer, and is the first item on the checklist of building any online store, or login capabilities.

 

Please fix it immediately, if not for me, for all the data theft that will result from it.

 

Here's where you can get an affordable SSL certificate. Let me know if you need help getting it set up properly.

 

- Tonkah


Tonkah - I looked at the site and when you actually hit the green buy now button it's got a popup window that is generated from here:

 

```html
<script src="https://payplus.lgelements.com/paywall-payplus2.0/payplusprod/cashin/public//js//require.js" data-main="view/purchase"></script>
```

(I threw some space in there so the board autoformat would stop abbreviating the code)

 

The tech is a paypal popup and info is secure when typed into the popup window.

 

Once the popup window asks for the CC, just right click and choose Inspect Element. You can find the script in there.

Edited by Oridi



The Chronicles of Crowfall           The Free Lands of Azure            RIP Doc Gonzo.


Glad to hear that the security risk for the credit card data is minimized. It's still super-easy to hijack sessions on crowfall.com, however. I highly recommend installing an SSL cert.


I have to agree with Tonkah.  CF resources that require any sort of authentication to player accounts should definitely require SSL at a bare minimum.  This especially includes the forums and website accounts.  This is a huge security risk and something that Ace doesn't want to experience even before Alpha starts.

 

This definitely makes me uncomfortable and I could have sworn there used to be an active SSL in place.  This really needs to be a high priority before the KS pledges are merged with the CF accounts, or many of us will risk losing our backer rewards, which will be a serious issue.

> Suddenly, a Nyt appears in the discussion...


Agreed with this, especially before the KS account pledge merges happen.

 

If they don't get this resolved soon, I'm going to log out of my website account and not log back in until they have it secured.  There is currently way too much risk.

 

I'm also a little disappointed that there has been no response on the subject.

Edited by Nyt



Here's the response from our web team, it matched my understanding but I wanted it to be accurate:

 

All website requests to the systems that do indeed require SSL are already doing so. Those systems cannot talk over unsecured (HTTP for example) protocols. The majority of the website is unencrypted as it does not contain any sensitive information. Whenever a request is made to the systems that handle secure information, this is always run over HTTPS.

Gordon Walton, ArtCraft Entertainment, Inc.  [Rules of Conduct]

Follow us on Twitter @CrowfallGame | Like us on Facebook

 


> Here's the response from our web team, it matched my understanding but I wanted it to be accurate:
>
> All website requests to the systems that do indeed require SSL are already doing so. Those systems cannot talk over unsecured (HTTP for example) protocols. The majority of the website is unencrypted as it does not contain any sensitive information. Whenever a request is made to the systems that handle secure information, this is always run over HTTPS.

 

That is a huge relief.  I'll have to pay attention next time I log into the Account portion on the front page.

 

 


> Here's the response from our web team, it matched my understanding but I wanted it to be accurate:
>
> All website requests to the systems that do indeed require SSL are already doing so. Those systems cannot talk over unsecured (HTTP for example) protocols. The majority of the website is unencrypted as it does not contain any sensitive information. Whenever a request is made to the systems that handle secure information, this is always run over HTTPS.

 

I further investigated and tested, and it appears everything IS getting submitted to an API (api.epicdata.io) in the background, over SSL... regardless of whether the website is viewed with SSL or not. The forums are using the same account login now as well, which is maintained in a backend session on the server. This is a relief, thank you.

 

This JUST started working... been testing daily.  :)


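Tonkah's earlier point that sessions on an HTTP site are easy to hijack, and Nyt's note above that the forum login is kept in a backend session on the server, meet in the session cookie: whatever the server keeps, the browser still has to present an identifier on every request, and it does so in the clear on http:// unless the cookie carries the Secure attribute. The following is an added example of mine, not code from crowfall.com or from anyone in this thread; the Set-Cookie header values are constructed for illustration.

```python
"""Which cookies would a passive sniffer see on an http:// request?

Added example, not the site's or the posters' code. The Set-Cookie values in
SAMPLE_SET_COOKIE are constructed. It uses only the standard library.
"""
from http.cookies import SimpleCookie

# Constructed headers of the kind a site with a server-side session might emit:
# a session id without Secure, a long-lived remember-me token, a preference
# cookie, and one cookie that is set correctly for comparison.
SAMPLE_SET_COOKIE = [
    "session_id=9f3c2a1b7e; Path=/; HttpOnly",
    "remember_me=user42token; Path=/; Expires=Wed, 21 Oct 2015 07:28:00 GMT",
    "theme=dark; Path=/",
    "csrf=abc; Path=/; Secure; SameSite=Strict",
]


def parse_set_cookie(headers):
    """Parse a list of Set-Cookie header values into {name: Morsel}.

    Each header is loaded on its own: an Expires date contains a comma, so
    joining the headers with commas first would mis-split the cookies.
    """
    jar = {}
    for header in headers:
        c = SimpleCookie()
        c.load(header)
        jar.update(c)  # SimpleCookie maps cookie name -> Morsel
    return jar


def cookie_header_for(jar, scheme):
    """Return the Cookie header a browser would attach to a request over `scheme`.

    Cookies flagged Secure are withheld from http:// requests; everything else
    is sent, which is exactly what someone on the network path can capture
    and replay to take over the session.
    """
    sent = [
        f"{name}={m.value}"
        for name, m in jar.items()
        if scheme == "https" or not m["secure"]
    ]
    return "; ".join(sent)


def audit_cookies(jar):
    """Return {name: [issues]} for every cookie; an empty list means no finding."""
    findings = {}
    for name, m in jar.items():
        issues = []
        if not m["secure"]:
            issues.append("no Secure: sent in cleartext over http://")
        if not m["httponly"]:
            issues.append("no HttpOnly: readable by injected script")
        if not m["samesite"]:
            issues.append("no SameSite: attached to cross-site requests")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    jar = parse_set_cookie(SAMPLE_SET_COOKIE)
    print("visible on the wire for http:// :", cookie_header_for(jar, "http"))
    for name, issues in audit_cookies(jar).items():
        print(name, issues or ["ok"])
```

The point of `cookie_header_for` is that "the session lives on the server" does not protect the session identifier itself: with the sample headers, `session_id`, `remember_me` and `theme` all appear on an http:// request, and only `csrf` is held back. Setting Secure (and serving the whole site over HTTPS so that the browser ever has a reason to send it) is what closes the gap.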

While combing around in the source for the login button, I came across this error:
 
[screenshot of the error]
 
HTML definitely isn't my forte, but it looks like the login popup isn't secure.
 
EDIT: Whoops, looks like the site scaled it. The error says:

Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen.

Edited by txteclipse

> HTML definitely isn't my forte, but it looks like the login popup isn't secure.
>
> EDIT: Whoops, looks like the site scaled it. The error says:
>
> Password fields present on an insecure (http://) page. This is a security risk that allows user login credentials to be stolen.

It's been a while, but I don't see how it would be a concern if it's input on an unsecured page. All that should matter is how the form data (your username/password) is submitted, and if what Nyt said is true, then you shouldn't have any problems.

 

But again it's been a while, so I could be wrong.

[@--(o.O)@]


> It's been a while, but I don't see how it would be a concern if it's input on an unsecured page. All that should matter is how the form data (your username/password) is submitted, and if what Nyt said is true, then you shouldn't have any problems.
>
> But again it's been a while, so I could be wrong.

 

[screenshot]

 

I also confirmed it using Wireshark and they are using a valid SSL certificate for the transmission.

Edited by Nyt



Just FYI, securing a webpage does not only mean encrypting the data the user sends to the server. It also proves to the user that the page/form they are entering information into comes from a trusted source. Whole pages are encrypted with HTTPS so that users do not send their credentials to man-in-the-middle attackers.

 

As an example, this is the partial page that is loaded into the modal when the user clicks LOGIN on the main page: http://crowfall.com/partial/login-simple.html. Is this HTML being retrieved via HTTPS? If not, then a third party could be sending me a form that saves my username & password. I cannot verify that the form is coming from a trusted source.

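The distinction Tonkah draws above is exactly what the browser warning quoted earlier in the thread ("Password fields present on an insecure (http://) page") is checking for: it is not enough that the form posts over HTTPS if the markup that collects the password arrived over HTTP, because an attacker on the path can replace that markup (or the script that drives it) before it reaches you. The following is an added example of mine, not code from crowfall.com or from anyone in this thread; it audits a page body for that condition and for its cousins, a form that posts credentials over http:// and active mixed content on an https:// page. The example.test URLs and the HTML samples are constructed.

```python
"""Audit an HTML page for insecure login forms and active mixed content.

Added example, not the site's or the posters' code; sample URLs and markup
are constructed. Standard library only.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose remote resource runs or renders inside the page's own
# context. Pulling one of these over http:// into an https:// page is
# "active mixed content": a network attacker can swap the resource out.
ACTIVE_SUBRESOURCE_ATTR = {"script": "src", "iframe": "src",
                           "link": "href", "object": "data"}


class _LoginPageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_scheme = urlsplit(page_url).scheme.lower()
        self.findings = []
        self._form_action = None  # absolute action URL of the open <form>

    def _absolute(self, url):
        # Resolves relative and protocol-relative ("//host/x") references
        # against the page URL, so their scheme follows the page's scheme.
        return urljoin(self.page_url, url)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            # A form with no action posts back to the page itself.
            self._form_action = self._absolute(a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "password":
            if self.page_scheme != "https":
                # The browser warning quoted in the thread. The HTML that
                # collects the password was never authenticated, so what it
                # does with the password is under an on-path attacker's control,
                # whatever URL the form claims to post to.
                self.findings.append(("password-field-on-insecure-page", self.page_url))
            if (self._form_action is not None
                    and urlsplit(self._form_action).scheme.lower() == "http"):
                self.findings.append(("credentials-posted-over-http", self._form_action))
        elif tag in ACTIVE_SUBRESOURCE_ATTR:
            if tag == "link" and "stylesheet" not in a.get("rel", "").lower():
                return
            ref = a.get(ACTIVE_SUBRESOURCE_ATTR[tag])
            if ref and self.page_scheme == "https":
                target = self._absolute(ref)
                if urlsplit(target).scheme.lower() == "http":
                    self.findings.append(("active-mixed-content", target))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None


def audit_login_page(page_url, html):
    """Return sorted, de-duplicated (finding, url) pairs for one page body."""
    p = _LoginPageAudit(page_url)
    p.feed(html)
    p.close()
    return sorted(set(p.findings))


# Constructed: a login partial whose form posts to an HTTPS API, but which was
# itself fetched over plain HTTP (the situation described in the thread).
SAMPLE_LOGIN_PARTIAL = """
<form id="login" action="https://api.example.test/v1/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <button type="submit">LOGIN</button>
</form>
"""

# Constructed: an HTTPS page that loads its script over http://.
SAMPLE_HTTPS_PAGE_WITH_HTTP_SCRIPT = """
<script src="http://cdn.example.test/require.js" data-main="view/purchase"></script>
<form action="/account/login" method="post">
  <input type="password" name="password">
</form>
"""

# Constructed: page and form action both over HTTPS; nothing to report.
SAMPLE_CLEAN = """
<form action="https://example.test/login" method="post">
  <input type="password" name="password">
</form>
"""

if __name__ == "__main__":
    for url, body in [
        ("http://example.test/partial/login-simple.html", SAMPLE_LOGIN_PARTIAL),
        ("https://example.test/", SAMPLE_HTTPS_PAGE_WITH_HTTP_SCRIPT),
        ("https://example.test/login", SAMPLE_CLEAN),
    ]:
        print(url, audit_login_page(url, body) or "ok")
```

Note what the first sample reports: no "credentials-posted-over-http" finding, because the action really is HTTPS, yet still "password-field-on-insecure-page". That is the gap between the web team's answer (the submission is encrypted) and Tonkah's objection (the form you are submitting is not authenticated).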

> Just FYI, securing a webpage does not only mean encrypting the data the user sends to the server. It also proves to the user that the page/form they are entering information into comes from a trusted source. Whole pages are encrypted with HTTPS so that users do not send their credentials to man-in-the-middle attackers.
>
> As an example, this is the partial page that is loaded into the modal when the user clicks LOGIN on the main page: http://crowfall.com/partial/login-simple.html. Is this HTML being retrieved via HTTPS? If not, then a third party could be sending me a form that saves my username & password. I cannot verify that the form is coming from a trusted source.

There we go. I kept saying I knew it had been a while because I knew I was forgetting something.

 

Someone take away my CEH certification.



If the forums don't use SSL, and you can get banned from the game by getting banned in the forums, a hacker could get people banned from the game by getting them banned from the website.

 

Everything needs to be SSL methinks

Edited by kroked

Gee, encryption isn't the be-all and end-all solution. I'm working with security-sensitive data every day, and while encryption certainly helps, making sure that the database of a system is in itself secured against as many types of injections / privilege escalations as possible is even more important. Being on an encrypted website has NO effect on the chance of being hacked like that.

 

So far, the Crowfall forums are based on the Invision-Services (aka IP.Board) which is in itself rather sophisticated in regards to security and penetration resistance.

The hype around being on a fully encrypted net (which also makes you yourself easier to track btw) won't do any good for the security of our data here.

 

The best way to keep your info secure is not being dumb enough to spread it all over the internet. Use a unique set of credentials for every page. Use long but easy to remember passwords (they don't need to be cryptic, just long enough that they are not easy to guess; I tend to use concatenated sentences with a unique aspect per site like 'thisismeanttobemypasswordforcrowfall'). The current hashing methods rely more on content than on strength per position. The longer your password, the more content to encrypt it with. And if you happen to be using a mail provider that can deal with aliases, you can even have unique mail addresses for each website without too much hassle.
