Official Forums for the Ultimate Economy Game




It is currently Sun Feb 16, 2020 7:24 pm (All times are UTC [ DST ])




 Post subject: TLS/https
PostPosted: Wed Mar 29, 2017 1:46 am 

Joined: Aug 28, 2009
Posts: 1123
Location: Qo'noS
Offline
Corban Industries
Bug Swatter
It would be nice if the site could implement HSTS and HTTPS redirect by default instead.
https://en.wikipedia.org/wiki/HTTP_Stri ... t_Security

As you know, browsers like Mozilla and Chrome report that it's insecure when entering credentials on a non-HTTPS site. Also, loading mixed content causes issues with the HTTPS.

Just a suggestion/technical security thing.

_________________
"The Simunomic's Dinosaur"
Local Tech Repair: We do computer security research and help people protect themselves and learn how blackhats work.


 Post subject: Re: TLS/https
PostPosted: Wed Mar 29, 2017 5:44 pm 
Developer

Joined: Feb 8, 2008
Posts: 2888
Offline
Commit to Excellence
Bellerive Chamber of Commerce
Two reasons we don't:

1) We're afraid of it being slower. Not a lot, but the protocol adds an extra layer that isn't necessary most of the time.
2) More importantly, chat is hosted on a different subdomain. We'd have to set up additional certificates requiring additional expense and/or time. Otherwise it's mixed content.

So we switch you to secure for ticket purchases and you can do it manually all the time if you want, but that's why we aren't pushing it yet. It's not a bad idea though, certainly.

_________________
"Please let me make my own mistakes? 'cause I really like to learn stuff." --Wise words from Hillside Cottage

Please read the rules. Have information? Why not write a guide?
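A defender-side check of the two things the opening post asks for, an HTTPS redirect and an HSTS header, together with the subdomain caveat the developer raises above. This is an added example, not code from this thread or from Simunomics; it runs over constructed HTTP and HTTPS responses embedded in the block, so no real host is contacted, and `www.example.com` and the header values are assumed sample data. The `includeSubDomains` directive is checked because chat lives on a separate subdomain: once that directive is set, the browser insists on HTTPS for every subdomain, so it belongs in the header only after all of them have certificates.

```python
"""Audit an origin's HTTPS enforcement from its HTTP and HTTPS responses.

Added example for the TLS/https thread; the responses below are constructed
sample data, not captures from simunomics.com or any other real host.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Browsers and the preload list expect a long max-age; six months is a common floor.
SIX_MONTHS = 180 * 24 * 3600
REDIRECT_CODES = {301, 302, 307, 308}


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status code plus headers."""
    status: int
    headers: dict = field(default_factory=dict)

    def header(self, name):
        """Case-insensitive header lookup (header names are case-insensitive)."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its three directives."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            out["max_age"] = int(val) if val.isdigit() else None
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def audit(http_resp, https_resp, host, has_subdomains=True):
    """Return a list of finding codes; an empty list means the origin passes."""
    findings = []

    # 1. Plain-HTTP requests must redirect to https:// on the same host.
    location = http_resp.header("Location") or ""
    target = urlsplit(location)
    if http_resp.status not in REDIRECT_CODES or target.scheme != "https":
        findings.append("no-https-redirect")
    elif target.hostname != host:
        findings.append("redirect-leaves-host")

    # 2. The HTTPS response must carry a usable HSTS policy.
    hsts = https_resp.header("Strict-Transport-Security")
    if hsts is None:
        findings.append("hsts-missing")
    else:
        policy = parse_hsts(hsts)
        if policy["max_age"] is None:
            findings.append("hsts-max-age-invalid")
        elif policy["max_age"] < SIX_MONTHS:
            findings.append("hsts-max-age-short")
        # Only meaningful once every subdomain (e.g. chat) already serves HTTPS.
        if has_subdomains and not policy["include_subdomains"]:
            findings.append("hsts-no-includesubdomains")

    # 3. HSTS sent over plain HTTP is ignored by browsers; flag it as wasted effort.
    if http_resp.header("Strict-Transport-Security") is not None:
        findings.append("hsts-on-http-ignored")
    return findings


def sample_results():
    """Run the audit over three constructed scenarios and return the findings."""
    host = "www.example.com"  # assumed sample host
    cases = {
        # Mirrors the thread: the site is served over HTTP with no policy at all.
        "current": (Response(200, {"Content-Type": "text/html"}), Response(200, {})),
        # Redirect in place, but a short max-age and no includeSubDomains.
        "partial": (
            Response(302, {"Location": f"https://{host}/login"}),
            Response(200, {"strict-transport-security": "max-age=300"}),
        ),
        # Redirect plus a one-year policy covering subdomains: passes.
        "hardened": (
            Response(301, {"Location": f"https://{host}/"}),
            Response(200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
        ),
    }
    return {name: audit(http, https, host) for name, (http, https) in cases.items()}


if __name__ == "__main__":
    for name, findings in sample_results().items():
        print(f"{name:9s} -> {findings or 'OK'}")
```

The `hardened` scenario is what the opening post asks for; rolling it out in the order the developer describes (certificates for every subdomain first, then the redirect, then HSTS with a short `max-age` before raising it) avoids locking users out of a subdomain that is still plain HTTP.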


 Post subject: Re: TLS/https
PostPosted: Sun Apr 09, 2017 3:58 am 

Joined: Apr 9, 2017
Posts: 3
Offline
The Best Things, Inc.
I'd also like to express my concern that the login forms are not HTTPS-protected. I understand that Simunomics isn't exactly a high-profile target for intercepting user credentials, but there still is the issue that registration also occurs over HTTP, therefore emails and associated usernames and passwords are made available to anyone watching. If people re-use passwords, then that password is associated with their email now. It would really make me feel better if we had a secure login. :smile:


 Post subject: Re: TLS/https
PostPosted: Mon Apr 10, 2017 8:12 pm 
Developer

Joined: Feb 8, 2008
Posts: 2046
Location: Climbing up the shoulders of giants
Offline
Allmart
System Company
thegp1994 wrote:
I'd also like to express my concern that the login forms are not HTTPS-protected. I understand that Simunomics isn't exactly a high-profile target for intercepting user credentials, but there still is the issue that registration also occurs over HTTP, therefore emails and associated usernames and passwords are made available to anyone watching. If people re-use passwords, then that password is associated with their email now. It would really make me feel better if we had a secure login. :smile:

A very good point. My to-do list is pretty full at the moment but I'll see what I can do about moving everything to https.

BTW as a general rule, I advise tiering your passwords. Whatever password you use for someone like us might be a reasonable re-use on other small independent sites. But don't use it for your email or bank accounts or anything like that. Because I know that your information is properly salted and encrypted, but I can't prove that to you. For all you know, not only could data be at risk but I could be the bad guy myself, taking your info to do evil things with it.

Probably not a big risk for a long-running little browser game, but if you think of all the little sites around the web that require sign up just to read an article or view a deal then eventually someone will be a problem. So let dailygarbage.net have the same password you use for dealspam.com and they can impersonate you on each other but stay locked out of the big stuff.

(Then Yahoo will give away your email info for the 3rd time because they're idiots. But that's another matter.)


 Post subject: Re: TLS/https
PostPosted: Mon Apr 10, 2017 8:23 pm 

Joined: Apr 9, 2017
Posts: 3
Offline
The Best Things, Inc.
Amarsir wrote:
A very good point. My to-do list is pretty full at the moment but I'll see what I can do about moving everything to https.


I really appreciate your dedication!

Amarsir wrote:
BTW as a general rule, I advise tiering your passwords. Whatever password you use for someone like us might be a reasonable re-use on other small independent sites. But don't use it for your email or bank accounts or anything like that. Because I know that your information is properly salted and encrypted, but I can't prove that to you. For all you know, not only could data be at risk but I could be the bad guy myself, taking your info to do evil things with it.

Probably not a big risk for a long-running little browser game, but if you think of all the little sites around the web that require sign up just to read an article or view a deal then eventually someone will be a problem. So let dailygarbage.net have the same password you use for dealspam.com and they can impersonate you on each other but stay locked out of the big stuff.

(Then Yahoo will give away your email info for the 3rd time because they're idiots. But that's another matter.)


Hah, yes, you can only do so much to protect yourself, then a Fortune 500 company gets hacked (or just sells your info) and you're wondering why you made the effort in the first place! :lol: Also a good argument for having a password manager/generator.


 Post subject: Re: TLS/https
PostPosted: Sun Jul 09, 2017 3:23 pm 

Joined: May 17, 2014
Posts: 34
Offline
Global Trade S.A.
 
And it can very well be that even the password manager is a spy. Once I used one and I did not like it, uninstalled it, and I had access to nothing anymore.


 Post subject: Re: TLS/https
PostPosted: Sun Jul 09, 2017 7:17 pm 

Joined: Apr 9, 2017
Posts: 3
Offline
The Best Things, Inc.
Do you remember what the name of it was? I've been using KeePass 2 for a long time now and wouldn't think of using anything else. :smile:

