Log-in site security - Web Apps - Ryzom Community Forum


#1

Any chance you guys can make the Log-In page a https:// site?


(http://atys.ryzom.com/start/index.php)


Certainly don't need anyone fishin' up passwords illicitly. :/

•••Winter•••

---



Always argue with an idiot... it's the only way they can get Experience! :)

#2

I'd recommend getting a certificate at CACert.org instead of a paid one from the certificate mafia.
So a +1 here for the original suggestion. This should have been done years ago ..
The use of HTTPS / TLS should be a worldwide standard for any site, game or app sending login credentials to a server.

Additionally I'd recommend getting back to using separate master and login passwords.

Last edited by Talya (6 years ago)

---

[ˈtʌʎˌjaː ˈʃʌtˑənˌtans] - The wog with the whip! Always takin' care for purposive Ryzom development and conductive community behavior via appropriate amounts of well-placed criticism.
Botherin' homins since Aug '06 - Nuttin' ta lose, but a bad rep.
DE, EN, C++, ASM, MHD, ahd, nl (Ik werk eraan als een ploegpaard), it, lat

#3

https only if the cert is done right (I hate all those sites with defunct certs where the browser wants a confirmation every other day)

I second that; the master/login separation should be the case (again).
AND please allow special chars like .-/&%!.... in the password!

---

#4

As an addendum to the previous post:

There have been several discussions on the web about certificates and CAs (certificate authorities). In my honest opinion they all melt down to these facts:
* Paid CAs ask much more bucks than the service is worth it. But everyone wants "security", so most people pay 'em.
* Paid CAs pay browser developers to include their root certificates. That's why their signed certs don't show up as "defunct", "insecure", "unknown" or whatever.
* Paid CAs appeared to be insecure several times, be it with leaked or sold and misused root certs, wildcards, cretinism or hacked servers. There is no real reason to trust a paid one more than an established free and open one.
* Paid CAs are okay for webshops, since they often include an insurance. But their conditions vary.

CACert seems to be the only free CA based upon an open community. And that looks much more confidential to me than paid ones which earnestly offer their customers to also generate their *private* key pairs O.o .. every admin solely taking such offers into account should be doomed. Security is a serious concern.

I'd suggest everyone who visits an encrypted website to never blindly trust that page just because the address bar is tinted green, but to always check who signed that certificate, to learn about the different CAs and their "business practices" .. and to finally decide for oneself -upon the mentioned facts- whether to really trust that one or not.

Also I agree with Jarnys' suggestion to allow special chars. ;)

Edited 2 times | Last edited by Talya (6 years ago)


#5

Hi!

4 posts and I agree with all. That's so odd I'm going to reply :-)

Anyway:
+1 to https
+1 to cacert cert, or self signed cert with a link in the front page to download the .cer

Have fun,
Nuno

#6

Nuno (Arispotle)
Hi!
+1 [...] or self signed cert with a link in the front page to download the .cer

That won't help much if there's already an attack ongoing. I could control what certificate you download.

#7

Dominikus (Arispotle)
That won't help much if there's already an attack ongoing. I could control what certificate you download.
+1

#8

+1 for https - such a simple change. Travelling a lot, I'd appreciate that very much, thank you!

#9

+1 And separate master/login

---

~~Merchant, Wayfinder, Tracker~~

.:WorldofRyzom.com:. | G'Morning Atys Music Mix | -

#10

agree

#11

+1

Any website that handles money should be https

It's not hard to change and not expensive either.

---

It's bad luck to be superstitious . . .



Palta e decata, nan nec ilne matala.

When one goes on a journey it is not the scenery that changes, but the traveller

#12

+1 for https

---

#13

Actually I think about this a bit differently.

Ryzom is a niche game that cannot be exploited well to make money because there is no open item or toon market. -> No professional attacks on the game itself.

Professional attackers could also be someone looking for an anonymous internet server, but game servers in general are monitored far too closely to remain undetected for a profitable amount of time. They are also high load servers, which makes them even worse if the attacker wants to host illegal content or carry out attacks or scams.

The only real threats are people from the inside. When huge love turns into worst hate. And people who want to 'show weaknesses' to developers interpreting 'hacker ethics' the worst way possible. Those haters or hackers do not have the means to monitor communication unless they are sitting right next to you. And if they do it's easy for them to circumvent encryption anyways.

I do have some security concerns too but those are about a totally different attack vector that cannot be fixed using encryption.

#14

The player account login page is https; I just visited it. Not sure why they can't just use the same for the forum etc... What I find uncomfortable is forum / login = same.

Last edited by Seawe (6 years ago)
