RAGNARÖK ONLINE Site officiel : www.ragnarokeurope.com



Unencrypted HTTP Login

http login security https

6 replies to this topic

#1 DoMiNaToR_xD

    Poring

  • Members
  • 11 posts

Posted 21 August 2017 - 07:03 PM

Dear Ro-Admins,

may I ask you why the login with an account is unencrypted, which is a real security problem? Even here in the forum no HTTPS is active. In here it isn't that big a problem, because this account stands on its own and no money is attached to it. But on the main website some accounts have already paid money / carats which could be stolen because of simple connection sniffing, because the communication is not encrypted. How can this be? How is it really possible to have such a big security issue, because encrypting the connection shouldn't be a big thing?

Please give us a statement, thanks.

Sincerely yours,
DoMiNaToR_xD

#2 Shoushiken

    Marin

  • Members
  • 707 posts
  • Location: Prontera

Posted 22 August 2017 - 11:54 PM

It's sometimes hard to convince the higher-ups in a company that certain security aspects are worth the costs... even if it's only about 200 USD a year. Sad, but true.

#3 DoMiNaToR_xD

    Poring

  • Members
  • 11 posts

Posted 23 August 2017 - 01:35 AM

In case of an account theft (through that issue) it would be possible to file a damage suit because of the carelessness of the operators.
This is really irresponsible ...
Admin please ACT!!!

#4 Puldorf

    Poporing

  • Members
  • 183 posts

Posted 23 August 2017 - 08:47 AM

Go paypal :)

#5 DoMiNaToR_xD

    Poring

  • Members
  • 11 posts

Posted 30 August 2017 - 01:58 AM

Puldorf, on 23 August 2017 - 08:47 AM, said:

Go paypal :)

Best thing when people without any knowledge think that they are smart. Little hint: your bought karats, for example, won't last long if the account is secretly stolen, meaning when someone knows your password and waits for a good chance to get much stuff ...
Before you write anything you should first try to understand how HTTPS works and what the consequences could be instead ...
Not only the payment process itself has to be protected, but the things you farmed, bought and so on have to be secured, too!
But now someone could do a simple man-in-the-middle attack and he / she would know your account name with password and any other information you have put into your account. He / she would even then be able to log into your account and steal all your items and then delete your characters. This would be the bad scenario, but not even the worst. This is why encryption on a connection with accounts like that is a total must have and there are even nearly cost-free methods to implement this function. Even if they create and use a self-signed certificate with a CA it would be MUCH better. But buying a certificate from a CA wouldn't cost that much ...
This is just irresponsible.
Doesn't an admin want to act or start a process to solve this security issue?
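
What "simple connection sniffing" of a plain-HTTP login actually yields, as an added example that is not part of the thread and not the site's code: the captured request below is constructed for this illustration (the host `www.example-game.test`, the path `/login.php`, the field names and the credentials are all invented), and the two helpers show how a passive observer on the same WLAN recovers the credentials and session cookie from it, plus a check for whether a login form on a given page would submit over plain HTTP at all.

```python
"""Added example: what a passive sniffer sees when a login form is submitted
over plain HTTP. The captured request is constructed (fake host, fake field
names, fake credentials); it is not from the site discussed in the thread."""
from urllib.parse import parse_qs, urljoin, urlsplit

# Constructed sample: the raw bytes of one HTTP POST exactly as they would sit
# in a packet capture taken on an open WLAN. Nothing in it is encrypted.
CAPTURED_REQUEST = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: www.example-game.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Cookie: PHPSESSID=0123456789abcdef\r\n"
    b"Content-Length: 41\r\n"
    b"\r\n"
    b"username=poring42&password=Sup3r%21Secret"
)


def parse_http_request(raw: bytes) -> dict:
    """Split one raw HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so a pipelined follow-up request is not swallowed.
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def extract_credentials(raw: bytes,
                        user_fields=("username", "user", "login", "id"),
                        pass_fields=("password", "passwd", "pass", "pw")):
    """Return the credentials carried by a form POST, or None if the request
    is not a form login. This is all a sniffer has to do: no cracking, no
    man-in-the-middle position needed, just read the bytes off the air."""
    req = parse_http_request(raw)
    if req["method"] != "POST":
        return None
    ctype = req["headers"].get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return None
    form = parse_qs(req["body"].decode("utf-8"), keep_blank_values=True)

    def first(names):
        for name in names:
            if name in form:
                return form[name][0]   # parse_qs already URL-decodes (%21 -> !)
        return None

    user, password = first(user_fields), first(pass_fields)
    if user is None or password is None:
        return None
    return {"host": req["headers"].get("host"), "path": req["path"],
            "username": user, "password": password,
            "cookie": req["headers"].get("cookie")}


def form_posts_in_clear(page_url: str, action: str) -> bool:
    """True if a form found on page_url would submit to a plain-http URL.
    A relative action inherits the page's scheme, so a form on an http://
    page is exposed even when its action is just '/login.php', and an
    https:// page whose form posts to an absolute http:// URL is exposed too."""
    return urlsplit(urljoin(page_url, action)).scheme != "https"


if __name__ == "__main__":
    print(extract_credentials(CAPTURED_REQUEST))
    print(form_posts_in_clear("http://www.example-game.test/login", "/login.php"))
```

Hashing the password on the server does not change any of this: the sniffer reads it before it ever reaches the server. The session cookie in the same request is just as useful to an attacker, since it lets them act as the user without logging in at all. Both problems go away only when the page that carries the form and the URL the form posts to are both served over HTTPS.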

#6 Cookieraider

    Poporing

  • Members
  • 135 posts

Posted 15 September 2017 - 10:05 AM

Well, basically the Gravity Gateway has an encrypted connection. Maybe it would be possible to do some redirects from the site there, and that would cost very little. Or actually not, I don't think they haven't thought of that. But our greatest luck is that online games are not that often hacked for valuable personal private data, but to gain in-game advantages.

#7 Shoushiken

    Marin

  • Members
  • 707 posts
  • Location: Prontera

Posted 15 September 2017 - 01:56 PM

Cookieraider, on 15 September 2017 - 10:05 AM, said:

Well, basically the Gravity Gateway has an encrypted connection. Maybe it would be possible to do some redirects from the site there, and that would cost very little. Or actually not, I don't think they haven't thought of that. But our greatest luck is that online games are not that often hacked for valuable personal private data, but to gain in-game advantages.

Well, that would cost the time to extend gravity-gateway.com to act as an authentication server for SSO and ragnarokeurope.com to use that instead of the current login and change-password forms. I think an additional SSL certificate would be the more economical solution.

Anyway, regarding security: even if we had proper HTTPS encryption on the website... logging in via the client on an open WLAN would still be a huge risk. Obtaining the raw password from that is a bit tougher, but for spending Karats and stealing zeny/equipment a replay of the login containing the hashed/salted password would be enough.
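
The replay risk raised in the post above, as an added example that is not part of the thread and does not describe the actual game client protocol: a toy login where the client sends a fixed digest of the password is replayable from a single capture, whereas a challenge-response login bound to a single-use server nonce rejects the same captured message. The user name, the field names and the SHA-256 verifier are assumptions made for the illustration.

```python
"""Added example (not from the thread or the game): why a login that sends a
fixed password hash can be replayed, and how a single-use server nonce
(challenge-response) defeats the replay. Toy protocol; the field names and
the sha256 verifier are assumptions for the illustration."""
import hashlib
import hmac
import secrets


def password_verifier(password: str) -> bytes:
    # Toy verifier: a bare SHA-256 of the password. A real server would store
    # a salted, slow password hash or use a PAKE; the replay property shown
    # here is the same either way.
    return hashlib.sha256(password.encode()).digest()


class StaticHashServer:
    """Accepts {user, proof} where proof is the same digest on every login."""

    def __init__(self, users: dict):
        self.verifiers = {u: password_verifier(p) for u, p in users.items()}

    def login(self, msg: dict) -> bool:
        expected = self.verifiers.get(msg["user"])
        return expected is not None and hmac.compare_digest(expected, msg["proof"])


def static_client_login(user: str, password: str) -> dict:
    # Every field of this message is constant, so one sniffed copy is enough
    # to log in again later without ever knowing the password.
    return {"user": user, "proof": password_verifier(password)}


class ChallengeServer:
    """Issues a fresh random nonce per attempt and only accepts a proof
    bound to the nonce it issued; each nonce is consumed on first use."""

    def __init__(self, users: dict):
        self.verifiers = {u: password_verifier(p) for u, p in users.items()}
        self.pending = {}  # user -> outstanding nonce

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return nonce

    def login(self, msg: dict) -> bool:
        nonce = self.pending.pop(msg["user"], None)   # single use
        verifier = self.verifiers.get(msg["user"])
        if nonce is None or verifier is None:
            return False
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, msg["proof"])


def challenge_client_login(user: str, password: str, nonce: bytes) -> dict:
    # The proof depends on the server's nonce, so a capture is only good for
    # the one attempt it was made for.
    proof = hmac.new(password_verifier(password), nonce, hashlib.sha256).digest()
    return {"user": user, "proof": proof}


def simulate() -> dict:
    """Run both protocols once legitimately, then replay the captured message."""
    users = {"poring42": "Sup3r!Secret"}   # constructed test account
    results = {}

    # 1. Static digest: the sniffer records the message and resends it later.
    srv = StaticHashServer(users)
    sniffed = static_client_login("poring42", "Sup3r!Secret")
    results["static_legit"] = srv.login(sniffed)
    results["static_replay"] = srv.login(dict(sniffed))   # same bytes, later

    # 2. Challenge-response: the recorded proof is bound to a consumed nonce.
    srv = ChallengeServer(users)
    nonce = srv.challenge("poring42")
    sniffed = challenge_client_login("poring42", "Sup3r!Secret", nonce)
    results["challenge_legit"] = srv.login(sniffed)
    # Replay with no outstanding challenge: the nonce was consumed above.
    results["challenge_replay_no_challenge"] = srv.login(dict(sniffed))
    # Replay after requesting a new challenge: the proof covers the old nonce.
    srv.challenge("poring42")
    results["challenge_replay_new_nonce"] = srv.login(dict(sniffed))
    return results


if __name__ == "__main__":
    for name, ok in simulate().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The nonce only closes the replay hole. An attacker who can sit in the middle of an unencrypted connection can still relay the live exchange, hijack the session that follows the login, or simply read everything else the client sends, which is why the nonce is a complement to transport encryption and not a substitute for it.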




