RAGNARÖK ONLINE Official site: www.ragnarokeurope.com



Unencrypted HTTP Login

http login security https

13 replies to this topic

#1 DoMiNaToR_xD


Posted 21 August 2017 - 07:03 PM

Dear Ro-Admins,

May I ask you why the login with an account is unencrypted, which is a real security problem? Even here in the forum no HTTPS is active. In here it isn't that big a problem, because this account stands on its own and no money is attached to it. But on the main website some accounts have already paid money / carats which could be stolen by simple connection sniffing, because the communication is not encrypted. How can this be? How is it really possible to have such a big security issue, when encrypting the connection shouldn't be a big thing?

Please give us a statement, thanks.

sincerely yours
DoMiNaToR_xD

#2 Shoushiken


Posted 22 August 2017 - 11:54 PM

It's sometimes hard to convince the higher-ups in a company that certain security aspects are worth the costs.. even if it's only about 200 USD a year. Sad, but true.

#3 DoMiNaToR_xD


Posted 23 August 2017 - 01:35 AM

In case of an account theft (through that issue) there would be a possibility of a damage suit because of the carelessness of the operators.
This is really irresponsible ...
Admin please ACT!!!

#4 Puldorf


Posted 23 August 2017 - 08:47 AM

Go paypal :)

#5 DoMiNaToR_xD


Posted 30 August 2017 - 01:58 AM

Puldorf, on 23 August 2017 - 08:47 AM, said:

Go paypal :)

Best thing is when people without any knowledge think that they are smart. Little hint: your bought karats, for example, won't last long if the account is secretly stolen, meaning when someone knows your password and waits for a good chance to get a lot of stuff ...
Before you write anything you should first try to understand how HTTPS works and what the consequences could be instead ...
Not only the payment process itself has to be protected, but the things you farmed, bought and so on have to be secured, too!
But now someone could do a simple man-in-the-middle attack and he / she would know your account name with password and any other information you have put into your account. He / she would then even be able to log into your account, steal all your items and then delete your characters. This would be a bad scenario, but not even the worst. This is why encryption on a connection with accounts like that is a total must-have, and there are even nearly cost-free methods to implement this function. Even if they created and used a self-signed certificate with a CA it would be MUCH better. But buying a certificate from a CA wouldn't cost that much ...
This is just irresponsible.
Doesn't an admin want to act or start a process to solve this security issue?

#6 Cookieraider


Posted 15 September 2017 - 10:05 AM

Well, basically the Gravity Gateway has an encrypted connection. Maybe it would be possible to do some redirects from the site there, and that would cost very little. Or actually not, I don't think they haven't thought of that. But our greatest luck is that online games are not that often hacked for valuable personal private data, but to gain in-game advantages.

#7 Shoushiken


Posted 15 September 2017 - 01:56 PM

Cookieraider, on 15 September 2017 - 10:05 AM, said:

Well, basically the Gravity Gateway has an encrypted connection. Maybe it would be possible to do some redirects from the site there, and that would cost very little. Or actually not, I don't think they haven't thought of that. But our greatest luck is that online games are not that often hacked for valuable personal private data, but to gain in-game advantages.

Well, that would cost the time to extend gravity-gateway.com to act as an authentication server for SSO and ragnarokeurope.com to use that instead of the current login- and change password forms. I think an additional SSL certificate would be the more economical solution.

Anyway, regarding security - even if we had proper HTTPS encryption on the website... logging in via the client on an open WLAN would still be a huge risk. Obtaining the raw password from that is a bit tougher, but for spending Karats and stealing zeny/equipment a replay of the login containing the hashed/salted password would be enough.

#8 DoMiNaToR_xD


Posted 17 October 2017 - 11:18 PM

Cookieraider, on 15 September 2017 - 10:05 AM, said:

Well, basically the Gravity Gateway has an encrypted connection. Maybe it would be possible to do some redirects from the site there, and that would cost very little. Or actually not, I don't think they haven't thought of that. But our greatest luck is that online games are not that often hacked for valuable personal private data, but to gain in-game advantages.

A login via unencrypted communication should not be possible. And who tells me how that gateway is processing those requests? If those requests are translated into plain HTTP and then redirected to the website, then we wouldn't gain anything, so how does this gateway work? And it is no argument that the main focus of the hackers is on this game ... there is somehow money in that game, so it should be protected; this is just irresponsible.

Shoushiken, on 15 September 2017 - 01:56 PM, said:

Well, that would cost the time to extend gravity-gateway.com to act as an authentication server for SSO and ragnarokeurope.com to use that instead of the current login- and change password forms. I think an additional SSL certificate would be the more economical solution.

Anyway, regarding security - even if we had proper HTTPS encryption on the website... logging in via the client on an open WLAN would still be a huge risk. Obtaining the raw password from that is a bit tougher, but for spending Karats and stealing zeny/equipment a replay of the login containing the hashed/salted password would be enough.

Yeah, the SSL variant would be a short, efficient way to secure this shit and it wouldn't cost that much, it is not even worth mentioning. Of course the login in the client has to be protected by TCP encryption as well, but it should already be built into the used libraries.
On the second point your argument is totally invalid. The usage of a WLAN itself has, first of all, nothing to do with HTTP encryption (HTTPS). You get that risk every time you use a public WLAN, therefore you should always install a firewall. Obtaining a password from HTTPS itself is the same difficulty everywhere. In a WLAN it is just easier to get into the same net as your victim, because "hacking" into a wired LAN is physically problematic, because you have to get your hands onto that wire. And that hash would only work if you use plain HTTP; with encryption you wouldn't read the hash of the password ...

#9 Cookieraider


Posted 18 October 2017 - 05:42 AM

DoMiNaToR_xD, on 17 October 2017 - 11:18 PM, said:

A login via unencrypted communication should not be possible. And who tells me how that gateway is processing those requests? If those requests are translated into plain HTTP and then redirected to the website, then we wouldn't gain anything, so how does this gateway work? And it is no argument that the main focus of the hackers is on this game ... there is somehow money in that game, so it should be protected; this is just irresponsible.

I know and you are totally right. When something does not often occur, no matter if it's only a tiny bit or extremely malicious, it doesn't mean there should be no protection against it. I was just going at this from the "luckily this really does not occur that often" point of view.

#10 Shoushiken


Posted 18 October 2017 - 01:49 PM

DoMiNaToR_xD, on 17 October 2017 - 11:18 PM, said:

On the second point your argument is totally invalid. The usage of a WLAN itself has, first of all, nothing to do with HTTP encryption (HTTPS). You get that risk every time you use a public WLAN, therefore you should always install a firewall. Obtaining a password from HTTPS itself is the same difficulty everywhere. In a WLAN it is just easier to get into the same net as your victim, because "hacking" into a wired LAN is physically problematic, because you have to get your hands onto that wire. And that hash would only work if you use plain HTTP; with encryption you wouldn't read the hash of the password ...

You didn't understand what I wrote. I said "logging in via the client on an open WLAN" - meaning the game. I was talking about the game itself not using any kind of encryption. So, if anyone who knows what RO is ever wiresharked around on a monitor interface in your vicinity on a non-encrypted WLAN that person would be able to log into the game without even knowing your plain-text password. Thus, having HTTPS on the website wouldn't make your account totally safe.
Also, firewalls have nothing to do with encryption. I was talking about the possibility to capture traffic. Using a VPN on an open WLAN would help here, though.

#11 DoMiNaToR_xD


Posted 19 October 2017 - 09:00 PM

Shoushiken, on 18 October 2017 - 01:49 PM, said:

You didn't understand what I wrote. I said "logging in via the client on an open WLAN" - meaning the game. I was talking about the game itself not using any kind of encryption. So, if anyone who knows what RO is ever wiresharked around on a monitor interface in your vicinity on a non-encrypted WLAN that person would be able to log into the game without even knowing your plain-text password. Thus, having HTTPS on the website wouldn't make your account totally safe.
Also, firewalls have nothing to do with encryption. I was talking about the possibility to capture traffic. Using a VPN on an open WLAN would help here, though.

If there is a certificate integrated it would be the same as HTTPS, but we don't know exactly if it is implemented, because I didn't check it (with Wireshark, for example), but there would be no real difference ... So it is the same discussion as HTTP / HTTPS, but I complained now about this problem, because I know it.
And on the second point, a VPN doesn't solve this, because the VPN network has access to your PC without a firewall on the PC (network access) and can read the plain traffic. Because the network is inside the encryption (at least the VPN server; mostly each client has its own encryption with the server, so just the server reads all data) ...

#12 Shoushiken


Posted 20 October 2017 - 12:39 AM

DoMiNaToR_xD, on 19 October 2017 - 09:00 PM, said:

If there is a certificate integrated it would be the same as HTTPS, but we don't know exactly if it is implemented, because I didn't check it (with Wireshark, for example), but there would be no real difference ... So it is the same discussion as HTTP / HTTPS, but I complained now about this problem, because I know it..

I was talking about the communication between the game client (Ragexe) and the server and there certainly is no encryption used - trust me on that. I have no idea why you're even bothering talking about certificates.
Therefore, a potential attacker could capture a password hash that he could simply replay along with the rest of the login packet from anywhere and he'd be online with that particular account. Period. Meaning, the weakest part in the communication with the servers - if there was HTTPS used for the website's login - would be the game's own login.

I'm not saying using HTTPS would be a bad idea but you cannot say: everything would be perfectly secure using HTTPS for the website. It wouldn't be.

DoMiNaToR_xD, on 19 October 2017 - 09:00 PM, said:

And on the second point, a VPN doesn't solve this, because the VPN network has access to your PC without a firewall on the PC (network access) and can read the plain traffic. Because the network is inside the encryption (at least the VPN server; mostly each client has its own encryption with the server, so just the server reads all data) ..

Yeah, because you can totally not set up your own VPN gateway on your home network with a Raspberry Pi / Fritz Box / other system running Linux, or on your root server. And even for people who aren't that tech-savvy.. there are enough guides for setting that up around.
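
The replay argument from the post above, as an added example that is not part of the thread and not the game's actual protocol: design A sends a fixed salted hash, so a captured login message is accepted again, while the assumed design B binds the response to a single-use server nonce. All names, the salt and the password are constructed.

```python
import hashlib
import hmac
import secrets

SALT = b"per-account-salt"                                  # constructed sample values
STORED = hashlib.sha256(SALT + b"correct horse").digest()   # what the server keeps


def static_login_message(password):
    """Design A: the client sends the same salted hash on every login."""
    return hashlib.sha256(SALT + password).digest()


def server_accepts_static(message):
    return hmac.compare_digest(message, STORED)


class ChallengeServer:
    """Design B (assumed): fresh nonce per login, each nonce accepted once."""
    def __init__(self):
        self.open_nonces = set()

    def new_challenge(self):
        nonce = secrets.token_bytes(16)
        self.open_nonces.add(nonce)
        return nonce

    def accepts(self, nonce, response):
        if nonce not in self.open_nonces:   # unknown or already used
            return False
        self.open_nonces.discard(nonce)
        expected = hmac.new(STORED, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def challenge_response(password, nonce):
    """The client keys an HMAC over the nonce with its salted hash."""
    return hmac.new(static_login_message(password), nonce, hashlib.sha256).digest()


def replay_outcomes():
    """Return (legitimate login ok, design A replay accepted, design B replay accepted)."""
    captured_a = static_login_message(b"correct horse")   # one observed login
    server = ChallengeServer()
    nonce = server.new_challenge()
    captured_b = challenge_response(b"correct horse", nonce)
    first_ok = server.accepts(nonce, captured_b)           # the legitimate login
    # Replay the captured response against a fresh nonce and the used one.
    replayed = [server.accepts(n, captured_b) for n in (server.new_challenge(), nonce)]
    return first_ok, server_accepts_static(captured_a), any(replayed)
```

Design B only removes the replay; without an encrypted channel the rest of the session stays readable to anyone who can capture the traffic.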

#13 DoMiNaToR_xD


Posted 23 October 2017 - 05:36 PM

Shoushiken, on 20 October 2017 - 12:39 AM, said:

I was talking about the communication between the game client (Ragexe) and the server and there certainly is no encryption used - trust me on that. I have no idea why you're even bothering talking about certificates.
Therefore, a potential attacker could capture a password hash that he could simply replay along with the rest of the login packet from anywhere and he'd be online with that particular account. Period. Meaning, the weakest part in the communication with the servers - if there was HTTPS used for the website's login - would be the game's own login.

I'm not saying using HTTPS would be a bad idea but you cannot say: everything would be perfectly secure using HTTPS for the website. It wouldn't be.



Yeah, because you can totally not set up your own VPN gateway on your home network with a Raspberry Pi / Fritz Box / other system running Linux, or on your root server. And even for people who aren't that tech-savvy.. there are enough guides for setting that up around.

On that point you are right: if the client is unencrypted, too, then it is necessary to implement encryption as well. You can say that it is needed everywhere you can log in! I just didn't check the game client, but in the browser you see this instantly, so I made a complaint. But nothing has happened until now, which tells me that it doesn't interest them. They do not really care for their users ... pathetic.
But on the second point I must totally disagree: yes, you can build your own VPN to avoid attacks from your own network, but when the server (e.g. Fritz Box) is communicating with the RO server the communication will be decrypted again and then everything is readable in plaintext again, because the RO server is not part of the VPN. Therefore the VPN variant doesn't help at all ...

#14 DoMiNaToR_xD


Posted 17 November 2017 - 02:32 PM

Still no reaction from an admin or someone responsible?




