Conquer Club

[Login] Automatically use HTTPS on Login

Suggestions that have been archived.

Moderator: Community Team

[Login] Automatically use HTTPS on Login

Postby bedub1 on Fri Jan 28, 2011 10:36 pm

Concise description:
  • Change the login page from using the insecure/unencrypted HTTP to using the secure/encrypted HTTPS

Specifics/Details:
  • HTTPS is already setup, so it should be very easy.
  • Create a redirect so if a user tries to visit http://www.conquerclub.com they are redirected to https://www.conquerclub.com
  • After logging in the user using https, redirect the user back to http for playing games, forum, chat etc

How this will benefit the site and/or other comments:
  • Users at a public insecure hotspot will have their password encrypted
  • Users at work won't have their passwords sniffed by their system administrators
  • Users without encryption on their home wifi won't have their passwords sniffed by their neighbors
  • CC won't be liable for users passwords being hacked
  • CC will be recognized as a forward thinking and user friendly website, working hard to protect it's users. Instead of a website that just really doesn't give a shit.
  • SirSebstar won't have to manually change from HTTP to HTTPS to play games while at work
  • sam-c812 wouldn't be reported for cheating
  • You don't have to worry about your ISP stealing your password
  • You don't have to worry about your government stealing your password
  • You don't have to worry about the Tunisian government stealing your password
  • I'll stop bitching about it
  • I'll change my signature

Supporters:
  • bedub1
  • Mr_Adams
  • rdsrds2120
  • SirSebstar
  • stahrgazer
  • InsomniaRed
  • Woodruff "Encryption is pointless?" <- I take this to mean he supports it.
  • Metsfanmax
  • basic_man2010_20<- doesn't specify this is a good idea...but keeps trying to get CC to be more secure
  • chipv
  • jakewilliams
  • Darwins_Bane23:03:23 ā€¹Darwins_Baneā€ŗ i really would like to see just the login screen run the extra ssl socket

People that seem to thing encryption/security is silly:

  • blakebowling

If I have you on the wrong list please let me know.
Last edited by bedub1 on Fri Mar 11, 2011 2:05 am, edited 9 times in total.
Colonel bedub1
 
Posts: 1005
Joined: Sun Dec 31, 2006 4:41 am

Re: Turn HTTP into HTTPS on login

Postby Mr_Adams on Wed Feb 02, 2011 11:37 pm

Good point. And if we are going for security, shouldn't the whole website be in HTTPS, since you can buy premium membership and other such internet transactions?
Image
User avatar
Captain Mr_Adams
 
Posts: 1987
Joined: Fri Jul 13, 2007 8:33 pm

Re: Turn HTTP into HTTPS on login

Postby Darwins_Bane on Thu Feb 03, 2011 1:06 am

Although I understand where you're coming from, this is a gaming website, there is little to no likelyhood that someone is going to try to steal your password to it. There just really isn't any point. On the point of transactions on the website, you will notice that when you try and pay, it redirects to https for security reasons during the transaction.
high score : 2294
02:59:29 ā€¹Khan22ā€ŗ wouldn't you love to have like 5 or 6 girls all giving you attention?
10/11/2010 02:59:39 ā€¹TheForgivenOneā€ŗ No.
Corporal Darwins_Bane
 
Posts: 989
Joined: Tue Mar 04, 2008 7:09 pm
Location: Ottawa, Ontario

Re: Turn HTTP into HTTPS on login

Postby tkr4lf on Thu Feb 03, 2011 1:14 am

I highly doubt this is related to this suggestion, but the other day I was playing and all of a sudden it switched to HTTPS for some odd reason in the middle of doing something. Then, for some reason, every time I refreshed the page/went to a new page, a pop up occured that asked me if I wanted to view all information on page or just the information that was secure, and it was very annoying having to click "yes" or "no" everytime. Again, doubt this is related, and it went away when I exited the site and came back, but still something to consider.
User avatar
Major tkr4lf
 
Posts: 1976
Joined: Thu Nov 06, 2008 11:35 am
Location: St. Louis

Re: Turn HTTP into HTTPS on login

Postby bedub1 on Fri Feb 04, 2011 1:27 am

You can lead a horse to water, but you can't make it drink
Colonel bedub1
 
Posts: 1005
Joined: Sun Dec 31, 2006 4:41 am

Re: Turn HTTP into HTTPS on login

Postby SirSebstar on Fri Feb 04, 2011 6:49 am

Darwins_Bane wrote:Although I understand where you're coming from, this is a gaming website, there is little to no likelyhood that someone is going to try to steal your password to it. There just really isn't any point. On the point of transactions on the website, you will notice that when you try and pay, it redirects to
https for security reasons during the transaction.


Actually there is another issue involved. i am currently working in an environment that does not allow me to game on cc during my break. I can only acces the forums because i add the s to http manually. It does work, but i cannot play my games that way unless i can play them in https. it gets blocked by the firewall.

So please introduce this.
regards,
SirSebstar
Image
User avatar
Major SirSebstar
 
Posts: 6969
Joined: Fri Oct 27, 2006 7:51 am
Location: SirSebstar is BACK. Highscore: Colonel Score: 2919 21/03/2011

Re: Turn HTTP into HTTPS on login

Postby rdsrds2120 on Fri Feb 04, 2011 7:13 pm

I think this is one of those ideas that just seems undebatable. No matter which way you cut it, isn't https all around better than normal http for security?

-rd
User avatar
Corporal 1st Class rdsrds2120
 
Posts: 6274
Joined: Fri Jul 03, 2009 3:42 am

Re: Turn HTTP into HTTPS on login

Postby bedub1 on Sat Feb 05, 2011 1:43 pm

rdsrds2120 wrote:I think this is one of those ideas that just seems undebatable. No matter which way you cut it, isn't https all around better than normal http for security?

-rd

=D> =D> =D> =D> =D> =D> =D> =D> =D> =D>

I wasn't sure how to respond to somebody who said "egh...we don't' need that" without it turning into a flame....
Colonel bedub1
 
Posts: 1005
Joined: Sun Dec 31, 2006 4:41 am

Re: Turn HTTP into HTTPS on login

Postby blakebowling on Sun Feb 06, 2011 12:27 pm

The reason secure isn't used on all pages. Its slower than regular http. If you would like to use it. Simply go to https://conquerclub.com/ and browse around. Also, as someone said before, some elements, such as the static images, xml files, style sheets and such; would make no sense as they never change.

Regardless of my rant.
Login on https = not a horrible idea.
Whole site on https = redundant.
Private blakebowling
 
Posts: 5096
Joined: Wed Jan 23, 2008 12:09 pm
Location: 127.0.0.1

Re: Turn HTTP into HTTPS on login

Postby bedub1 on Sun Feb 06, 2011 2:31 pm

blakebowling wrote:The reason secure isn't used on all pages. Its slower than regular http. If you would like to use it. Simply go to https://conquerclub.com/ and browse around. Also, as someone said before, some elements, such as the static images, xml files, style sheets and such; would make no sense as they never change.

Regardless of my rant.
Login on https = not a horrible idea.
Whole site on https = redundant.

Can we change it to:

Login on https = fantastic idea
Whole site on https = waste of bandwidth
Colonel bedub1
 
Posts: 1005
Joined: Sun Dec 31, 2006 4:41 am

Re: Turn HTTP into HTTPS on login

Postby basic_man2010_20 on Sun Feb 06, 2011 4:04 pm

well actually you say that its a gamine website noone will do it.... ummm yah how bout this there arte hackers that hackj games just to f*ck around with people..... mafia (mmropg) games get hacked all the time, I am preaty sure that this site is probley realy extreamlyeasy to hack
Cook basic_man2010_20
 
Posts: 464
Joined: Sun Sep 05, 2010 11:26 am

Re: Turn HTTP into HTTPS on login

Postby blakebowling on Mon Feb 07, 2011 4:12 pm

basic_man2010_20 wrote:well actually you say that its a gamine website noone will do it.... ummm yah how bout this there arte hackers that hackj games just to f*ck around with people..... mafia (mmropg) games get hacked all the time, I am preaty sure that this site is probley realy extreamlyeasy to hack

If I could read this, I might just have something to say about it.
Private blakebowling
 
Posts: 5096
Joined: Wed Jan 23, 2008 12:09 pm
Location: 127.0.0.1

Re: Turn HTTP into HTTPS on login

Postby bedub1 on Tue Feb 08, 2011 12:23 pm

blakebowling wrote:
basic_man2010_20 wrote:well actually you say that its a gamine website noone will do it.... ummm yah how bout this there arte hackers that hackj games just to f*ck around with people..... mafia (mmropg) games get hacked all the time, I am preaty sure that this site is probley realy extreamlyeasy to hack

If I could read this, I might just have something to say about it.

hey now...that's not very polite. Did you consider english might not be his primary language?

"Well actually you saying that this is a gaming website thus nobody will attack it...umm..yeah...how about there are hackers that attack games just to f*ck with people...mafia (mmporg) gaming websites get hacked all the time. I am pretty sure that this site is easy to hack."
Colonel bedub1
 
Posts: 1005
Joined: Sun Dec 31, 2006 4:41 am

Re: Turn HTTP into HTTPS on login

Postby bedub1 on Tue Mar 01, 2011 10:52 pm

Bump.

Can we try and get this deployed? It's really easy and would be helpful, even if everybody doesn't understand why or agree. There really isn't a single downside to deploying this....only positives....
Colonel bedub1
 
Posts: 1005
Joined: Sun Dec 31, 2006 4:41 am

Re: Turn HTTP into HTTPS on login (poll created)

Postby InsomniaRed on Tue Mar 01, 2011 11:00 pm

YES! Aladdin! And yes to the login being changed to HTTPS, but not the whole site.
      I will always love you Nick, Forever.
Image
      I will always love you Nick, Forever.
User avatar
Major InsomniaRed
 
Posts: 2246
Joined: Sun Dec 30, 2007 2:58 am
Location: In Nick's heart

Re: Turn HTTP into HTTPS on login (poll created)

Postby bedub1 on Tue Mar 01, 2011 11:17 pm

InsomniaRed wrote:And yes to the login being changed to HTTPS, but not the whole site.

I agree...there is no reason to encrypt the entire site. But you know..it does work just fine. :) I've been using HTTPS ever since I posted this...and since it doesn't redirect me back to HTTP...I browse the entire site in HTTPS...take my turns in HTTPS....post to the forum in HTTPS. I'm posting this via HTTPS. Go encryption!
Colonel bedub1
 
Posts: 1005
Joined: Sun Dec 31, 2006 4:41 am

Re: Turn HTTP into HTTPS on login

Postby blakebowling on Wed Mar 02, 2011 12:17 am

bedub1 wrote:Bump.

Can we try and get this deployed? It's really easy and would be helpful, even if everybody doesn't understand why or agree. There really isn't a single downside to deploying this....only positives....

Lies.

HTTPS is SLOWER than HTTP
Private blakebowling
 
Posts: 5096
Joined: Wed Jan 23, 2008 12:09 pm
Location: 127.0.0.1

Re: Turn HTTP into HTTPS on login

Postby bedub1 on Wed Mar 02, 2011 12:45 am

blakebowling wrote:
bedub1 wrote:Bump.

Can we try and get this deployed? It's really easy and would be helpful, even if everybody doesn't understand why or agree. There really isn't a single downside to deploying this....only positives....

Lies.

HTTPS is SLOWER than HTTP

True. It has a little bit of extra information to include the security portion. How long does login take? a second? So if it takes 1.1 seconds with encryption?
Colonel bedub1
 
Posts: 1005
Joined: Sun Dec 31, 2006 4:41 am

Re: Turn HTTP into HTTPS on login

Postby blakebowling on Wed Mar 02, 2011 4:27 pm

bedub1 wrote:
blakebowling wrote:
bedub1 wrote:Bump.

Can we try and get this deployed? It's really easy and would be helpful, even if everybody doesn't understand why or agree. There really isn't a single downside to deploying this....only positives....

Lies.

HTTPS is SLOWER than HTTP

True. It has a little bit of extra information to include the security portion. How long does login take? a second? So if it takes 1.1 seconds with encryption?

It is also completely pointless. Every good web developer should know that forcing protocols is never good.
Private blakebowling
 
Posts: 5096
Joined: Wed Jan 23, 2008 12:09 pm
Location: 127.0.0.1

Re: Turn HTTP into HTTPS on login

Postby bedub1 on Wed Mar 02, 2011 8:37 pm

blakebowling wrote:
bedub1 wrote:
blakebowling wrote:
bedub1 wrote:Bump.

Can we try and get this deployed? It's really easy and would be helpful, even if everybody doesn't understand why or agree. There really isn't a single downside to deploying this....only positives....

Lies.

HTTPS is SLOWER than HTTP

True. It has a little bit of extra information to include the security portion. How long does login take? a second? So if it takes 1.1 seconds with encryption?

It is also completely pointless. Every good web developer should know that forcing protocols is never good.

Did you just say encryption is completely pointless?

You know what...I don't give a shit anymore. You don't like my good idea...I no longer care. I use HTTPS for all my CC interaction. I use it to login, play my games...I use it to browse the forum, I use it to chat. I'm secure. I haven't noticed any difference in speed. I no longer care if the rest of you are or not. If somebody figures out how to steal lacks insecure password and thrash the server...I'll just laugh and point to this thread and say "I told you so".
Colonel bedub1
 
Posts: 1005
Joined: Sun Dec 31, 2006 4:41 am

Re: Turn HTTP into HTTPS on login

Postby Woodruff on Wed Mar 02, 2011 9:57 pm

blakebowling wrote:
bedub1 wrote:
blakebowling wrote:
bedub1 wrote:Bump.

Can we try and get this deployed? It's really easy and would be helpful, even if everybody doesn't understand why or agree. There really isn't a single downside to deploying this....only positives....

Lies.

HTTPS is SLOWER than HTTP

True. It has a little bit of extra information to include the security portion. How long does login take? a second? So if it takes 1.1 seconds with encryption?

It is also completely pointless. Every good web developer should know that forcing protocols is never good.


Encryption is pointless?
...I prefer a man who will burn the flag and then wrap himself in the Constitution to a man who will burn the Constitution and then wrap himself in the flag.
User avatar
Corporal 1st Class Woodruff
 
Posts: 5093
Joined: Sat Jan 05, 2008 9:15 am

Re: Turn HTTP into HTTPS on login

Postby stahrgazer on Wed Mar 02, 2011 10:05 pm

Darwins_Bane wrote:Although I understand where you're coming from, this is a gaming website, there is little to no likelyhood that someone is going to try to steal your password to it.



*cough* right, that's why there have been so many issues with hackers and imposters, like the one that resulted in respectable folks like sam-c812 being reported for cheating... a hacker had taken over another player's logon, set up some speed games to lose them deliberately... anyone remember that from a month or so ago?

There have been other incidents where someone hacked an id. https would help prevent those situations.
Image
User avatar
Sergeant stahrgazer
 
Posts: 1411
Joined: Thu May 22, 2008 11:59 am
Location: Figment of the Imagination...

Re: Turn HTTP into HTTPS on login

Postby blakebowling on Wed Mar 02, 2011 10:16 pm

you're misunderstanding the difference between the two, or how the security works.

HTTP, and HTTPS are essentially the same protocol, with the exception of the SSL key in HTTPS. However, the only way for someone to get the information, is for them to take over a router in the path of where you are going. The easiest of those routers to take over would be (in 99% of cases) the one located at your OWN house. If someone were to re-route the flow of packets through another computer, which they proceeded to analyze and determine the value of the field "password" sent to the conquerclub.com login script, then they would have your password. However this is not the way most "hackings" take place.

The majority of the time, the password is obtained from another website which you use the same password for. Essentially, your password is associated with your username, or your email address in their database. Or, even easier than that; the person got the password from you.
Private blakebowling
 
Posts: 5096
Joined: Wed Jan 23, 2008 12:09 pm
Location: 127.0.0.1

Re: Turn HTTP into HTTPS on login

Postby basic_man2010_20 on Wed Mar 02, 2011 10:35 pm

bedub1 wrote:
blakebowling wrote:
basic_man2010_20 wrote:well actually you say that its a gamine website noone will do it.... ummm yah how bout this there arte hackers that hackj games just to f*ck around with people..... mafia (mmropg) games get hacked all the time, I am preaty sure that this site is probley realy extreamlyeasy to hack

If I could read this, I might just have something to say about it.

hey now...that's not very polite. Did you consider english might not be his primary language?

"Well actually you saying that this is a gaming website thus nobody will attack it...umm..yeah...how about there are hackers that attack games just to f*ck with people...mafia (mmporg) gaming websites get hacked all the time. I am pretty sure that this site is easy to hack."




well English is my primary language but i suck at typing as i don't pay much attention to the online grammar and crap like that. so tell me dose the site allow for .swf ANYWHERE on the site? if so it can eaisley be hacked. All you have to do is put a shell into the .swf file upload it to the site and you have access to the cpanel (if the site runs on a cpanel) or even the database. they get access to the database they have access to our e-mail password and all that they can easily then go and pretend to be us or even worse pull a herk and hack a persons account of witch they don't like and make a bunch of games and point dump and get the person banned.
Cook basic_man2010_20
 
Posts: 464
Joined: Sun Sep 05, 2010 11:26 am

Re: Turn HTTP into HTTPS on login

Postby blakebowling on Wed Mar 02, 2011 10:52 pm

basic_man2010_20 wrote:
bedub1 wrote:
blakebowling wrote:
basic_man2010_20 wrote:well actually you say that its a gamine website noone will do it.... ummm yah how bout this there arte hackers that hackj games just to f*ck around with people..... mafia (mmropg) games get hacked all the time, I am preaty sure that this site is probley realy extreamlyeasy to hack

If I could read this, I might just have something to say about it.

hey now...that's not very polite. Did you consider english might not be his primary language?

"Well actually you saying that this is a gaming website thus nobody will attack it...umm..yeah...how about there are hackers that attack games just to f*ck with people...mafia (mmporg) gaming websites get hacked all the time. I am pretty sure that this site is easy to hack."




well English is my primary language but i suck at typing as i don't pay much attention to the online grammar and crap like that. so tell me dose the site allow for .swf ANYWHERE on the site? if so it can eaisley be hacked. All you have to do is put a shell into the .swf file upload it to the site and you have access to the cpanel (if the site runs on a cpanel) or even the database. they get access to the database they have access to our e-mail password and all that they can easily then go and pretend to be us or even worse pull a herk and hack a persons account of witch they don't like and make a bunch of games and point dump and get the person banned.

Most web developers know of the SWF vulnerabilities. And No, SWF can't be used on the site (at least by regular users, Admins and the entertainment team MAY have access to it).
Private blakebowling
 
Posts: 5096
Joined: Wed Jan 23, 2008 12:09 pm
Location: 127.0.0.1

Next

Return to Archived Suggestions

Who is online

Users browsing this forum: No registered users