
[Login] Automatically use HTTPS on Login

Posted: Fri Jan 28, 2011 10:36 pm
by bedub1
Concise description:
  • Change the login page from using the insecure/unencrypted HTTP to using the secure/encrypted HTTPS

Specifics/Details:
  • HTTPS is already set up, so it should be very easy.
  • Create a redirect so if a user tries to visit http://www.conquerclub.com they are redirected to https://www.conquerclub.com
  • After logging in the user using https, redirect the user back to http for playing games, forum, chat etc

How this will benefit the site and/or other comments:
  • Users at a public insecure hotspot will have their password encrypted
  • Users at work won't have their passwords sniffed by their system administrators
  • Users without encryption on their home wifi won't have their passwords sniffed by their neighbors
  • CC won't be liable for users' passwords being hacked
  • CC will be recognized as a forward thinking and user friendly website, working hard to protect its users. Instead of a website that just really doesn't give a shit.
  • SirSebstar won't have to manually change from HTTP to HTTPS to play games while at work
  • sam-c812 wouldn't be reported for cheating
  • You don't have to worry about your ISP stealing your password
  • You don't have to worry about your government stealing your password
  • You don't have to worry about the Tunisian government stealing your password
  • I'll stop bitching about it
  • I'll change my signature

Supporters:
  • bedub1
  • Mr_Adams
  • rdsrds2120
  • SirSebstar
  • stahrgazer
  • InsomniaRed
  • Woodruff "Encryption is pointless?" <- I take this to mean he supports it.
  • Metsfanmax
  • basic_man2010_20 <- doesn't specify this is a good idea...but keeps trying to get CC to be more secure
  • chipv
  • jakewilliams
  • Darwins_Bane 23:03:23 ‹Darwins_Bane› I really would like to see just the login screen run the extra ssl socket

People that seem to think encryption/security is silly:

  • blakebowling

If I have you on the wrong list please let me know.

Re: Turn HTTP into HTTPS on login

Posted: Wed Feb 02, 2011 11:37 pm
by Mr_Adams
Good point. And if we are going for security, shouldn't the whole website be in HTTPS, since you can buy premium membership and other such internet transactions?

Re: Turn HTTP into HTTPS on login

Posted: Thu Feb 03, 2011 1:06 am
by Darwins_Bane
Although I understand where you're coming from, this is a gaming website, there is little to no likelihood that someone is going to try to steal your password to it. There just really isn't any point. On the point of transactions on the website, you will notice that when you try and pay, it redirects to https for security reasons during the transaction.

Re: Turn HTTP into HTTPS on login

Posted: Thu Feb 03, 2011 1:14 am
by tkr4lf
I highly doubt this is related to this suggestion, but the other day I was playing and all of a sudden it switched to HTTPS for some odd reason in the middle of doing something. Then, for some reason, every time I refreshed the page/went to a new page, a pop up occurred that asked me if I wanted to view all information on page or just the information that was secure, and it was very annoying having to click "yes" or "no" every time. Again, doubt this is related, and it went away when I exited the site and came back, but still something to consider.

Re: Turn HTTP into HTTPS on login

Posted: Fri Feb 04, 2011 1:27 am
by bedub1
You can lead a horse to water, but you can't make it drink

Re: Turn HTTP into HTTPS on login

Posted: Fri Feb 04, 2011 6:49 am
by SirSebstar
Darwins_Bane wrote:Although I understand where you're coming from, this is a gaming website, there is little to no likelihood that someone is going to try to steal your password to it. There just really isn't any point. On the point of transactions on the website, you will notice that when you try and pay, it redirects to https for security reasons during the transaction.


Actually there is another issue involved. I am currently working in an environment that does not allow me to game on cc during my break. I can only access the forums because I add the s to http manually. It does work, but I cannot play my games that way unless I can play them in https. It gets blocked by the firewall.

So please introduce this.
regards,
SirSebstar

Re: Turn HTTP into HTTPS on login

Posted: Fri Feb 04, 2011 7:13 pm
by rdsrds2120
I think this is one of those ideas that just seems undebatable. No matter which way you cut it, isn't https all around better than normal http for security?

-rd

Re: Turn HTTP into HTTPS on login

Posted: Sat Feb 05, 2011 1:43 pm
by bedub1
rdsrds2120 wrote:I think this is one of those ideas that just seems undebatable. No matter which way you cut it, isn't https all around better than normal http for security?

-rd

=D> =D> =D> =D> =D> =D> =D> =D> =D> =D>

I wasn't sure how to respond to somebody who said "egh...we don't need that" without it turning into a flame....

Re: Turn HTTP into HTTPS on login

Posted: Sun Feb 06, 2011 12:27 pm
by blakebowling
The reason secure isn't used on all pages: it's slower than regular http. If you would like to use it, simply go to https://conquerclub.com/ and browse around. Also, as someone said before, some elements, such as the static images, xml files, style sheets and such, would make no sense as they never change.

Regardless of my rant.
Login on https = not a horrible idea.
Whole site on https = redundant.

Re: Turn HTTP into HTTPS on login

Posted: Sun Feb 06, 2011 2:31 pm
by bedub1
blakebowling wrote:The reason secure isn't used on all pages: it's slower than regular http. If you would like to use it, simply go to https://conquerclub.com/ and browse around. Also, as someone said before, some elements, such as the static images, xml files, style sheets and such, would make no sense as they never change.

Regardless of my rant.
Login on https = not a horrible idea.
Whole site on https = redundant.

Can we change it to:

Login on https = fantastic idea
Whole site on https = waste of bandwidth

Re: Turn HTTP into HTTPS on login

Posted: Sun Feb 06, 2011 4:04 pm
by basic_man2010_20
well actually you say that its a gamine website noone will do it.... ummm yah how bout this there arte hackers that hackj games just to f*ck around with people..... mafia (mmropg) games get hacked all the time, I am preaty sure that this site is probley realy extreamlyeasy to hack

Re: Turn HTTP into HTTPS on login

Posted: Mon Feb 07, 2011 4:12 pm
by blakebowling
basic_man2010_20 wrote:well actually you say that its a gamine website noone will do it.... ummm yah how bout this there arte hackers that hackj games just to f*ck around with people..... mafia (mmropg) games get hacked all the time, I am preaty sure that this site is probley realy extreamlyeasy to hack

If I could read this, I might just have something to say about it.

Re: Turn HTTP into HTTPS on login

Posted: Tue Feb 08, 2011 12:23 pm
by bedub1
blakebowling wrote:
basic_man2010_20 wrote:well actually you say that its a gamine website noone will do it.... ummm yah how bout this there arte hackers that hackj games just to f*ck around with people..... mafia (mmropg) games get hacked all the time, I am preaty sure that this site is probley realy extreamlyeasy to hack

If I could read this, I might just have something to say about it.

Hey now...that's not very polite. Did you consider English might not be his primary language?

"Well actually you saying that this is a gaming website thus nobody will attack it...umm..yeah...how about there are hackers that attack games just to f*ck with people...mafia (mmporg) gaming websites get hacked all the time. I am pretty sure that this site is easy to hack."

Re: Turn HTTP into HTTPS on login

Posted: Tue Mar 01, 2011 10:52 pm
by bedub1
Bump.

Can we try and get this deployed? It's really easy and would be helpful, even if everybody doesn't understand why or agree. There really isn't a single downside to deploying this....only positives....

Re: Turn HTTP into HTTPS on login (poll created)

Posted: Tue Mar 01, 2011 11:00 pm
by InsomniaRed
YES! Aladdin! And yes to the login being changed to HTTPS, but not the whole site.

Re: Turn HTTP into HTTPS on login (poll created)

Posted: Tue Mar 01, 2011 11:17 pm
by bedub1
InsomniaRed wrote:And yes to the login being changed to HTTPS, but not the whole site.

I agree...there is no reason to encrypt the entire site. But you know..it does work just fine. :) I've been using HTTPS ever since I posted this...and since it doesn't redirect me back to HTTP...I browse the entire site in HTTPS...take my turns in HTTPS....post to the forum in HTTPS. I'm posting this via HTTPS. Go encryption!

Re: Turn HTTP into HTTPS on login

Posted: Wed Mar 02, 2011 12:17 am
by blakebowling
bedub1 wrote:Bump.

Can we try and get this deployed? It's really easy and would be helpful, even if everybody doesn't understand why or agree. There really isn't a single downside to deploying this....only positives....

Lies.

HTTPS is SLOWER than HTTP

Re: Turn HTTP into HTTPS on login

Posted: Wed Mar 02, 2011 12:45 am
by bedub1
blakebowling wrote:
bedub1 wrote:Bump.

Can we try and get this deployed? It's really easy and would be helpful, even if everybody doesn't understand why or agree. There really isn't a single downside to deploying this....only positives....

Lies.

HTTPS is SLOWER than HTTP

True. It has a little bit of extra information to include the security portion. How long does login take? a second? So if it takes 1.1 seconds with encryption?

Re: Turn HTTP into HTTPS on login

Posted: Wed Mar 02, 2011 4:27 pm
by blakebowling
bedub1 wrote:
blakebowling wrote:
bedub1 wrote:Bump.

Can we try and get this deployed? It's really easy and would be helpful, even if everybody doesn't understand why or agree. There really isn't a single downside to deploying this....only positives....

Lies.

HTTPS is SLOWER than HTTP

True. It has a little bit of extra information to include the security portion. How long does login take? a second? So if it takes 1.1 seconds with encryption?

It is also completely pointless. Every good web developer should know that forcing protocols is never good.

Re: Turn HTTP into HTTPS on login

Posted: Wed Mar 02, 2011 8:37 pm
by bedub1
blakebowling wrote:
bedub1 wrote:
blakebowling wrote:
bedub1 wrote:Bump.

Can we try and get this deployed? It's really easy and would be helpful, even if everybody doesn't understand why or agree. There really isn't a single downside to deploying this....only positives....

Lies.

HTTPS is SLOWER than HTTP

True. It has a little bit of extra information to include the security portion. How long does login take? a second? So if it takes 1.1 seconds with encryption?

It is also completely pointless. Every good web developer should know that forcing protocols is never good.

Did you just say encryption is completely pointless?

You know what...I don't give a shit anymore. You don't like my good idea...I no longer care. I use HTTPS for all my CC interaction. I use it to login, play my games...I use it to browse the forum, I use it to chat. I'm secure. I haven't noticed any difference in speed. I no longer care if the rest of you are or not. If somebody figures out how to steal lack's insecure password and thrash the server...I'll just laugh and point to this thread and say "I told you so".

Re: Turn HTTP into HTTPS on login

Posted: Wed Mar 02, 2011 9:57 pm
by Woodruff
blakebowling wrote:
bedub1 wrote:
blakebowling wrote:
bedub1 wrote:Bump.

Can we try and get this deployed? It's really easy and would be helpful, even if everybody doesn't understand why or agree. There really isn't a single downside to deploying this....only positives....

Lies.

HTTPS is SLOWER than HTTP

True. It has a little bit of extra information to include the security portion. How long does login take? a second? So if it takes 1.1 seconds with encryption?

It is also completely pointless. Every good web developer should know that forcing protocols is never good.


Encryption is pointless?

Re: Turn HTTP into HTTPS on login

Posted: Wed Mar 02, 2011 10:05 pm
by stahrgazer
Darwins_Bane wrote:Although I understand where you're coming from, this is a gaming website, there is little to no likelihood that someone is going to try to steal your password to it.



*cough* right, that's why there have been so many issues with hackers and imposters, like the one that resulted in respectable folks like sam-c812 being reported for cheating... a hacker had taken over another player's logon, set up some speed games to lose them deliberately... anyone remember that from a month or so ago?

There have been other incidents where someone hacked an id. https would help prevent those situations.

Re: Turn HTTP into HTTPS on login

Posted: Wed Mar 02, 2011 10:16 pm
by blakebowling
You're misunderstanding the difference between the two, or how the security works.

HTTP and HTTPS are essentially the same protocol, with the exception of the SSL key in HTTPS. However, the only way for someone to get the information is for them to take over a router in the path of where you are going. The easiest of those routers to take over would be (in 99% of cases) the one located at your OWN house. If someone were to re-route the flow of packets through another computer, which they proceeded to analyze and determine the value of the field "password" sent to the conquerclub.com login script, then they would have your password. However, this is not the way most "hackings" take place.

The majority of the time, the password is obtained from another website which you use the same password for. Essentially, your password is associated with your username, or your email address in their database. Or, even easier than that; the person got the password from you.

Re: Turn HTTP into HTTPS on login

Posted: Wed Mar 02, 2011 10:35 pm
by basic_man2010_20
bedub1 wrote:
blakebowling wrote:
basic_man2010_20 wrote:well actually you say that its a gamine website noone will do it.... ummm yah how bout this there arte hackers that hackj games just to f*ck around with people..... mafia (mmropg) games get hacked all the time, I am preaty sure that this site is probley realy extreamlyeasy to hack

If I could read this, I might just have something to say about it.

Hey now...that's not very polite. Did you consider English might not be his primary language?

"Well actually you saying that this is a gaming website thus nobody will attack it...umm..yeah...how about there are hackers that attack games just to f*ck with people...mafia (mmporg) gaming websites get hacked all the time. I am pretty sure that this site is easy to hack."




Well, English is my primary language but I suck at typing as I don't pay much attention to the online grammar and crap like that. So tell me, does the site allow for .swf ANYWHERE on the site? If so it can easily be hacked. All you have to do is put a shell into the .swf file, upload it to the site and you have access to the cpanel (if the site runs on a cpanel) or even the database. They get access to the database, they have access to our e-mail, password and all that. They can easily then go and pretend to be us or even worse pull a herk and hack a person's account of which they don't like and make a bunch of games and point dump and get the person banned.

Re: Turn HTTP into HTTPS on login

Posted: Wed Mar 02, 2011 10:52 pm
by blakebowling
basic_man2010_20 wrote:
bedub1 wrote:
blakebowling wrote:
basic_man2010_20 wrote:well actually you say that its a gamine website noone will do it.... ummm yah how bout this there arte hackers that hackj games just to f*ck around with people..... mafia (mmropg) games get hacked all the time, I am preaty sure that this site is probley realy extreamlyeasy to hack

If I could read this, I might just have something to say about it.

Hey now...that's not very polite. Did you consider English might not be his primary language?

"Well actually you saying that this is a gaming website thus nobody will attack it...umm..yeah...how about there are hackers that attack games just to f*ck with people...mafia (mmporg) gaming websites get hacked all the time. I am pretty sure that this site is easy to hack."




Well, English is my primary language but I suck at typing as I don't pay much attention to the online grammar and crap like that. So tell me, does the site allow for .swf ANYWHERE on the site? If so it can easily be hacked. All you have to do is put a shell into the .swf file, upload it to the site and you have access to the cpanel (if the site runs on a cpanel) or even the database. They get access to the database, they have access to our e-mail, password and all that. They can easily then go and pretend to be us or even worse pull a herk and hack a person's account of which they don't like and make a bunch of games and point dump and get the person banned.

Most web developers know of the SWF vulnerabilities. And no, SWF can't be used on the site (at least by regular users; Admins and the entertainment team MAY have access to it).