Gamependium Warning
XandorXerxes
So I was poking around Gamependium and noticed that all traffic is sent via HTTP, not HTTPS. I took a look at the source code of the login page just to be sure, and there is no encryption specified anywhere. That means that when you log in, your password is sent in clear text to the web server (anyone who can see your traffic can read it and know it immediately). It's also possible that the web server isn't hashing passwords on their end either, but it's being hosted by a cloud solution so that's unlikely.
If you reuse your password anywhere else, you may want to change your password on that other site. Not using HTTPS is a fatal flaw in terms of security, so assume that password is already compromised. That's not to say don't use the site - just use the site knowing that any information you send it can be and is likely being read by many other people, so make the information you send it disposable.
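A way to automate the check the original poster did by hand (reading the login page source for where the credentials are posted), added here as an example and not taken from the thread or from Gamependium's own code; the page URL and HTML below are constructed stand-ins:

```python
# Added example (not from the forum thread): find every <form> on a login
# page that carries a password field and report whether its action resolves
# to http:// (credentials sent in the clear) or https://.  This automates
# the check the original poster did by reading the page source.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms = []          # one dict per <form>: {"action", "password"}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return (submit_url, is_cleartext) for every form with a password field."""
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        if form["password"]:
            # An empty or relative action inherits the scheme of the page itself,
            # so a form on an http:// page posts over http:// unless told otherwise.
            submit_url = urljoin(page_url, form["action"])
            findings.append((submit_url, urlsplit(submit_url).scheme != "https"))
    return findings


# Constructed sample: a login page served over plain HTTP with a relative action.
SAMPLE_URL = "http://example.invalid/login"
SAMPLE_HTML = """<form method="post" action="/login">
<input name="user"><input type="password" name="pass"></form>"""

if __name__ == "__main__":
    for url, cleartext in audit_login_forms(SAMPLE_URL, SAMPLE_HTML):
        print(("CLEARTEXT " if cleartext else "ok        ") + url)
```

Run it against the HTML you fetched for a real login page; a CLEARTEXT line means the password leaves the browser unencrypted, regardless of how it is hashed once it arrives.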
Comments
While not directly tied to MPQ, I know quite a few of our forum members use that site for various purposes including registering their rosters. I am going to sticky this for 10 days to help get the word out and then moving this to Off-Topic. I am also considering adding a notice in the FAQ. However, in the future if you see anyone mentioning Gamependium please be kind and pass the word on.
Thanks XandorXerxes for looking out!
Your friendly neighborhood fight4thedream
I don't want anyone to think I'm ignoring the problem, I've actually commented on this issue already. I've discussed this with my partner/server admin, and he's unwilling to purchase a certificate at this time. However, Let's Encrypt, which offers free certificates, has announced that they are going to start their public beta on December 5th (just over a week from now). Once they do, it shouldn't take more than a few days to get it set up (I hope).
BTW, passwords and the "remember me" auto login tokens are hashed using the Blowfish encryption algorithm, not stored as plain text.
Cymmina wrote: I've discussed this with my partner/server admin, and he's unwilling to purchase a certificate at this time.
BTW, can't you guys update all outdated covers used in roster composition (i.e. Star Lord, IW, Dakens, Ares and so on)? Don't get me wrong, your site is brilliant as it is, but it can be even better.
ragnarady wrote: Cymmina wrote: I've discussed this with my partner/server admin, and he's unwilling to purchase a certificate at this time.
BTW, can't you guys update all outdated covers used in roster composition (i.e. Star Lord, IW, Dakens, Ares and so on)? Don't get me wrong, your site is brilliant as it is, but it can be even better.
For anything not related to the OP, please use the official gamependium thread here: viewtopic.php?f=6&t=31051
Thanks.
Cymmina wrote: I've discussed this with my partner/server admin, and he's unwilling to purchase a certificate at this time.
Ok, well then it's time to have another talk with your partner/server admin (and maybe consider a new server admin).
You can acquire a free cert here: https://ssl.comodo.com/free-ssl-certificate.php that will do everything you need.
Regards,
Cypr3ss.
I noticed you use nginx for your server proxy. Here are the instructions on how to install a Comodo SSL certificate on Nginx. I've done this before with the free certificate so I'd be happy to help out if you want.
https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/789/37/certificate-installation-nginx
Now this is what I am talking about! Members helping out other members! Makes ya feel all warm and fuzzy inside doesn't it?
Hey don't forget you're moving this off topic thread to off topic in the next few days.
Way to spoil the moment, mod me.
Just doing my job dude.
Anywhoo, if you have any other useful advice or wish to be of help, please feel free.
Your friendly neighborhood fight4thedream
Cymmina wrote: I don't want anyone to think I'm ignoring the problem, I've actually commented on this issue already. I've discussed this with my partner/server admin, and he's unwilling to purchase a certificate at this time. However, Let's Encrypt, which offers free certificates, has announced that they are going to start their public beta on December 5th (just over a week from now). Once they do, it shouldn't take more than a few days to get it set up (I hope).
BTW, passwords and the "remember me" auto login tokens are hashed using the Blowfish encryption algorithm, not stored as plain text.
Let's Encrypt is now in public beta.