Gamependium Warning

XandorXerxes
XandorXerxes Posts: 340 Mover and Shaker
edited December 2015 in Off Topic
So I was poking around Gamependium and noticed that all traffic is sent via HTTP, not HTTPS. I took a look at the source code of the login page just to be sure, and there is no encryption specified anywhere. That means when you log in, your password is sent in clear text to the web server (anyone who can see your traffic can read it and know it immediately). It's also possible that the web server isn't hashing passwords on their end either, but it's being hosted by a cloud solution so that's unlikely.

If you reuse your password anywhere else, you may want to change your password on that other site. Not using HTTPS is a fatal flaw in terms of security, so assume that password is already compromised. That's not to say don't use the site - just use the site knowing that any information you send it can be and is likely being read by many other people, so make the information you send it disposable.

Comments

  • fight4thedream
    fight4thedream GLOBAL_MODERATORS Posts: 1,908 Chairperson of the Boards
    While not directly tied to MPQ, I know quite a few of our forum members use that site for various purposes including registering their rosters. I am going to sticky this for 10 days to help get the word out and then moving this to Off-Topic. I am also considering adding a notice in the FAQ. However, in the future if you see anyone mentioning Gamependium please be kind and pass the word on.

    Thanks XandorXerxes for looking out!

    Your friendly neighborhood fight4thedream
  • Cymmina
    Cymmina Posts: 413 Mover and Shaker
    I don't want anyone to think I'm ignoring the problem, I've actually commented on this issue already. I've discussed this with my partner/server admin, and he's unwilling to purchase a certificate at this time. However, Let's Encrypt, which offers free certificates, has announced that they are going to start their public beta on December 5th (just over a week from now). Once they do, it shouldn't take more than a few days to get it set up (I hope).

    BTW, passwords and the "remember me" auto login tokens are hashed using the Blowfish encryption algorithm, not stored as plain text.
  • ragnarady
    ragnarady Posts: 70 Match Maker
    Cymmina wrote:
    I've discussed this with my partner/server admin, and he's unwilling to purchase a certificate at this time.

    BTW, can't you guys update all outdated covers used in roster composition (i.e. Star Lord, IW, Dakens, Ares and so on)? Don't get me wrong, your site is brilliant as it is, but it can be even better ;)
  • Malcrof
    Malcrof Posts: 5,971 Chairperson of the Boards
    ragnarady wrote:
    Cymmina wrote:
    I've discussed this with my partner/server admin, and he's unwilling to purchase a certificate at this time.

    BTW, can't you guys update all outdated covers used in roster composition (i.e. Star Lord, IW, Dakens, Ares and so on)? Don't get me wrong, your site is brilliant as it is, but it can be even better ;)

    For anything not related to the OP, please use the official gamependium thread here: viewtopic.php?f=6&t=31051


    Thanks.
  • Cypr3ss
    Cypr3ss Posts: 155 Tile Toppler
    Cymmina wrote:
    I've discussed this with my partner/server admin, and he's unwilling to purchase a certificate at this time.

    Ok, well then it's time to have another talk with your partner/server admin (and maybe consider a new server admin).

    You can acquire a free cert here: https://ssl.comodo.com/free-ssl-certificate.php that will do everything you need.

    Regards,
    Cypr3ss.
  • I noticed you use nginx for your server proxy. Here are the instructions on how to install a Comodo SSL certificate on Nginx. I've done this before with the free certificate so I'd be happy to help out if you want.

    https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/789/37/certificate-installation-nginx
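
    An added illustration of what that installation ends up looking like, not Gamependium's own configuration and not taken from the Comodo article: the HTTP-only server block the thread is warning about, followed by the corrected pair of blocks that redirects port 80 and serves the login page over TLS. The domain, the backend address and the certificate paths are placeholders.

```nginx
# Added example: not Gamependium's actual nginx configuration.
# Domain, backend address and certificate paths are placeholders.

# BEFORE: the setup the thread describes. A login POSTed to this block
# crosses the network in clear text, password included.
server {
    listen 80;
    server_name gamependium.example;

    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}

# AFTER: port 80 does nothing but redirect, so credentials are only ever
# accepted over TLS.
server {
    listen 80;
    server_name gamependium.example;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name gamependium.example;

    # Full chain (leaf + intermediates) and private key as issued by
    # Let's Encrypt or Comodo. Paths are placeholders.
    ssl_certificate     /etc/ssl/gamependium.example/fullchain.pem;
    ssl_certificate_key /etc/ssl/gamependium.example/privkey.pem;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    # Tell browsers that have seen the site once to never load it over
    # plain HTTP again (one year).
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        # The application behind the proxy should set its session and
        # "remember me" cookies with the Secure and HttpOnly flags, or the
        # token is still exposed on the first plain-HTTP request.
    }
}
```

    Run `nginx -t` after editing to catch syntax or path errors before reloading, and check the result from outside with a browser or `openssl s_client -connect gamependium.example:443` to confirm the full chain is served. Serving a certificate for the wrong hostname, or the leaf without its intermediates, produces browser warnings that are almost as bad as plain HTTP.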
  • fight4thedream
    fight4thedream GLOBAL_MODERATORS Posts: 1,908 Chairperson of the Boards
    Now this is what I am talking about! Members helping out other members! Makes ya feel all warm and fuzzy inside doesn't it? :)

    Hey don't forget you're moving this off topic thread to off topic in the next few days.

    Way to spoil the moment, mod me. >:(

    Just doing my job dude.

    Anywhoo, if you have any other useful advice or wish to be of help, please feel free.

    Your friendly neighborhood fight4thedream
  • stochasticism
    stochasticism Posts: 1,181 Chairperson of the Boards
    Cymmina wrote:
    I don't want anyone to think I'm ignoring the problem, I've actually commented on this issue already. I've discussed this with my partner/server admin, and he's unwilling to purchase a certificate at this time. However, Let's Encrypt, which offers free certificates, has announced that they are going to start their public beta on December 5th (just over a week from now). Once they do, it shouldn't take more than a few days to get it set up (I hope).

    BTW, passwords and the "remember me" auto login tokens are hashed using the Blowfish encryption algorithm, not stored as plain text.

    Let's Encrypt is now in public beta.