use https for more security

Unimatrix_0 · Sep 28th 2011, 8:47pm

Hi,

since GF seems to care a lil' bit more about the account-security [size=6][^1][/size] they should go a step further and use encrypted transmissions between the client and server.
Some may remember man-in-the-middle-attacks at public hotspots against non-encrypted sides. This would (not only but mainly) important at the login.

Pro: more security for the user

Con: some more server-ressources are used (important esp. at high-load multispeed universes)
gf have to pay for ssl-cert
some really rare combinations might be locked out (maybe an option like IP-check to turn ssl off could be a solution)

Even with all the negativ aspects i'd say that the improved security will worth the change and wouldn't wait until they hear about the first cracked accounts like Facebook or Twitter does.

the1337g33k · Sep 29th 2011, 9:44am

Paying for SSL certs is the real killer for this idea.

The way I see it, they have two options. Buy a cert for every server (terribly expensive) or encrypt logins to gameforge.com and force everyone to their games there.

Encryption (which if they do it for just the login, this won't be as much of a problem) has another con that you didn't mention. If the entire game was encrypted it would drastically increase the load on the servers having to encrypt everyone's traffic instead of just sending it.

marshen · Sep 29th 2011, 11:04am

you dont have to have a bought certificate. you can make your own even if its not trusted.

HelpLess · Sep 29th 2011, 12:47pm

I think it's a good idea to provide a secure login (not the whole game, just the login). As this mainly would be used by "experienced" users, it should be no problem to use self signed certs. Experienced users know how the handle self signed certs and the security remark when you open the page trough https.

5vor12 · Sep 29th 2011, 8:48pm

marshen wrote:

you dont have to have a bought certificate. you can make your own even if its not trusted.

Such thing from you? A normal user is unable to understand what the brwoser is telling him in such case and not disposed to set up a rule.

A trusted certificate is valid only for the subdomain, so for each universe an other one is needed, so it's realy expensive.

marshen · Sep 29th 2011, 10:18pm

5vor12 wrote:

Such thing from you? A normal user is unable to understand what the brwoser is telling him in such case and not disposed to set up a rule.

see

HelpLess wrote:

[...]it should be no problem to use self signed certs. Experienced users know how the handle self signed certs and the security remark when you open the page trough https.

like one of the previous posters told: could be optional and after account creation disabled.

5vor12 · Sep 30th 2011, 4:45pm

marshen wrote:

like one of the previous posters told: could be optional and after account creation disabled.

For account creation it could be useful in fact. I don't know the mechanery in detail for account creation - is this done by a central server or by universe-server?

marshen · Sep 30th 2011, 7:57pm

I didn't know it as well but you can find it in an javascript file on the starting page.

Francolino · Oct 18th 2011, 9:32pm

Would not be implemented, so rejected.

Share