Game Development: Mushroom Circle

[shubla]

-----------------------
[list]
[*] We are working on a bigger implementation. Might be a few weeks.

Enjoy!

World reset confirmed

No its not. If it was, why wouldn't they just announce it now and say that its in 3 months or something.

Its some object controlled objects related implementation if something.

[Nedim]

Just a comment passing by to say

Reset when ( ͡ಥ ͜ʖ ͡ಥ)

[Killshot47]

Rants about internet corporate control.

I 100% understand your arguments. SSL/TLS certs are borderline extortion and browser content screening isn't far off. That doesn't change the fact that the majority of internet users and consequentially new players are ignorant to that. It's a pointless hill to die on, those users will continue to be scared away regardless of your views of how fair it is. I can relate to your disgust of the whole thing but if the goal is simply "make the game attractive to newbies" then it is what it is. If the goal was to start a campaign against the status quo, then by all means... have at it

Back to lurking...

[strpk0]

Rants about internet corporate control.

I 100% understand your arguments. SSL/TLS certs are borderline extortion and browser content screening isn't far off. That doesn't change the fact that the majority of internet users and consequentially new players are ignorant to that. It's a pointless hill to die on, those users will continue to be scared away regardless of your views of how fair it is. I can relate to your disgust of the whole thing but if the goal is simply "make the game attractive to newbies" then it is what it is. If the goal was to start a campaign against the status quo, then by all means... have at it

Back to lurking...

Agreed. Right now the https version of this site is borderline unusable due to the self-signed certificate, meaning most people (myself included) just stick to the http version.
It truly sucks, but I think as a developer Jorbtar should weigh whether their personal (if understandable) views are more important than their user's safety and/or trust in this website and the game.

[shubla]

Agreed. Right now the https version of this site is borderline unusable due to the self-signed certificate, meaning most people (myself included) just stick to the http version.
It truly sucks, but I think as a developer Jorbtar should weigh whether their personal views are more important than their user's safety and/or trust in this website and the game.

Yeah forcing everyone to use https for their safety is modern and recommended.

If I've understood correctly, the reason why we don't have CA-approved certificate is that loftar himself doesn't want to trust these CA people/support the system but would rather sign the certificate by (also) himself? Which is with current standards impossible.

And its not only passwords. There is a big button to download an executable program on top of the site. Only losing your hnh passwords is the best scenario that can happen!

So does the stubborn reasoning justify endangering hundreds of peoples credentials, computers, files, as they happily connect in with unencrypted and vulnerable connection? Only to soon lose not only their HnH accounts, but also private messaging data via PM's and possibly other accounts having the same passwords, downloading hnh client only to have malware execute on their machines...

Maybe if custom client developers started to put large disclaimers into their clients about how careless devs are about their users safety...

[Killshot47]

Agreed. Right now the https version of this site is borderline unusable due to the self-signed certificate, meaning most people (myself included) just stick to the http version.
It truly sucks, but I think as a developer Jorbtar should weigh whether their personal views are more important than their user's safety and/or trust in this website and the game.

Yeah forcing everyone to use https for their safety is modern and recommended.

If I've understood correctly, the reason why we don't have CA-approved certificate is that loftar himself doesn't want to trust these CA people/support the system but would rather sign the certificate by (also) himself? Which is with current standards impossible.

And its not only passwords. There is a big button to download an executable program on top of the site. Only losing your hnh passwords is the best scenario that can happen!

So does the stubborn reasoning justify endangering hundreds of peoples credentials, computers, files, as they happily connect in with unencrypted and vulnerable connection? Only to soon lose not only their HnH accounts, but also private messaging data via PM's and possibly other accounts having the same passwords, downloading hnh client only to have malware execute on their machines...

Maybe if custom client developers started to put large disclaimers into their clients about how careless devs are about their users safety...

That's a bit overdramatic I think. There's no reason to assume the developer's methods are unsafe. As long as you're using the official client, unless Jorbtar wants to do something malicious (which is just shooting themselves in the foot), you're fine. It's just hard to prove your legitimacy to the "uneducated masses" without that "official" seal of approval. Those seals are held in reasonably high regard to most people, so it's just a good idea to adopt them if you're wanting their business imo.

- To be clear, I don't mean to insinuate unofficial clients are unsafe. Just that the official client is all Jorbtar can or will guarantee.

[shubla]

- To be clear, I don't mean to insinuate unofficial clients are unsafe. Just that the official client is all Jorbtar can or will guarantee.

Well I don't mean guaranteeing the client, but downloading it from a site protected by HTTPS and CA to further verify the authenticity of the download.

[MagicManICT]

- To be clear, I don't mean to insinuate unofficial clients are unsafe. Just that the official client is all Jorbtar can or will guarantee.

Well I don't mean guaranteeing the client, but downloading it from a site protected by HTTPS and CA to further verify the authenticity of the download.

That's the thing--it doesn't. The CA is just a method to guarantee the security of your connection to the server. Nothing is implied about the trustworthiness of the system you are connected to, even if that might have been the case in the past. Sites like letsencrypt are absolutely no different than having a self-signed certificate in terms of whether the site you are connecting to is safe or valid. There's just some oversight over the process, but with the ease they make getting a certificate, that oversight just makes it so a bad actor has to juggle things a bit more. Those with self-signed certificates may only have the oversight of the users, but they have the ability to report the site as fraudulent to search engines and such to get search hits pushed lower, even removed, or the site host or ISP that may actually shutter the site with enough complaints.

And the trustworthiness of 3rd party clients should be considered. We've certainly had bad actors in that regard in the past.

[shubla]

That's the thing--it doesn't. The CA is just a method to guarantee the security of your connection to the server.

If you are crossing a suspension bridge, do you not want to confirm that the planks are not rotten, even if you cannot confirm condition of the ropes?
Valid connection doesn't mean that the server has not been compromised. But in that case most of the hope is already lost.
Compromising the connection in some way is way more easy than taking control of the server (hopefully...).
Authenticity of the connection, is an important step towards security. Who has control of the server doesn't matter if you cannot be sure that you are even connecting to the right server, even if the original server was held by its intended owner.

Just because you cannot prevent something 100% doesn't mean that you shouldn't do the prevention of 99%

Sites like letsencrypt are absolutely no different than having a self-signed certificate in terms of whether the site you are connecting to is safe or valid.

You are either absolutely wrong or terribly , because that is not true.
The sole reason why CA's exists is that they help to verify the authenticity of the certificate and connection. And it has pretty good track records, billions and billions of CA verified https connections being made every day but not often you see these root certificates leak or something. Banks use them, governments use them etc. Is this all just a conspiracy of some greedy CA root holders? I doubt it.

Do you understand the problem here?
The problem is that I cannot know in any way if the certificate that this site offers to me really is loftars certificate, or if my connection to server has been compromised in some way, and it is a certificate offered by that malicious connection? If the certificate offered was signed for example by lets encrypt root certificate, I would have pretty strong reason to trust that either the connection is real or the certificate has been compromised, which is way more difficult to do than to compromise the connection. I could call loftar if I knew his number or send him email and hope to reach the real loftar who can then verify this simple fingerprint of 100 characters to be valid. But that is just very inconvenient because there are many users that frequently use this site, they cannot all call to loftar.

[Killshot47]

- To be clear, I don't mean to insinuate unofficial clients are unsafe. Just that the official client is all Jorbtar can or will guarantee.

Well I don't mean guaranteeing the client, but downloading it from a site protected by HTTPS and CA to further verify the authenticity of the download.

Yeah I get ya, we're on the same page I think. I meant those HTTPS and CA as the "official seals" that are coveted by people, sorry if my metaphor was terse. Even if they're entirely stupid, as MagicMan has pointed out, most people think they're important. IMO denying the concept everybody accepts is more foolish than adopting it if bringing in new users is even remotely a goal. It seems to me that it's just narrowing the market for silly reasons that have nothing to do with the game itself.