Homepage logon dangers.


Re: Homepage logon dangers.

Postby VDZ » Tue May 11, 2021 9:03 pm

shubla wrote:
It protects against MITM attacks,

No it doesn't. A MITM can just send a fake certificate and the user gladly accepts it, because the user has no way of knowing its authenticity; thus a self-signed certificate provides no added security if you cannot verify who assigned it.
One has to verify that the certificate is trusted and not a fake one. How do you think the average, quite computer-illiterate user is meant to do that, easily and securely?

By giving that big 'warning you are being attacked' message when the certificate for a site unexpectedly changes, rather than when first receiving the certificate. The only way to perform a MITM then would be to have started the MITM attack before the user even accesses the site for the first time - a highly unlikely scenario in practice unless you've got the government after you or something.
VDZ
 
Posts: 2681
Joined: Sun Jul 17, 2011 2:27 am

Re: Homepage logon dangers.

Postby WojtylaKarol » Tue May 11, 2021 9:21 pm

VDZ wrote:
shubla wrote:
Suggesting that by using HTTPS, their passwords and credit card numbers will be stolen. There is no option to continue, only a 'back to safety' option implying the HTTPS connection is the opposite of safety. Should the user be brave enough to click Advanced in an attempt to proceed regardless, the browser further tries to persuade the user to use the unprotected HTTP connection instead:

HTTPS with an unverified certificate is not any more secure than HTTP is; it's more dangerous actually, as the user may think that he is safe while he is not.

How is it not more secure? It protects against MITM attacks, especially if the browser just remembers the certificate (as they did in the past if you chose to have them do so; browser makers have since removed that option). If I give you my phone number, isn't it more secure to just call the number I gave you (at risk of the phone number given to you not belonging to me, if you met someone impersonating me first before you met me) even though it's not in the telephone directory, than it is to leave your message somewhere public where everyone can hear or read it?

WojtylaKarol wrote: Still, your previous statement is wrong, it is not any issue with browsers, it is normal behaviour for browsers to accept only the certificates signed by trusted providers aka CA.


WojtylaKarol wrote: Self issued certificates are not trusted by browsers for a good reason.


Why? I can understand they are more cautious with self-issued certificates than with certificates from trusted providers, but they're still a lot more secure than having no certificate at all. Currently browsers are convincing users that self-signed certificates are less secure than using an entirely unprotected connection, which is simply not true.


And the CA has the authority to revoke the certificate at any moment, making the userbase sure that if the certificate is stolen by a malicious side, they will still be protected. Otherwise the stolen certificate would still be accepted by the browser and the user would be sharing his private data with threat actors. That's one example of why browsers don't accept self-signed certificates anymore.

Stating that browsers are dumb in 2021 because they don't accept self signed certs is just having blindfolds on.
WojtylaKarol
 
Posts: 13
Joined: Thu Apr 08, 2021 7:31 pm

Re: Homepage logon dangers.

Postby shubla » Tue May 11, 2021 9:50 pm

By giving that big 'warning you are being attacked' message when the certificate for a site unexpectedly changes, rather than when first receiving the certificate. The only way to perform a MITM then would be to have started the MITM attack before the user even accesses the site for the first time - a highly unlikely scenario in practice unless you've got the government after you or something.

Doesn't sound like a very suitable solution really. And I'm pretty sure that you can get MITM'd without any government being after you! Most people connect to any wifi if it's free, named something like "mall public" and doesn't have a password, etc.

And the CA has the authority to revoke the certificate at any moment, making the userbase sure that if the certificate will be stolen by malicious side, they will still be protected.

I do wonder how that would happen.
shubla
 
Posts: 13041
Joined: Sun Nov 03, 2013 11:26 am
Location: Finland

Re: Homepage logon dangers.

Postby kiddoinc » Tue May 11, 2021 10:28 pm

This is pretty worrisome. As a person that knows you all said a bunch of words but didn't understand any, how can I make sure I'm protecting my account? Use or not use http to site? When you google haven and hearth, http is the first one to populate.
kiddoinc
 
Posts: 119
Joined: Thu Mar 21, 2019 2:36 am

Re: Homepage logon dangers.

Postby WojtylaKarol » Tue May 11, 2021 11:30 pm

kiddoinc wrote: This is pretty worrisome. As a person that knows you all said a bunch of words but didn't understand any, how can I make sure I'm protecting my account? Use or not use http to site? When you google haven and hearth, http is the first one to populate.

If you use the website as a knowledgeable guy and keep in mind that you're using https instead of http and that you're not reusing login data, aka not using the same login/email/password pair (you should never use the same password on 2 different websites/services), you should be pretty safe. If you just type in haven and let the autocorrect fill in the rest, you could share the password with unwanted parties. And that's exactly why you should use a separate password for every website on the internet.
WojtylaKarol
 
Posts: 13
Joined: Thu Apr 08, 2021 7:31 pm

Re: Homepage logon dangers.

Postby VDZ » Wed May 12, 2021 12:14 am

WojtylaKarol wrote: And the CA has the authority to revoke the certificate at any moment, making the userbase sure that if the certificate will be stolen by malicious side, they will still be protected. Otherwise the stolen certificate would be still accepted by the browser and the user would be sharing his private data with threat actors. Thats one example of why browsers don't accept self signed certificates anymore.

That is only applicable if the cert gets stolen (highly unlikely and a massive fuckup), and only if the MITM occurs before the site has presented a new certificate to replace the old one. (Not to mention CA certificates and self-signed certificates aren't mutually exclusive - sites like banks could use CA certs if insta-revoking is a requirement, whereas basically everyone else can use self-signed certs. Really, what's the chance, assuming havenandhearth.com's cert gets stolen, that someone would MITM a Haven player and spoof havenandhearth.com, and all that before the player next visits havenandhearth.com in an environment without a MITM?)

shubla wrote:
By giving that big 'warning you are being attacked' message when the certificate for a site unexpectedly changes, rather than when first receiving the certificate. The only way to perform a MITM then would be to have started the MITM attack before the user even accesses the site for the first time - a highly unlikely scenario in practice unless you've got the government after you or something.

Doesn't sound like a very suitable solution really. And I'm pretty sure that you can get MITM'd without any government being after you! Most people connect to any wifi if it's free, named something like "mall public" and doesn't have a password, etc.

What is the chance of someone connecting to a site where they could enter sensitive information for their first time on a public network and there's a MITM on that network, the MITM convincingly spoofing that site, and the user entering sensitive data into that site on their very first visit? The moment they leave the network the whole situation comes to light, so there is a very short window of opportunity to actually do anything (plus literally everyone else notices there's a MITM on that public network). The only way to make actual use of this would be if you could MITM someone's usual connection, like planting a MITM at the service provider, but you need to be a government or similarly influential entity to pull that off.
VDZ
 
Posts: 2681
Joined: Sun Jul 17, 2011 2:27 am
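VDZ's proposal in the two posts above is a trust-on-first-use (TOFU) pin: remember the certificate a site showed on first contact and raise the big warning only when it later changes. The script below is an added example written for this page, not code from the thread, from the forum software or from the game's site. It keeps a small pin store and returns one of three verdicts per visit; the host name, the "DER" byte strings and the file format are all constructed stand-ins. The first-visit case is where shubla's objection lands: a store with no pin has nothing to compare against, so a MITM already present on that first connection is recorded as the legitimate certificate.

```python
"""Trust-on-first-use (TOFU) certificate pin store (added example, assumptions only)."""
import hashlib
import json
import socket
import ssl
from pathlib import Path


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex, as browsers display it."""
    return hashlib.sha256(cert_der).hexdigest()


class TofuStore:
    """Maps host -> fingerprint seen on first contact.

    Verdicts from check():
      "first-use"  no pin yet; the certificate is accepted blindly, so a MITM
                   already in place on this first visit is NOT detected
      "match"      same certificate as the pinned one
      "CHANGED"    different certificate; the caller must refuse and warn
    """

    def __init__(self, path=None):
        self.path = Path(path) if path else None   # None = in-memory only
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self):
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def check(self, host: str, cert_der: bytes) -> str:
        fp = fingerprint(cert_der)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = fp
            self._save()
            return "first-use"
        return "match" if known == fp else "CHANGED"

    def rotate(self, host: str, cert_der: bytes) -> None:
        """Explicit, user-confirmed replacement, e.g. a legitimately renewed cert."""
        self.pins[host] = fingerprint(cert_der)
        self._save()


def fetch_peer_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate as DER without CA validation; TOFU does its own
    comparison. Network helper, not exercised by the offline demo below."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-ins for DER certificates; real ones are ASN.1 blobs.
SITE_CERT_V1 = b"constructed-der:example.test:self-signed:2021"
SITE_CERT_V2 = b"constructed-der:example.test:self-signed:2022-renewed"
ATTACKER_CERT = b"constructed-der:example.test:forged-by-mitm"


def demo():
    """First visit, repeat visit, forged cert, confirmed renewal, forged cert again."""
    store = TofuStore()
    host = "example.test"
    results = [
        store.check(host, SITE_CERT_V1),    # first-use: trusted blindly
        store.check(host, SITE_CERT_V1),    # match
        store.check(host, ATTACKER_CERT),   # CHANGED: warn and refuse
    ]
    store.rotate(host, SITE_CERT_V2)        # renewal confirmed out of band
    results.append(store.check(host, SITE_CERT_V2))   # match
    results.append(store.check(host, ATTACKER_CERT))  # CHANGED
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The design point the thread argues over is visible in `check()`: every verdict after the first is strong, but the first is not a verification at all, only a recording. That is why the scheme is usually paired with something that can vouch for the first contact (a CA chain, or a pin shipped with the client) rather than replacing it.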

Re: Homepage logon dangers.

Postby jordancoles » Wed May 12, 2021 2:56 am

So, basically, Loftar is being stubborn and potentially risking everyone's security in the process? :shockedpikachu:

Also I asked Jorb about this a while ago

I guess the decision is to sit on their hands for now ¯\_(ツ)_/¯
Last edited by jordancoles on Wed May 12, 2021 5:15 am, edited 2 times in total.
jordancoles
 
Posts: 14076
Joined: Sun May 29, 2011 6:50 pm
Location: British Columbia, Canada

Re: Homepage logon dangers.

Postby kiddoinc » Wed May 12, 2021 3:16 am

Well, what the actual fudge. What is the benefit of not using an actual security thing? I am super not tech savvy and this kind of stuff is just such a turn off for a pretty neat game. Jeez, I just want to play a game, not worry about my identity being stolen.

Like no amount of neat new birds is worth that kind of risk... would be nice to hear from devs why a security threat is fine and gravy.
kiddoinc
 
Posts: 119
Joined: Thu Mar 21, 2019 2:36 am

Re: Homepage logon dangers.

Postby kmarad » Wed May 12, 2021 3:26 am

H&H forums not being certified is clearly bad; Let's Encrypt helps a lot with free certificates, and is very easy to implement using certbot.
There is clearly no reason not to make users connection safer, I entirely agree with OP.

Then, I must say that seeing Shubla spitting on H&H privacy is kind of a joke.
When you deliberately steal players data you should just shut the fuck up on this kind of topic IMHO.
kmarad
 
Posts: 150
Joined: Mon Jan 06, 2020 7:46 pm

Re: Homepage logon dangers.

Postby kiddoinc » Wed May 12, 2021 3:28 am

Not accusing shubla of anything, but knowing there are bad actors out there and still leaving what appears to be a huge hole in security is super super disappointing. I friggin love this game but this is seriously an issue, like is this whole site a honeypot?

What is the benefit to them of not applying the security thing? It sounds like there are free alternatives.
Last edited by kiddoinc on Wed May 12, 2021 3:31 am, edited 1 time in total.
kiddoinc
 
Posts: 119
Joined: Thu Mar 21, 2019 2:36 am
