Homepage logon dangers.

Re: Homepage logon dangers.

Postby WojtylaKarol » Thu May 13, 2021 1:22 pm

VDZ wrote:
shubla wrote:A spoofing attack is so easy to do that it's a real threat.

But it isn't. Pulling off a MITM attack by itself is pretty hard already, managing to spoof traffic adds a further layer of complication, and actually doing it convincingly is actually very difficult. I can't go into details because NDAs and such, but I'm a reverse engineer (purely software, I don't actually deal with network tampering) and have to work on adding compatibility layers/spoofing results every now and then. It often seems simple but there are so, so many things you can do wrong and every tiny mistake is likely to cause the whole thing to come crashing down - and that's typically without security measures in place to prevent tampering. That's usually fine when working with local software (you just sigh, restart the program and get it back into the state you were working on) but incredibly complicated when one half of the equation is not under your control (you just have to hope your target's environment is sufficiently similar to the environment you tested it on). If there's also the fact that you can get arrested for screwing up then you're really playing with fire.



Yeah very hard XD Like using a common vulnerability to infect the router of a player (which almost nobody will update the software on, unless it's a managed service). And now normal websites that have a normal certificate and HSTS enabled are still safe while this one is not. Simplest example of your SUPER COMPLEX attack. You don't need to reverse a thing. And reverse engineering expertise has nothing to do with the topic here.

Re: Homepage logon dangers.

Postby kiddoinc » Thu May 13, 2021 4:22 pm

terechgracz wrote:Stop it, nerds. Idk what you're arguing about. It's just not normal that I can't enter the website without clicking special buttons telling me something about certificates and bad security.


This is how it is for the non-tech-savvy here. It really isn't normal; I visit many websites and I have only one that gives me these special announcements. Doesn't seem normal at all.

Re: Homepage logon dangers.

Postby jordancoles » Fri May 14, 2021 12:54 am

The bottom line is that it will turn away people who are not familiar with the game or invested in their accounts/time here. It should be fixed and I'm not sure why it wouldn't be a priority. It's a loss of revenue and exposure.

Re: Homepage logon dangers.

Postby kmarad » Fri May 14, 2021 3:18 am

I don't quite understand why there are 6 pages here.
H&H's website doesn't use TLS, that's a security issue, period. There is nothing much to discuss.

Re: Homepage logon dangers.

Postby VDZ » Fri May 14, 2021 3:54 am

kmarad wrote:I don't quite understand why there are 6 pages here.
H&H's website doesn't use TLS, that's a security issue, period. There is nothing much to discuss.

But it does...and browsers complain about it...that's what the 6 pages of discussion are about.

Re: Homepage logon dangers.

Postby kmarad » Fri May 14, 2021 4:31 am

VDZ wrote:But it does...and browsers complain about it...that's what the 6 pages of discussion are about.


Ah true that, my bad. Self-signed certificate. Perfectly valid security-wise. Fuck browsers.
Then yes, Let's Encrypt and their certbot can fix that in a jiffy with commonly accepted certificates.

Though really, I kind of like this self-signed certificate. SSL and TLS have been a way for internet authorities to tax people.
Long live Let's Encrypt and self-signed certificates.

BTW, HTTP traffic should be automatically redirected to HTTPS.
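As an added illustration (not from any poster, and not the game site's own code), the Python below checks the three things this thread argues about: whether a host's certificate chains to a CA the client's system trusts (a self-signed one will not, which is exactly why browsers warn), whether plain HTTP redirects to HTTPS, and whether HSTS is set. The assessment logic is kept separate from the network probe so it can be exercised offline; HOST is a constructed placeholder, not the real site.

```python
"""Audit a web host for trusted certificate, HTTP->HTTPS redirect and HSTS.
assess() is pure and testable offline; probe() gathers its inputs from a live
host. HOST is a constructed placeholder hostname (assumption, not the game site).
"""
import http.client
import ssl

HOST = "example.invalid"  # constructed placeholder; replace with the host to audit


def assess(http_status, http_location, tls_error, hsts_header):
    """Turn raw probe results into findings. tls_error is None when the
    system trust store accepted the chain, otherwise the verify message."""
    findings = []
    if tls_error is not None:
        # A self-signed cert fails here: the client has no way to tell the
        # site's own cert from one an on-path attacker minted, so it warns.
        findings.append("certificate not trusted by system CA store: " + tls_error)
    redirects = (301, 302, 307, 308)
    if not (http_status in redirects
            and (http_location or "").lower().startswith("https://")):
        findings.append("plain HTTP is not redirected to HTTPS")
    if hsts_header is None or "max-age" not in hsts_header.lower():
        findings.append("no Strict-Transport-Security header (HSTS)")
    return findings


def probe(host, timeout=5):
    """Collect inputs for assess() from a live host (needs network access)."""
    # 1. Plain HTTP on port 80: does the server send us to https://?
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", "/")
    resp = conn.getresponse()
    http_status, http_location = resp.status, resp.getheader("Location")
    conn.close()
    # 2. TLS with default verification (system CAs + hostname check), then HSTS.
    tls_error, hsts = None, None
    ctx = ssl.create_default_context()
    try:
        conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
        conn.request("GET", "/")
        hsts = conn.getresponse().getheader("Strict-Transport-Security")
        conn.close()
    except ssl.SSLCertVerificationError as e:
        tls_error = e.verify_message  # e.g. "self-signed certificate"
    return assess(http_status, http_location, tls_error, hsts)


if __name__ == "__main__":
    for finding in probe(HOST) or ["no findings"]:
        print(finding)
```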

Re: Homepage logon dangers.

Postby shubla » Fri May 14, 2021 8:35 am

VDZ wrote:
kmarad wrote:I don't quite understand why there are 6 pages here.
H&H's website doesn't use TLS, that's a security issue, period. There is nothing much to discuss.

But it does...and browsers complain about it...that's what the 6 pages of discussion are about.

No, it's not valid at all, and that's what literally everybody else has been telling you for the last 6 pages, but you refuse to reason.

Re: Homepage logon dangers.

Postby WojtylaKarol » Fri May 14, 2021 10:51 am

shubla wrote:
VDZ wrote:
kmarad wrote:I don't quite understand why there are 6 pages here.
H&H's website doesn't use TLS, that's a security issue, period. There is nothing much to discuss.

But it does...and browsers complain about it...that's what the 6 pages of discussion are about.

No, it's not valid at all, and that's what literally everybody else has been telling you for the last 6 pages, but you refuse to reason.


That.
It was the correct way to do stuff 10 years ago. Not nowadays. Security is getting more and more demanding due to the complex nature of attacks, and everybody needs to adapt. Browsers don't force the use of trusted CAs for no reason.

Re: Homepage logon dangers.

Postby Glorthan » Fri May 14, 2021 4:50 pm

jordancoles wrote:The bottom line is that it will turn away people who are not familiar with the game or invested in their accounts/time here. It should be fixed and I'm not sure why it wouldn't be a priority. It's a loss of revenue and exposure.

No, it's far more important to wax lyrical about the evils of setting up Let's Encrypt.

Just ignore that:
- the average user will land here from Google, which returns the http site (try it!). Probably because it's not using a proper certificate, which is basically for internal org managed sites only.
- the average user will not know how to install random untrusted certs.
- using Let's Encrypt or keeping your website in the dark ages will progress nobody's agenda either way.

It's a terrible attitude, but some people prefer semantics over user safety.

Re: Homepage logon dangers.

Postby MagicManICT » Fri May 14, 2021 11:47 pm

Glorthan wrote:It's a terrible attitude, but some people prefer semantics over user safety.

Overall, it's up to the developers and publishers of a website on how, even if, they want to grow. If they actively choose to do things one way or another, then people need to take that into consideration. You're not just playing a game. You're buying into a piece of the company that develops and publishes it. While we're talking about Haven and jorb and loftar, we're also talking about any other software company out there.

Again, I agree that the status quo is terrible for the growth of Haven. There are too many, for lack of a better word at the moment, Luddites who don't understand network security and refuse to learn anything. I consider myself read up on it, and I'm an idiot when it comes to the fine details.

I know enough to know the CA system is as much a scam as it is a means to allow confidence in using the Web for commerce. Without it, we wouldn't have all the online banking and retailers. With it, we get stuck in a technology that isn't the best thing currently. Do not be fooled, though. It is a house of cards, and one wrong move will collapse it. (Actually, a Jenga tower would probably be a more apt metaphor.) The problem with changing at this point is so much has been developed and so many holes plugged, new systems will effectively make the whole thing worse for the foreseeable future. As another example, much of the world's banking systems still run on COBOL code written in the 1960s because it's riskier to change the outdated system and pay huge salaries to the few remaining COBOL experts than to upgrade and make something faster.
