Homepage logon dangers.


Re: Homepage logon dangers.

Postby shubla » Wed May 12, 2021 9:59 am

Posters in this thread are arguing that the phone call method for unlisted numbers is unsafe because what if their phone gets stolen by someone else and they're going to make phone calls pretending to be them?! A theoretical possibility that's never going to happen in practice

Of course you know better than literally every browser and security expert in existence. There is a reason why HTTPS is so much enforced. These attacks happen, it's not theoretical, it's a real threat for many people. Connecting to untrusted wifis, or messing up configuration so that you connect to the wrong wifi without even knowing about it, is probably the biggest risk, but there are others. This game has thousands of users, it's not like everybody would just be in their parents' basement, never going outside to meet possibly unprotected networks!

I've logged into forums from VERY suspicious places, using my own server as a vpn of course, but many don't and they are at serious risk.

Self issued certificates are just fine if you can trust the issuer. In fact, they are more secure in many ways as there isn't a central repository that can be hacked to spoof the validation process. If you can trust the software a website is offering without much question, then you should be able to trust the certificate, as the software is going to do much, much more damage if its intent is malicious.

Isn't the problem precisely that we do not know if we can trust the issuer? How can I know if 62 29 D5 9F 8C 75 E2 73 3A 31 D7 2A 9F DF 9C 34 89 45 6D 5A is loftar or somebody who just pretends to be him? Even if I could somehow manually check it, it's quite tedious to do this as I log on from different devices and different browsers.
central repository that can be hacked to spoof the validation process

Certainly there are some problems with CAs being either hacked or just being held by suspicious entities, but in general the system works quite well and there aren't any feasible alternatives as of yet. Yea yea, all kinds of web of trust ideas exist, but they are not practical with average users, to be honest.

Re: Homepage logon dangers.

Postby BoxingRock » Wed May 12, 2021 10:10 am

nice meme shubs, if anybody wants to see just how much shubla really cares about security, go search the word "security" or browse the newest 15 or so pages of his client thread in Wizard Tower. Understand that users in this community were morally obligated to release an ethically sourced version of his client and that the devs themselves commented about how he is logging information that he shouldn't be

:lol: :lol:

this is not a critique thread, OP is an obvious shubla alt, it's just a desperate attempt for shubla to make a hilariously hypocritical security scare shitpost thread which he's done many times in the past

can a mod please move this to IoB so it can stop being used to flood out good idea threads?

Re: Homepage logon dangers.

Postby WojtylaKarol » Wed May 12, 2021 11:57 am

VDZ wrote:
WojtylaKarol wrote:And the CA has the authority to revoke the certificate at any moment, making the userbase sure that if the certificate is stolen by a malicious side, they will still be protected. Otherwise the stolen certificate would still be accepted by the browser and the user would be sharing his private data with threat actors. That's one example of why browsers don't accept self-signed certificates anymore.

That is only applicable if the cert gets stolen (highly unlikely and a massive fuckup), and only if the MITM occurs before the site has presented a new certificate to replace the old one. (Not to mention CA certificates and self-signed certificates aren't mutually exclusive - sites like banks could use CA certs if insta-revoking is a requirement, whereas basically everyone else can use self-signed certs. Really, what's the chance, assuming havenandhearth.com's cert gets stolen, that someone would MITM a Haven player and spoof havenandhearth.com, and all that before the player next visits havenandhearth.com in an environment without a MITM?)


XD Sure, because haven has super secure development infrastructure and the private key is safer than in any other organisation in the world. I don't know if you realised we are living in 2021 where security breaches happen even to developers of Solarwinds business class software. But no, here we're safe because of some kind of magic barrier.

That's exactly why the browser alerts on your webpage: you don't adhere to the 2021 security posture that other webpages adopted years ago.

Re: Homepage logon dangers.

Postby WojtylaKarol » Wed May 12, 2021 12:22 pm

BoxingRock wrote:nice meme shubs, if anybody wants to see just how much shubla really cares about security, go search the word "security" or browse the newest 15 or so pages of his client thread in Wizard Tower. Understand that users in this community were morally obligated to release an ethically sourced version of his client and that the devs themselves commented about how he is logging information that he shouldn't be

:lol: :lol:

this is not a critique thread, OP is an obvious shubla alt, it's just a desperate attempt for shubla to make a hilariously hypocritical security scare shitpost thread which he's done many times in the past

can a mod please move this to IoB so it can stop being used to flood out good idea threads?


Man XD I am a new player of the game, I barely used an alternative client recommended by a friend, but I have cybersecurity knowledge and seriously wondered why the website is working the way it is.

Re: Homepage logon dangers.

Postby WojtylaKarol » Wed May 12, 2021 12:33 pm

VDZ wrote:
kiddoinc wrote:well what the actual fudge. what is the benefit of not using an actual security thing? I am super not tech savvy and this kind of stuff is just such a turn off for a pretty neat game. jeez I just want to play a game not worry about my identity being stolen.

It is using an 'actual security thing'. To return to my phone analogy: HTTP is like shouting a conversation to each other from a distance, and people who are nearby may hear it. HTTPS compared to that is like having a phone call, which cannot be overheard unless the person is like right next to you (e.g. has access to your PC). Certificate Authorities are like telephone directories, if you get someone's number it will probably be listed in it and will have that person's name written next to it, and as you can trust the telephone directory to be correct you know that number actually belongs to that person. The Haven & Hearth site's phone number is not listed in any of the phone books, but the more private phone call method works fine even if you can't double-check the phone book to verify it's the right number. What modern browsers do is, when you 'dial the number' they shout in your face that THIS IS NOT LISTED IN THE PHONE BOOK SO IT MUST BE FAKE AND TRYING TO HACK YOU while it's a perfectly valid number that works fine. As such, they push users towards the 'shouting from a distance' method by discouraging the phone call method. Posters in this thread are arguing that the phone call method for unlisted numbers is unsafe because what if their phone gets stolen by someone else and they're going to make phone calls pretending to be them?! A theoretical possibility that's never going to happen in practice (and in the extremely unlikely case it would, all they'd have to do is give you their new number).

The data that could theoretically get stolen, should you be using a public network and using the 'shouting from a distance' method (HTTP, rather than HTTPS which browsers try to discourage you from using here) and if someone on that same network (so in the same area) went through the trouble of setting up a fake Haven & Hearth website you would confuse for the real one, is whatever you're sending to the site. That is: your Haven username, your Haven password, any images you upload to this site, and your forum posts. Nothing you do not send to the Haven & Hearth website server could be stolen this way. But all of that is irrelevant in practice because nobody's going to set up a fake H&H website, especially nobody physically close to you (as you'd need to be on the same network), and if you are paranoid enough to be afraid of that it can be solved by just using HTTPS despite your browser protesting against it.

EDIT: As for payment details, all of that is handled by an external company specialized in that (Xsolla), and they are 'listed in the phone book'.


What you said about HTTP/S is a good allegory, but don't forget to tell that user that my whole post is that your webpage by DEFAULT chooses shouting from a distance over the phone call due to the poor security posture of the developer. Tell that user that if he wants to have it done by "phone call" he should type in https://, because, as I stated in the first post, you don't REDIRECT users from "shouting" to "calling" like every single webpage in 2021 does.

Re: Homepage logon dangers.

Postby terechgracz » Wed May 12, 2021 12:35 pm

BoxingRock wrote:nice meme shubs, if anybody wants to see just how much shubla really cares about security, go search the word "security" or browse the newest 15 or so pages of his client thread in Wizard Tower. Understand that users in this community were morally obligated to release an ethically sourced version of his client and that the devs themselves commented about how he is logging information that he shouldn't be

:lol: :lol:

this is not a critique thread, OP is an obvious shubla alt, it's just a desperate attempt for shubla to make a hilariously hypocritical security scare shitpost thread which he's done many times in the past

can a mod please move this to IoB so it can stop being used to flood out good idea threads?

I can confirm that WojtylaKarol is shubla's alt, because I'm an artificial intelligence made by shubla using distributed PurusPasta computing power to control such alts. Get humbled or you'll join our alt army.

Re: Homepage logon dangers.

Postby Procne » Wed May 12, 2021 12:57 pm

Can a browser differentiate between a website with a self-signed certificate, and a MITM using a self-signed certificate to pretend to be that website?

Re: Homepage logon dangers.

Postby WojtylaKarol » Wed May 12, 2021 1:02 pm

Procne wrote:Can a browser differentiate between a website with a self-signed certificate, and a MITM using a self-signed certificate to pretend to be that website?


You would have to set up HSTS to prevent that.
https://en.wikipedia.org/wiki/HTTP_Stri ... t_Security

This would be the next step to securing the website properly.

Re: Homepage logon dangers.

Postby shubla » Wed May 12, 2021 1:23 pm

Procne wrote:Can a browser differentiate between a website with a self-signed certificate, and a MITM using a self-signed certificate to pretend to be that website?

No, and that is the problem with using self signed certificates.

By using a CA-signed certificate, that CA guarantees that the certificate has been created by the real owner of the site; they verify this before giving you the certificate. After that it is of course your own responsibility to keep the private key safe, but no one else can get a new valid certificate for your site from these CAs.

Re: Homepage logon dangers.

Postby VDZ » Wed May 12, 2021 9:09 pm

shubla wrote:Also, you can "convincingly" spoof all sites automatically, so it doesn't matter which site the user visits, he will get to listen to all the communications.

Sure, if you want to immediately alert literally everyone visiting literally any site via HTTPS on the network that the network is compromised. (As a reminder, tampering with secure communications is a crime in every developed country, doing so on such a large scale is guaranteed to get you a pretty severe punishment, and this method requires physical proximity to the targets.)

Glorthan wrote:just consider your site password public information and use one of the third party payment providers for the store. such is the line we are forced to walk.

In practice, no information has ever been stolen via this site in this way, and it's extremely unlikely any information will ever be stolen via this site in this way.

shubla wrote:
Posters in this thread are arguing that the phone call method for unlisted numbers is unsafe because what if their phone gets stolen by someone else and they're going to make phone calls pretending to be them?! A theoretical possibility that's never going to happen in practice

Of course you know better than literally every browser and security expert in existence. There is a reason why HTTPS is so much enforced. These attacks happen, it's not theoretical, it's a real threat for many people.

They're quite rare, actually. At this point damage from CA breaches has probably exceeded damage from self-signed certificate breaches (even with browsers trying to sabotage the latter). (And certainly not 'every security expert' - many dislike this system, which is why alternatives exist.)

WojtylaKarol wrote:XD Sure, because haven has super secure development infrastructure and the private key is safer than in any other organisation in the world.

shubla wrote:Isn't the problem precisely that we do not know if we can trust the issuer? How can I know if 62 29 D5 9F 8C 75 E2 73 3A 31 D7 2A 9F DF 9C 34 89 45 6D 5A is loftar or somebody who just pretends to be him? Even if I could somehow manually check it, it's quite tedious to do this as I log on from different devices and different browsers.

The last time you saw Loftar he didn't have a beard and his hair color was different. That should tip you off that this might not be Loftar. This is sabotaged by browsers now as they will no longer let you remember what Loftar looks like, and instead you have to rely on some external authority to tell you what Loftar looks like. And said external authorities have, in the past, been breached before and used precisely for this kind of impersonation.

WojtylaKarol wrote:What you said about HTTP/S is a good allegory, but don't forget to tell that user that my whole post is that your webpage by DEFAULT chooses shouting from a distance over the phone call due to the poor security posture of the developer. Tell that user that if he wants to have it done by "phone call" he should type in https://, because, as I stated in the first post, you don't REDIRECT users from "shouting" to "calling" like every single webpage in 2021 does.

(To make sure there's no confusion: I'm not a developer of this game, this site is Loftar and Jorb's. I just fully agree with them that browser handling of self-signed certificates is bullshit and my own personal site also has a self-signed certificate.)

The reason users are forced to the 'shouting from a distance' version of the site by default is because browsers have sabotaged self-signed certificates and will tell the user YOU ARE BEING HACKED if you redirect them to the HTTPS version. I'm sure everyone using self-signed certificates would prefer to redirect to HTTPS by default, but the browsers won't let us.

Procne wrote:Can a browser differentiate between a website with a self-signed certificate, and a MITM using a self-signed certificate to pretend to be that website?


They used to be able to as they would store the certificate and alert you if you later visit the site again and the certificate was not the one it stored. But they've specifically removed that in order to force people to use centralized CA certificates.
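The "remember the certificate and alert if it changes" behaviour the last two posts debate is trust on first use (TOFU): it is what lets a client tell a self-signed site it has seen before from an interceptor presenting a different self-signed certificate, and it cannot help on the very first visit. The code below is an added illustration, not code from the Haven & Hearth site, any browser, or anyone in the thread; the host name and the certificate byte strings are constructed stand-ins, and the live-fetch helper is only there to show where real DER bytes would come from.

```python
import hashlib
import hmac
import ssl

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
CERT_SEEN_FIRST = b"constructed-der-cert-A-for-illustration"
CERT_FROM_MITM = b"constructed-der-cert-B-for-illustration"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER bytes, shown as space-separated hex pairs, the
    style certificate viewers use (the thread quotes a 20-byte SHA-1 one)."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return " ".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_certificate(store: dict, host: str, der_cert: bytes) -> str:
    """Trust-on-first-use check against an in-memory {host: fingerprint} store.

    Returns "first-use" (pin recorded now), "match", or "mismatch". On a
    mismatch the old pin is kept on purpose: a changed certificate is either
    a re-key the operator announced out of band or an interception, and only
    the user can tell which, so the code never silently re-pins.
    """
    seen = fingerprint(der_cert)
    pinned = store.get(host)
    if pinned is None:
        store[host] = seen
        return "first-use"
    return "match" if hmac.compare_digest(pinned, seen) else "mismatch"


def fetch_der_certificate(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate a live server presents, without CA chain
    validation (deliberate: a self-signed site has no chain to validate).
    Not called in the offline demo below."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    pins = {}
    host = "self-signed.example"  # constructed host name
    print(check_certificate(pins, host, CERT_SEEN_FIRST))  # first-use
    print(check_certificate(pins, host, CERT_SEEN_FIRST))  # match
    print(check_certificate(pins, host, CERT_FROM_MITM))   # mismatch
    print(fingerprint(CERT_SEEN_FIRST))
```

The first visit is the unavoidable gap: a pin store only detects a change relative to what it already holds, which is exactly what a CA signature or an out-of-band fingerprint check is meant to cover.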