kiddoinc wrote: well what the actual fudge. what is the benefit of not using an actual security thing? I am super not tech savvy and this kind of stuff is just such a turn off for a pretty neat game. jeez I just want to play a game not worry about my identity being stolen.
It is using an 'actual security thing'. To return to my phone analogy: HTTP is like shouting a conversation to each other from a distance, and people who are nearby may hear it. HTTPS compared to that is like having a phone call, which cannot be overheard unless the person is like right next to you (e.g. has access to your PC). Certificate Authorities are like telephone directories: if you get someone's number it will probably be listed in it and will have that person's name written next to it, and as you can trust the telephone directory to be correct you know that number actually belongs to that person. The Haven & Hearth site's phone number is not listed in any of the phone books, but the more private phone call method works fine even if you can't double-check the phone book to verify it's the right number. What modern browsers do is, when you 'dial the number' they shout in your face that THIS IS NOT LISTED IN THE PHONE BOOK SO IT MUST BE FAKE AND TRYING TO HACK YOU while it's a perfectly valid number that works fine. As such, they push users towards the 'shouting from a distance' method by discouraging the phone call method. Posters in this thread are arguing that the phone call method for unlisted numbers is unsafe because what if their phone gets stolen by someone else and they're going to make phone calls pretending to be them?! A theoretical possibility that's never going to happen in practice (and in the extremely unlikely case it would, all they'd have to do is give you their new number).
The data that could theoretically get stolen, should you be using a public network and using the 'shouting from a distance' method (HTTP, rather than HTTPS which browsers try to discourage you from using here) and if someone on that same network (so in the same area) went through the trouble of setting up a fake Haven & Hearth website you would confuse for the real one, is whatever you're sending to the site. That is: your Haven username, your Haven password, any images you upload to this site, and your forum posts. Nothing you do not send to the Haven & Hearth website server could be stolen this way. But all of that is irrelevant in practice because nobody's going to set up a fake H&H website, especially nobody physically close to you (as you'd need to be on the same network), and if you are paranoid enough to be afraid of that it can be solved by just using HTTPS despite your browser protesting against it.
EDIT: As for payment details, all of that is handled by an external company specialized in that (Xsolla), and they are 'listed in the phone book'.