Homepage logon dangers.

Re: Homepage logon dangers.

Postby jordancoles » Wed May 12, 2021 3:31 am

kiddoinc wrote:Not accusing shubla of anything but knowing there are bad actors out there and still leaving what appears to be a huge hole in security is super super disappointing. I friggin love this game but this is seriously an issue, like is this whole site a honeypot?

Loftar has been farming bitcoin through our clients for years, which is why the game lags so badly at times. That's when he transfers the gains to his coin purse

Re: Homepage logon dangers.

Postby kiddoinc » Wed May 12, 2021 3:33 am

jordancoles wrote:
kiddoinc wrote:Not accusing shubla of anything but knowing there are bad actors out there and still leaving what appears to be a huge hole in security is super super disappointing. I friggin love this game but this is seriously an issue, like is this whole site a honeypot?

Loftar has been farming bitcoin through our clients for years, which is why the game lags so badly at times. That's when he transfers the gains to his coin purse


Not sure if you are serious. But like couldn't someone with the knowhow "camp" the site and farm our info?

Re: Homepage logon dangers.

Postby kiddoinc » Wed May 12, 2021 4:00 am

Also pardon my ignorance but what kind of information is available? Like my username and emails, possibly any other stuff like credit card or paypal if I used it on the site. Or is using this site compromising details I use on other sites?

Re: Homepage logon dangers.

Postby VDZ » Wed May 12, 2021 5:08 am

kiddoinc wrote:well what the actual fudge. what is the benefit of not using an actual security thing? I am super not tech savvy and this kind of stuff is just such a turn off for a pretty neat game. Jeez, I just want to play a game not worry about my identity being stolen.

It is using an 'actual security thing'. To return to my phone analogy: HTTP is like shouting a conversation to each other from a distance, and people who are nearby may hear it. HTTPS compared to that is like having a phone call, which cannot be overheard unless the person is like right next to you (e.g. has access to your PC). Certificate Authorities are like telephone directories, if you get someone's number it will probably be listed in it and will have that person's name written next to it, and as you can trust the telephone directory to be correct you know that number actually belongs to that person. The Haven & Hearth site's phone number is not listed in any of the phone books, but the more private phone call method works fine even if you can't double-check the phone book to verify it's the right number. What modern browsers do is, when you 'dial the number' they shout in your face that THIS IS NOT LISTED IN THE PHONE BOOK SO IT MUST BE FAKE AND TRYING TO HACK YOU while it's a perfectly valid number that works fine. As such, they push users towards the 'shouting from a distance' method by discouraging the phone call method. Posters in this thread are arguing that the phone call method for unlisted numbers is unsafe because what if their phone gets stolen by someone else and they're going to make phone calls pretending to be them?! A theoretical possibility that's never going to happen in practice (and in the extremely unlikely case it would, all they'd have to do is give you their new number).

The data that could theoretically get stolen, should you be using a public network and using the 'shouting from a distance' method (HTTP, rather than HTTPS which browsers try to discourage you from using here) and if someone on that same network (so in the same area) went through the trouble of setting up a fake Haven & Hearth website you would confuse for the real one, is whatever you're sending to the site. That is: your Haven username, your Haven password, any images you upload to this site, and your forum posts. Nothing you do not send to the Haven & Hearth website server could be stolen this way. But all of that is irrelevant in practice because nobody's going to set up a fake H&H website, especially nobody physically close to you (as you'd need to be on the same network), and if you are paranoid enough to be afraid of that it can be solved by just using HTTPS despite your browser protesting against it.

EDIT: As for payment details, all of that is handled by an external company specialized in that (Xsolla), and they are 'listed in the phone book'.

Re: Homepage logon dangers.

Postby kiddoinc » Wed May 12, 2021 5:34 am

Thank you for easing my concerns somewhat. The explanation of the telephone works for me. Still think it's worth fixing though; people aren't going to scrounge through these forums to figure out it's kinda ok because it's super unlikely to happen. People will see that error and walk away not even giving this a chance.

Re: Homepage logon dangers.

Postby MagicManICT » Wed May 12, 2021 7:47 am

WojtylaKarol wrote:Still, your previous statement is wrong, it is not any issue with browsers, it is normal behaviour for browsers to accept only the certificates signed by trusted providers aka CA.

While this is a Haven issue, the wording and level of panic is a browser issue. Just ask Microsoft about poorly worded and poorly implemented warning labels. I completely agree that if Haven wants to attract players and grow, it needs to do what it can so their potential players aren't immediately turned off. Conversely, clearly there needs to be better education on what computer security is and means.

Self issued certificates are just fine if you can trust the issuer. In fact, they are more secure in many ways as there isn't a central repository that can be hacked to spoof the validation process. If you can trust the software a website is offering without much question, then you should be able to trust the certificate, as the software is going to do much, much more damage if its intent is malicious.

Re: Homepage logon dangers.

Postby shubla » Wed May 12, 2021 9:30 am

VDZ wrote: [...] there's a MITM on that network, the MITM convincingly spoofing that site, and the user entering sensitive data into that site on their very first visit?

Basing security on "surely no one will attempt this attack" is not a very accepted way of thought. Also, you can "convincingly" spoof all sites automatically, so it doesn't matter which site the user will visit, he will get to listen to all the communications. The whole idea of CA verified certificates is to prevent this. Without authenticity of the certificate, the MITM can just forward nearly exactly the data that the user sent to him to the site, and then forward the data to the user that the site sent, and the user has no way of knowing that it all is completely unencrypted and saved for evil purposes in the middle.

kiddoinc wrote: what is the benefit of not using an actual security thing? I a

Loftar gets to enforce his opinions about certificate authorities and technologies, and does not support the evil babylon plots!
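An added example, not code from this forum or from the Haven & Hearth project, of what "trusting the issuer directly" (MagicManICT's point) looks like when it is actually checked rather than clicked through: the client records the self-signed certificate's fingerprint on first contact and refuses to send a password when a later connection presents a different certificate, which is the situation shubla describes where a man-in-the-middle terminates TLS with its own certificate and relays the traffic. The host name, the in-memory pin store and the certificate bytes are constructed placeholders, and the network fetch helper is only illustrative.

```python
import hashlib
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (not real certificates).
SITE_CERT = b"constructed DER bytes: the site's own self-signed certificate"
OTHER_CERT = b"constructed DER bytes: a different certificate presented later"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER encoding, the fingerprint a browser's certificate viewer shows."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(host: str, der_cert: bytes, pins: dict) -> str:
    """Trust-on-first-use check against a pin store (a plain dict here).

    Returns 'new' (first contact, pin recorded), 'match' (same certificate as
    before) or 'mismatch' (certificate changed: either the site re-keyed or a
    man-in-the-middle is presenting its own certificate). On 'mismatch' the
    caller must stop and confirm the new fingerprint out of band, e.g. against
    one the operator published, before sending a password.
    """
    fp = fingerprint(der_cert)
    known = pins.get(host)
    if known is None:
        pins[host] = fp
        return "new"
    return "match" if known == fp else "mismatch"


def fetch_leaf_cert(host: str, port: int = 443) -> bytes:
    """TLS handshake without CA verification; returns the peer's DER certificate.

    The connection is still encrypted (the 'phone call' in VDZ's analogy); only
    the identity check is replaced by check_pin() above. Needs network access,
    so it is not exercised offline.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    pins = {}  # constructed; a real client would persist this on disk
    host = "haven.example"  # placeholder host name
    for cert in (SITE_CERT, SITE_CERT, OTHER_CERT):
        print(host, check_pin(host, cert, pins))  # new, match, mismatch
```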

Re: Homepage logon dangers.

Postby Zentetsuken » Wed May 12, 2021 9:32 am

the only legitimate security threat found on this website is shubla's client

as long as you use clients from trusted users you have absolutely nothing to worry about security-wise on this website

Re: Homepage logon dangers.

Postby Glorthan » Wed May 12, 2021 9:39 am

Quite simply, the developers are a bit "special" and also have a strong sense of NIH syndrome. For these reasons they can justify supporting their esoteric lofty ideals at the expense of the safety of their userbase. It's extremely unprofessional but this is a hobbyist game, and professionalism isn't exactly widespread in the games industry to start with.

Just consider your site password public information and use one of the third party payment providers for the store. Such is the line we are forced to walk.

Re: Homepage logon dangers.

Postby Zentetsuken » Wed May 12, 2021 9:58 am

this thread reads like a handful of shubla alts

probably best if it gets moved out of C&I so it can shit up another subforum that doesn't get posted in so often
