Dominion Strategy Forum


Author Topic: Dominion Online Open Beta coming up shortly!  (Read 97305 times)


AdamH

Re: Dominion Online Open Beta coming up shortly!
« Reply #125 on: June 13, 2015, 09:07:07 am »
+6

What's more interesting is that in the logs I can find password in plain text. The whole network communication is also logged. :-\
Quote
LogWeb: Send Controller: {"message":"login", "clientVersion":"2.0.29", "name":"matste", "password":"********"}

WHAT??!?!??!?!

Are you serious?! You're kidding, right? That's completely unacceptable.

Unbelievable. I'm actually furious right now.
Logged
Visit my blog for links to a whole bunch of Dominion content I've made.

GendoIkari

Re: Dominion Online Open Beta coming up shortly!
« Reply #126 on: June 13, 2015, 10:07:37 am »
0

What's more interesting is that in the logs I can find password in plain text. The whole network communication is also logged. :-\
Quote
LogWeb: Send Controller: {"message":"login", "clientVersion":"2.0.29", "name":"matste", "password":"********"}

WHAT??!?!??!?!

Are you serious?! You're kidding, right? That's completely unacceptable.

Unbelievable. I'm actually furious right now.

Before I get furious, I want clarification.... are you talking about your actual account password that you had to give when you signed up? The one that you had to pick because for some stupid reason SSO with Google wasn't implemented even though Goko had it? And where are these logs?
Logged
Check out my F.DS extension for Chrome! Card links; Dominion icons, and maybe more! http://forum.dominionstrategy.com/index.php?topic=13363.0

Thread for Firefox version:
http://forum.dominionstrategy.com/index.php?topic=16305.0

GendoIkari

Re: Dominion Online Open Beta coming up shortly!
« Reply #127 on: June 13, 2015, 10:09:23 am »
0

Also, are purchases supposed to be carried over? I had half of Prosperity on Goko (because they gave me some free Gokoins for being a tester)... but this says I only have the base set.
Logged

Accatitippi

Re: Dominion Online Open Beta coming up shortly!
« Reply #128 on: June 13, 2015, 10:16:14 am »
0

Also, are purchases supposed to be carried over? I had half of Prosperity on Goko (because they gave me some free Gokoins for being a tester)... but this says I only have the base set.
Yes they should be carried over (of course!!). EDIT: looking at the new store it seems they're abandoning the old "buy expansions bit by bit" model, and half-expansions do not exist any more. Maybe you can ask for a ducat refund/fix? :/

I looked at the log file in the installation directory, and a quick search for "Accatitippi" gave no results.
matste is probably referring to some other logs. If it's true it is a big one. Now if it turns out that they are also sending/storing passwords in plain text it will be just like Goko's launch.
« Last Edit: June 13, 2015, 10:19:08 am by Accatitippi »
Logged

-Stef-

Re: Dominion Online Open Beta coming up shortly!
« Reply #129 on: June 13, 2015, 10:28:36 am »
+2

I don't know if I should be very sad or very pissed. I don't feel like doing either.

Considering to stop playing dominion online altogether now :(
Logged
Join the Dominion League!

liopoil

Re: Dominion Online Open Beta coming up shortly!
« Reply #130 on: June 13, 2015, 10:32:20 am »
0

I'm feeling cautiously optimistic that when I get back in 6 weeks things will be better.
Logged

GendoIkari

Re: Dominion Online Open Beta coming up shortly!
« Reply #131 on: June 13, 2015, 10:35:27 am »
+4

I'm feeling cautiously optimistic that when I get back in 6 weeks things will be better.

If they are really storing my password in plain text, then no amount of improvement or promises will get me to trust them enough to play their game again. Any company that does something like that has no business still existing as a software company.
Logged

Seprix

Re: Dominion Online Open Beta coming up shortly!
« Reply #132 on: June 13, 2015, 10:38:22 am »
0

Plaintext password log ins are completely terrible.

People are actually forgetting this is beta. Is it bad? Yes. Will it get better? Yes! It's been out for what, like three days?

I'm feeling cautiously optimistic that when I get back in 6 weeks things will be better.

If they are really storing my password in plain text, then no amount of improvement or promises will get me to trust them enough to play their game again. Any company that does something like that has no business still existing as a software company.

Which is why they had better fix it. ASAP. If we all send messages, they'll hopefully fix it.

Why am I saying hopefully...? Man, it's hard being optimistic right now...
Logged
DM me for ideas on a new article, either here or on Discord (I check Discord way more often)

Seprix

Re: Dominion Online Open Beta coming up shortly!
« Reply #133 on: June 13, 2015, 10:40:46 am »
+1

Like seriously though. I'm not touching the beta again until they fix that security breach.
Logged

GendoIkari

Re: Dominion Online Open Beta coming up shortly!
« Reply #134 on: June 13, 2015, 10:43:09 am »
+5

Plaintext password log ins are completely terrible.

People are actually forgetting this is beta. Is it bad? Yes. Will it get better? Yes! It's been out for what, like three days?

I'm feeling cautiously optimistic that when I get back in 6 weeks things will be better.

If they are really storing my password in plain text, then no amount of improvement or promises will get me to trust them enough to play their game again. Any company that does something like that has no business still existing as a software company.

Which is why they had better fix it. ASAP. If we all send messages, they'll hopefully fix it.

Why am I saying hopefully...? Man, it's hard being optimistic right now...

The thing is, implementing basic security in regards to logons isn't a feature that needs to be added after you have a non-correct login system in place. It's not like you should or would ever implement a non-secure login system just to get something running, with plans to secure it later. Instead it's something that you need to build into the very foundation of the code. If they're doing it incorrectly, then all the login and user account creation code would need to be completely rewritten from scratch; there would be no point to having any sort of temporary login system. This isn't something like a missing feature that needs to be added or a bug that needs to be fixed.
Logged

pubby

Re: Dominion Online Open Beta coming up shortly!
« Reply #135 on: June 13, 2015, 10:43:42 am »
+1

If they are really storing my password in plain text, then no amount of improvement or promises will get me to trust them enough to play their game again.
The actual risk is that they're storing passwords on their server, and from what I can tell, we don't know if they are doing this or not. Having them visible in client-side logs is obviously a bug, but it barely seems like a security issue.
Logged

-Stef-

Re: Dominion Online Open Beta coming up shortly!
« Reply #136 on: June 13, 2015, 10:46:04 am »
+9

People are actually forgetting this is beta. Is it bad? Yes. Will it get better? Yes! It's been out for what, like three days?

It may be out for 3 days for you now, I've been playing with it for about 6 weeks.

At first, there was the complete and utter shock. Why, why, why, why on earth if you get the chance to rewrite something from scratch you copy all the terrible interface decisions from the previous version?

Then there was a group of betatesters and even though there were a lot of small bugs, three things were clearly very frustrating: the animations, the delays while playing, and get the log not on the side. I feel very much ignored with any kind of feedback I gave. Only reports on clear bugs were apparently interesting enough to do something with, and almost none of those got solved either.
Logged

GendoIkari

Re: Dominion Online Open Beta coming up shortly!
« Reply #137 on: June 13, 2015, 10:48:03 am »
0

If they are really storing my password in plain text, then no amount of improvement or promises will get me to trust them enough to play their game again.
The actual risk is that they're storing passwords on their server, and from what I can tell, we don't know if they are doing this or not. Having them visible in client-side logs is obviously a bug, but it barely seems like a security issue.

You're right that it does depend on where these logs are; but in any basic login system, that level of code shouldn't have any sort of access to the plain-text password that you type in. If there's any network communication at all, the password needs to be hashed before being sent. Even if there's not any network communication at that level, the password should be hashed at the very first opportunity to do so, as soon as the login event is handled. Before it is sent to any sort of method that would be doing any logging.
Logged

Polk5440

Re: Dominion Online Open Beta coming up shortly!
« Reply #138 on: June 13, 2015, 10:49:13 am »
+4

I hope everyone is reporting every bug they find on making fun's forum. Screenshots and all. They do no good in this thread.

ESPECIALLY THE SUSPECTED PASSWORD PROBLEM.
Logged

werothegreat

Re: Dominion Online Open Beta coming up shortly!
« Reply #139 on: June 13, 2015, 10:53:03 am »
0

* These people are not Goko.  It took Goko months just to make incremental changes.  It took them over a year to release all the expansions.  MF has consistently made visible improvements each week with each new release, and they have been listening to our suggestions.  I understand your suspicions, Goko burned us all pretty hard, but I think over the past month or so MF have earned our good faith.  So please, offer up suggestions if you have them (that's what a beta process is for), but try not to be antagonistic about it.

I said this on Wednesday, when the FAQ for the beta was released.  This was before I had actually played the open beta and thus realized that not only had they not fixed any of the major bugs we'd said they needed to fix before wide release, even soft, but there are even more bugs.  I'm starting to regret having said this.
Logged
Contrary to popular belief, I do not run the wiki all on my own.  There are plenty of other people who are actively editing.  Go bother them!

Check out this fantasy epic adventure novel I wrote, the Broken Globe!  http://www.amazon.com/Broken-Globe-Tyr-Chronicles-Book-ebook/dp/B00LR1SZAS/

pubby

Re: Dominion Online Open Beta coming up shortly!
« Reply #140 on: June 13, 2015, 10:57:46 am »
0

If there's any network communication at all, the password needs to be hashed before being sent. Even if there's not any network communication at that level, the password should be hashed at the very first opportunity to do so, as soon as the login event is handled. Before it is sent to any sort of method that would be doing any logging.
I'm not a security expert or anything, but isn't hashing client-side completely pointless? Ideally you would send the password over SSL in plaintext and the server hashes it.
Logged

SCSN

Re: Dominion Online Open Beta coming up shortly!
« Reply #141 on: June 13, 2015, 11:01:11 am »
+4

I can confirm that the password is written in the log in plain text:

Quote
WebSocketConnector: Starting receiving controller messages
 
(Filename: C:/buildslave/unity/build/artifacts/generated/common/runtime/UnityEngineDebugBindings.gen.cpp Line: 65)

Autologin method: login
 
(Filename: C:/buildslave/unity/build/artifacts/generated/common/runtime/UnityEngineDebugBindings.gen.cpp Line: 65)

LogWeb: Send Controller: {"message":"login", "clientVersion":"2.0.29", "name":"SheCantSayNo", "password":"#GokoWasBetter"}
Logged

DG

Re: Dominion Online Open Beta coming up shortly!
« Reply #142 on: June 13, 2015, 11:01:21 am »
+9

Logged

SCSN

Re: Dominion Online Open Beta coming up shortly!
« Reply #143 on: June 13, 2015, 11:02:15 am »
+1

I hope everyone is reporting every bug they find on making fun's forum. Screenshots and all. They do no good in this thread.

They do no good there either.
Logged

Seprix

Re: Dominion Online Open Beta coming up shortly!
« Reply #144 on: June 13, 2015, 11:02:46 am »
0

http://forum.makingfun.com/showthread.php?6931-We-haven-t-forgotten-you!&p=35310#post35310

I'll be willing to ride this one out and wait before denouncing anything, even if the closed beta didn't do anything.

I mean, we can't play Dominion anywhere else.
Logged

GendoIkari

Re: Dominion Online Open Beta coming up shortly!
« Reply #145 on: June 13, 2015, 11:05:42 am »
0

I can confirm that the password is written in the log in plain text:

Quote
WebSocketConnector: Starting receiving controller messages
 
(Filename: C:/buildslave/unity/build/artifacts/generated/common/runtime/UnityEngineDebugBindings.gen.cpp Line: 65)

Autologin method: login
 
(Filename: C:/buildslave/unity/build/artifacts/generated/common/runtime/UnityEngineDebugBindings.gen.cpp Line: 65)

LogWeb: Send Controller: {"message":"login", "clientVersion":"2.0.29", "name":"SheCantSayNo", "password":"#GokoWasBetter"}

Where is this log?
Logged

werothegreat

Re: Dominion Online Open Beta coming up shortly!
« Reply #146 on: June 13, 2015, 11:06:48 am »
+3

Just posted this:

http://forum.makingfun.com/showthread.php?6939-Fix-this-now&p=35345#post35345

Quote
The following post is going to come off rather harsh, but I hope it moves MF to actually do something.

Now I understand that, since most of the more competitive Dominion players have already bought all the expansions and thus aren't going to be giving you any more money under the current model, we are your core demographic. We are the ones who recommend Dominion Online to our friends. We are the ones who livestream games. We are the ones who post YouTube videos. We are the ones who give your product any sort of visibility. And after the debacle that was Goko, we're running short on both patience and optimism.

You may have noticed throughout the closed beta that a lot of the invited testers just would not give feedback. That's because there were problems with the build that, for them, were so egregious that they had no desire to even play until you fixed them. But you haven't. And you released a product, even a beta product, even on a soft release, that is not only not feature complete, but bugged to all hell.

And perhaps the biggest problem, and why we all get so pissed off, is that it doesn't seem like you're listening to us. You're so concerned with superfluous things - the animations, the campaigns - none of that matters if the game itself is not playable.

So, I can't really speak for the rest of the competitive Dominion players, but I can pretty much guarantee that you will have a lot fewer players until the following things are addressed, in order of priority:

* Fix the plain-text password issue.
* Fix the deck counter bug.
* Fix the askew text.
* Fix whatever the hell is causing a card game program to take up so much CPU usage and cause everything to overheat and lag.
* Fix the animations so they don't block Action/Buy/Coin numbers - this is one of the first things we told you!!!
* Fix animation speeds.

Absolutely anything else - be it a simple bug, or the campaigns, or whatever else, can wait. Again, I can't speak for everyone else, but until these things are fixed, I personally will not be playing 2.0. I hope I have your attention.
Logged

Rabid

Re: Dominion Online Open Beta coming up shortly!
« Reply #147 on: June 13, 2015, 11:07:17 am »
0

http://forum.dominionstrategy.com/index.php?topic=4136.msg89329#msg89329

Has anyone tested the new app for "Unescaped Javascript"?
Or would this only show up once they launch the new browser version?
Logged
Twitch
1 Day Cup #1:Ednever

GendoIkari

Re: Dominion Online Open Beta coming up shortly!
« Reply #148 on: June 13, 2015, 11:13:05 am »
+2

If there's any network communication at all, the password needs to be hashed before being sent. Even if there's not any network communication at that level, the password should be hashed at the very first opportunity to do so, as soon as the login event is handled. Before it is sent to any sort of method that would be doing any logging.
I'm not a security expert or anything, but isn't hashing client-side completely pointless? Ideally you would send the password over SSL in plaintext and the server hashes it.

I wouldn't call myself a security expert, but I have spent several years writing applications requiring a login system professionally. You're right that in a web site, it would be the server that hashes the password, not the client. The important thing is that it would be hashed immediately, before it is sent to any other methods that would be doing logging or anything like that.

Now I don't know anything about Unity, but from what I can tell this looks like your basic Windows application. To make a parallel to a web site, I would consider the "client" side to be the front-end; where you see the window and type in your password, etc. And I would consider the "server" side to be the code behind that handles events such as clicking "login". I know it's all running on your local computer, but if you want to think of it like a secure website, then the part that handles events would be the server, and that's where it should be hashed. I assume that as part of handling the event, it calls some web service to authenticate the user. And it would just make sense to hash the password before sending it to that web service.

I admit that I have far more knowledge about web applications than Windows applications, so it's possible that I'm mistaken. And again, it all depends on where this "log" actually is.
Logged

SCSN

Re: Dominion Online Open Beta coming up shortly!
« Reply #149 on: June 13, 2015, 11:16:09 am »
0

I can confirm that the password is written in the log in plain text:

Quote
WebSocketConnector: Starting receiving controller messages
 
(Filename: C:/buildslave/unity/build/artifacts/generated/common/runtime/UnityEngineDebugBindings.gen.cpp Line: 65)

Autologin method: login
 
(Filename: C:/buildslave/unity/build/artifacts/generated/common/runtime/UnityEngineDebugBindings.gen.cpp Line: 65)

LogWeb: Send Controller: {"message":"login", "clientVersion":"2.0.29", "name":"SheCantSayNo", "password":"#GokoWasBetter"}

Where is this log?

C:\Program Files (x86)\Dominion\Dominion_Data\output_log.txt

If it doesn't show up for everyone, it could be that it only shows if you have the "remember my password" and/or auto-login functionality enabled.
Logged
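
The log excerpts quoted in this thread show a login message written to output_log.txt with its "password" field intact. As an added example (not from any poster or from the game's developers), this Python sketch masks credential fields before an outbound message is formatted for logging, and audits or scrubs log text that was already written. The key list, function names and sample log values are assumptions constructed for illustration.

```python
import json
import re

# Keys whose values must never reach a log (assumed list; extend per protocol).
SENSITIVE_KEYS = {"password", "passwd", "token", "secret", "sessionid"}
REDACTED = "[REDACTED]"

def redact(obj):
    """Return a copy of a decoded JSON value with sensitive values masked."""
    if isinstance(obj, dict):
        return {k: REDACTED if k.lower() in SENSITIVE_KEYS else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj

def format_outbound(message):
    """Build the log line for an outbound message, redacting before serialising."""
    return "LogWeb: Send Controller: " + json.dumps(redact(message))

# Matches "key":"value" for sensitive keys in raw log text, including
# values that contain backslash-escaped quotes.
_LEAK_RE = re.compile(
    r'"(?P<key>%s)"\s*:\s*"(?P<val>(?:[^"\\]|\\.)*)"' % "|".join(sorted(SENSITIVE_KEYS)),
    re.IGNORECASE)

def _is_masked(value):
    # Already redacted, empty, or starred out by whoever pasted the log.
    return value == REDACTED or value.strip("*") == ""

def find_leaks(log_text):
    """Return (line_number, key) per unmasked sensitive field; never the value."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for m in _LEAK_RE.finditer(line):
            if not _is_masked(m.group("val")):
                hits.append((n, m.group("key")))
    return hits

def scrub_log(log_text):
    """Rewrite existing log text with every sensitive value masked."""
    return _LEAK_RE.sub(
        lambda m: '"%s":"%s"' % (m.group("key"), REDACTED), log_text)

# Constructed sample modelled on the line format quoted in the thread.
SAMPLE_LOG = '''WebSocketConnector: Starting receiving controller messages
Autologin method: login
LogWeb: Send Controller: {"message":"login", "clientVersion":"2.0.29", "name":"example_user", "password":"constructed-pw-1"}
LogWeb: Send Controller: {"message":"login", "clientVersion":"2.0.29", "name":"example_user", "password":"********"}
'''

if __name__ == "__main__":
    print(find_leaks(SAMPLE_LOG))
    print(scrub_log(SAMPLE_LOG))
    print(format_outbound({"message": "login", "name": "example_user",
                           "password": "constructed-pw-1"}))
```

A log that has already captured a password should be scrubbed or deleted and the password changed, since the file may have been copied or attached to a bug report in the meantime.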