Dominion Strategy Forum


Author Topic: The forum isn't protected by HTTPS  (Read 691 times)


magnetic

  • Herbalist
  • **
  • Offline Offline
  • Posts: 5
  • Shuffle iT Username: magnetik
  • Respect: +12
    • View Profile
The forum isn't protected by HTTPS
« on: June 04, 2018, 02:09:24 pm »
+8

The forum isn't protected by HTTPS. This means if we log in to the forum on a shared WiFi connection, someone can steal our session and impersonate us. Given that pseudo-official rulemaking is done on this forum, I think it's a serious issue.

With free (even wildcard) certificates from letsencrypt.org, there's not much of a burden to securing a domain like this these days.

If you need any assistance, give me a PM.
« Last Edit: June 04, 2018, 02:25:28 pm by magnetic »
Logged

gkrieg13

  • Minion
  • *****
  • Offline Offline
  • Posts: 503
  • Shuffle iT Username: gkrieg
  • Respect: +461
    • View Profile
Re: The forum isn't protected by HTTPS
« Reply #1 on: June 04, 2018, 02:55:57 pm »
+3

But how do we know that you are magnetic right now?
Logged

magnetic

  • Herbalist
  • **
  • Offline Offline
  • Posts: 5
  • Shuffle iT Username: magnetik
  • Respect: +12
    • View Profile
Re: The forum isn't protected by HTTPS
« Reply #2 on: June 04, 2018, 03:25:51 pm »
+1

Even if I posted this anonymously the report is still true.  ;)
Logged

Chris is me

  • Mountebank
  • *****
  • Offline Offline
  • Posts: 2458
  • Shuffle iT Username: Chris is me
  • What do you want me to say?
  • Respect: +3028
    • View Profile
Re: The forum isn't protected by HTTPS
« Reply #3 on: June 04, 2018, 11:25:02 pm »
+2

I mean... is anything we do here really that important? We’re playing a card game. Who cares about the extremely unlikely event that someone steals somebody’s log in in order to... impersonate them here? Which would be really quickly obvious and dealt with?

Plenty of other reasons to use https (mainly for people not smart enough to use multiple passwords for things) but I mean I wouldn’t say it’s particularly urgent.
Logged
Twitch channel: http://www.twitch.tv/chrisisme2791

bug me on discord

they/them

faust

  • Torturer
  • *****
  • Offline Offline
  • Posts: 1967
  • Shuffle iT Username: faust
  • Respect: +2751
    • View Profile
Re: The forum isn't protected by HTTPS
« Reply #4 on: June 05, 2018, 05:23:05 am »
+9

I mean... is anything we do here really that important?
Is anything we do really that important?
Logged
Since the number of points is within a constant factor of the number of city quarters, in the long run we can get (4 - ε) ↑↑ n points in n turns for any ε > 0.

ThetaSigma12

  • Torturer
  • *****
  • Offline Offline
  • Posts: 1516
  • Shuffle iT Username: ThetaSigma12
  • Respect: +1575
    • View Profile
Re: The forum isn't protected by HTTPS
« Reply #5 on: June 05, 2018, 09:28:05 am »
+2

I mean... is anything we do here really that important?
Is anything we do really that important?
Is anything we do really that important?
Logged
If you have a fan card you want to be created, just post about it here! I'd love to take a look at it.

GendoIkari

  • Adventurer
  • ******
  • Offline Offline
  • Posts: 6817
  • Respect: +7660
    • View Profile
Re: The forum isn't protected by HTTPS
« Reply #6 on: June 05, 2018, 09:29:14 am »
+5

I mean... is anything we do here really that important? We’re playing a card game. Who cares about the extremely unlikely event that someone steals somebody’s log in in order to... impersonate them here? Which would be really quickly obvious and dealt with?

Plenty of other reasons to use https (mainly for people not smart enough to use multiple passwords for things) but I mean I wouldn’t say it’s particularly urgent.

Although password reuse is frowned upon; I'm pretty sure a lot of people still do it. Meaning that if someone's F.DS password is stolen, then that could cause lots of other issues for a person as well.
Logged
Check out my F.DS extension for Chrome! Card links; Dominion icons, and maybe more! http://forum.dominionstrategy.com/index.php?topic=13363.0

Thread for Firefox version:
http://forum.dominionstrategy.com/index.php?topic=16305.0

markusin

  • Cartographer
  • *****
  • Offline Offline
  • Posts: 3595
  • Shuffle iT Username: markusin
  • I also switched from Starcraft
  • Respect: +2170
    • View Profile
Re: The forum isn't protected by HTTPS
« Reply #7 on: June 05, 2018, 03:37:43 pm »
0

I mean... is anything we do here really that important? We’re playing a card game. Who cares about the extremely unlikely event that someone steals somebody’s log in in order to... impersonate them here? Which would be really quickly obvious and dealt with?

Plenty of other reasons to use https (mainly for people not smart enough to use multiple passwords for things) but I mean I wouldn’t say it’s particularly urgent.

Although password reuse is frowned upon; I'm pretty sure a lot of people still do it. Meaning that if someone's F.DS password is stolen, then that could cause lots of other issues for a person as well.

I think the modern recommendation is to use a password manager tool.
Logged

Chris is me

  • Mountebank
  • *****
  • Offline Offline
  • Posts: 2458
  • Shuffle iT Username: Chris is me
  • What do you want me to say?
  • Respect: +3028
    • View Profile
Re: The forum isn't protected by HTTPS
« Reply #8 on: June 05, 2018, 04:24:24 pm »
0

I agree that because of password sharing etc there’s plenty of reason to go to HTTPS when convenient; all I am saying is that the OP’s concerns of someone getting onto the personal WiFi of a prominent FDS user and impersonating them in order to fabricate official rulings is pretty far fetched.
Logged
Twitch channel: http://www.twitch.tv/chrisisme2791

bug me on discord

they/them

Donald X.

  • Dominion Designer
  • *****
  • Offline Offline
  • Posts: 4803
  • Respect: +19563
    • View Profile
Re: The forum isn't protected by HTTPS
« Reply #9 on: June 05, 2018, 04:55:29 pm »
+13

I agree that because of password sharing etc there’s plenty of reason to go to HTTPS when convenient; all I am saying is that the OP’s concerns of someone getting onto the personal WiFi of a prominent FDS user and impersonating them in order to fabricate official rulings is pretty far fetched.
The real Chris is me would never say that.
Logged

sitnaltax

  • Apprentice
  • *****
  • Offline Offline
  • Posts: 267
  • Respect: +463
    • View Profile
Re: The forum isn't protected by HTTPS
« Reply #10 on: June 05, 2018, 07:29:21 pm »
0

FWIW I use DreamHost for my hosting and they have a service where, for free and at the press of a button, they'll get, deploy, and auto-renew Let's Encrypt certificates for you. The f.ds host might have a similar service.
Logged

Kirian

  • Adventurer
  • ******
  • Offline Offline
  • Posts: 7044
  • Shuffle iT Username: Kirian
  • An Unbalanced Equation
  • Respect: +9263
    • View Profile
Re: The forum isn't protected by HTTPS
« Reply #11 on: June 05, 2018, 08:27:39 pm »
0

I mean... is anything we do here really that important?
Is anything we do really that important?
Is anything we do really that important?
Is anything we do really that important?
Logged
Kirian's Law of f.DS jokes:  Any sufficiently unexplained joke is indistinguishable from serious conversation.

Mic Qsenoch

  • 2015 DS Champion
  • *
  • Offline Offline
  • Posts: 1649
  • Respect: +4168
    • View Profile
Re: The forum isn't protected by HTTPS
« Reply #12 on: June 05, 2018, 08:45:04 pm »
+6

Are any of these posts actually funny?
Logged

Awaclus

  • Adventurer
  • ******
  • Offline Offline
  • Posts: 10572
  • Shuffle iT Username: Awaclus
  • (´。• ω •。`)
  • Respect: +10994
    • View Profile
Re: The forum isn't protected by HTTPS
« Reply #13 on: June 05, 2018, 08:47:56 pm »
+3

Are any of these posts actually funny?

Are any of these posts actually funny?
Logged
Bomb, Cannon, and many of the Gunpowder cards can strongly effect gameplay, particularly in a destructive way

The Twitch channel where I stream Dominion
The YouTube channel where I make music
Download my band's albums for free

Kirian

  • Adventurer
  • ******
  • Offline Offline
  • Posts: 7044
  • Shuffle iT Username: Kirian
  • An Unbalanced Equation
  • Respect: +9263
    • View Profile
Re: The forum isn't protected by HTTPS
« Reply #14 on: June 06, 2018, 01:26:42 pm »
+2

Are any of these posts actually funny?

Are any of these posts actually funny?

Are any of these posts actually funny?
Logged
Kirian's Law of f.DS jokes:  Any sufficiently unexplained joke is indistinguishable from serious conversation.

ObtusePunubiris

  • Thief
  • ****
  • Offline Offline
  • Posts: 93
  • Respect: +148
    • View Profile
Re: The forum isn't protected by HTTPS
« Reply #15 on: June 06, 2018, 01:59:12 pm »
0

Is it important that anything we really post is actually that funny?
Logged

LastFootnote

  • Adventurer
  • ******
  • Offline Offline
  • Posts: 6846
  • Shuffle iT Username: LastFootnote
  • Respect: +9368
    • View Profile
Re: The forum isn't protected by HTTPS
« Reply #16 on: June 06, 2018, 03:19:24 pm »
0

Are any of these posts actually funny?

I laughed. So, probably?
Logged

magnetic

  • Herbalist
  • **
  • Offline Offline
  • Posts: 5
  • Shuffle iT Username: magnetik
  • Respect: +12
    • View Profile
Re: The forum isn't protected by HTTPS
« Reply #17 on: June 07, 2018, 04:47:56 pm »
+2

I'll agree that my initial reasoning was a bit out there.

Protecting shared passwords is a much better reason. You may notice that SMF only sends them over the wire after hashing them, but without the opportunity for a salt, so a rainbow table attack on these passwords is still possible.
Logged
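
Added example, not part of the original post and not SMF's code: why an unsalted password digest gives little protection once it is observed, next to a salted, slow derivation. The bare SHA-1 scheme, the wordlist, the account names and every function name are assumptions made for illustration, and a plain precomputed dictionary stands in for a rainbow table.

```python
import hashlib
import hmac
import os

# Constructed sample data: a small wordlist and two made-up accounts that
# happen to reuse the same password.
WORDLIST = ["123456", "dominion", "letmein", "province8"]
ACCOUNTS = {"alice": "dominion", "bob": "dominion"}


def unsalted_digest(password):
    # Assumed scheme for illustration only: a bare SHA-1 of the password.
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup(words):
    # Computed once, then reusable against every unsalted digest anywhere.
    return {unsalted_digest(w): w for w in words}


def audit_unsalted(accounts, lookup):
    # Accounts whose unsalted digest is already present in the table.
    hits = {}
    for user, password in accounts.items():
        digest = unsalted_digest(password)
        if digest in lookup:
            hits[user] = lookup[digest]
    return hits


def salted_record(password, rounds=100_000):
    # Per-user random salt plus a slow KDF: equal passwords no longer produce
    # equal digests, so one precomputed table cannot cover all users.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest


def verify(password, salt, digest, rounds=100_000):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print(audit_unsalted(ACCOUNTS, build_lookup(WORDLIST)))
    records = {u: salted_record(p) for u, p in ACCOUNTS.items()}
    print(records["alice"][1] != records["bob"][1])
```

Salting addresses precomputation only; any value sent over plain HTTP can still be captured in transit, which is what TLS is for.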

Awaclus

  • Adventurer
  • ******
  • Offline Offline
  • Posts: 10572
  • Shuffle iT Username: Awaclus
  • (´。• ω •。`)
  • Respect: +10994
    • View Profile
Re: The forum isn't protected by HTTPS
« Reply #18 on: June 07, 2018, 09:16:09 pm »
+5

Well, there are more issues than that. For one, if you're able to log in as me, you're able to see all the private messages that I ever received or sent, which could be pretty damn uncomfortable for someone if there was anything confidential in there (there isn't because I just checked and deleted everything of the sort). You're also able to gain access to all the forums that I can access, which is not particularly impressive because I don't have any special privileges to see any more forums than any other regular user, but certain people (e.g. armchair treasure hunters) do have such privileges and if confidential things are being discussed on those forums, that could be very serious as well. You're also able to see my ignore list, which is definitely going to be at least a little uncomfortable for me, although nothing too serious. You're also able to see my forum settings, which you're not really supposed to see, but I can't imagine a plausible scenario where this causes any problems even if there's a breach.

The shared passwords concern is also very real.

Of course, none of this is a problem if people act responsibly on the Internet, but it's still important to maintain security at multiple layers because something is always going to go wrong, especially when people acting responsibly is supposed to be a part of the plan.
Logged
Bomb, Cannon, and many of the Gunpowder cards can strongly effect gameplay, particularly in a destructive way

The Twitch channel where I stream Dominion
The YouTube channel where I make music
Download my band's albums for free