1. #1

    MMO-Champ security

    Is there a reason why this site still has no SSL certificate? It's been 10 years, guys... Personally, I used a junk email to create an account but I'm sure others haven't and don't want their passwords and email addresses exposed.

    I understand it's under Curse but Curse has been acquired by Twitch which in turn was bought by Amazon. It's completely reasonable to contact them and arrange for it to get fixed a.s.a.p.

  2. #2
    The reason that we were given a few months ago is because the terribly intrusive ads that are on the site don't support it. Apparently intrusive ads are more important than customer security.

  3. #3
    Quote: Originally Posted by the game
    The reason that we were given a few months ago is because the terribly intrusive ads that are on the site don't support it. Apparently intrusive ads are more important than customer security.
    Wow.. that's wild and really unfortunate. Guess that's why wowhead also doesn't have one.

  4. #4
    Ghostpanther
    Quote: Originally Posted by the game
    The reason that we were given a few months ago is because the terribly intrusive ads that are on the site don't support it. Apparently intrusive ads are more important than customer security.
    I do not see the ads. And I am not using an ad blocker. But I do use the Firefox web browser and have Flash Player disabled. I can enable it when needed with a simple click.

  5. #5
    unbound
    Quote: Originally Posted by the game
    The reason that we were given a few months ago is because the terribly intrusive ads that are on the site don't support it. Apparently intrusive ads are more important than customer security.
    lol...that hasn't been a problem for many years. That is, it isn't a problem if you are using reputable advertisers. Hmmmm.....

  6. #6
    Quote: Originally Posted by unbound
    lol...that hasn't been a problem for many years. That is, it isn't a problem if you are using reputable advertisers. Hmmmm.....
    Here's the confirmation about it.

    http://www.mmo-champion.com/threads/...1#post45926607

  7. #7
    There are a couple of reasons I can think of. Neither is particularly "Okay, this is a solid, bulletproof argument", but they are pretty reasonable.

    (1) If an SSL website pulls resources from a non-SSL address, a browser-level security alert is triggered warning the user. For the technically-deficient user this could terrify them off the site. That affects MMOC's bottom line.

    (2) MMOC was created during a time when maintaining an SSL license was quite costly. While those costs have lowered to virtually zero today... it's still a bit of work to enact the changeover. Old links need to be re-routed either through a plugin or through an .htaccess redirect.

    (3) Aside from satiating the security desires of a niche group of users, the work involved provides zero benefit to MMOC. They are not a banking service, they do not store any sort of sensitive data that would legally require that they use an SSL service. Enabling SSL will not result in more users flocking to the site, or better ad revenue or in any way make the site more valuable than it already is. One might argue that the reverse is also true; it will not be LESS valuable with SSL enabled; but again... that requires work and there is no benefit for completing said work.

    ... for any NEW web project I would always recommend SSL regardless of the project scope or the data you store. It's practically free, it adds a sense of security to your users, and it's easier to handle from the beginning than it is to just retrofit it after-the-fact. But for existing sites? I'm sorry but the data MMOC stores about you is pretty... useless. Unless you're using the same e-mail/pass on MMOC that you use to manage your bank account that data isn't going to be very useful to any hacker.

    And if it is... well that's not MMOC's fault.
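
The retrofit check implied by point (1) of the post above, as an added example that is not part of the original post: a Python scan of one page's HTML for subresources that would still load over plain HTTP once the page itself is served over HTTPS. The page URL, hostnames and markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) -> severity. Browsers block insecure "active" loads on an
# HTTPS page; "passive" loads get a degraded indicator or are auto-upgraded.
RULES = {
    ("script", "src"): "active", ("iframe", "src"): "active",
    ("link", "href"): "active", ("object", "data"): "active",
    ("embed", "src"): "active",
    ("img", "src"): "passive", ("audio", "src"): "passive",
    ("video", "src"): "passive", ("source", "src"): "passive",
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute URL), in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return  # rel=canonical and similar are not subresource loads
        for (rule_tag, attr), severity in RULES.items():
            if rule_tag == tag and a.get(attr):
                # Resolve relative and protocol-relative (//host/x) URLs first
                url = urljoin(self.page_url, a[attr])
                if urlsplit(url).scheme == "http":
                    self.findings.append((severity, tag, url))

def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page (hypothetical hosts), not taken from any real site.
SAMPLE_PAGE = """
<head><link rel="canonical" href="http://forum.example/threads/1">
<link rel="stylesheet" href="/css/site.css">
<script src="http://ads.example/tag.js"></script>
<script src="//cdn.example/lib.js"></script></head>
<body><img src="http://img.example/banner.png">
<iframe src="http://ads.example/frame.html"></iframe>
<a href="http://old.example/thread">old link</a></body>
"""

if __name__ == "__main__":
    for finding in find_mixed_content("https://forum.example/threads/1", SAMPLE_PAGE):
        print(*finding)
```

Ordinary `<a href>` links and `rel="canonical"` are not reported because following a link is a navigation, not a subresource load; those are the old links the post says need a redirect.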

  8. #8
    That's funny and sad about the ads... but yeah MMO-C is so bad with ads they went back on my black list.... though wowhead is worse.

  9. #9
    Quote: Originally Posted by the game
    Thanks for the link. I think that excuse is weak though. They can use Amazon affiliate links, Patreon, maybe even a donate option with a progress bar on how much is needed per month to support the site.

  10. #10
    unbound
    Quote: Originally Posted by the game
    Oh, I don't doubt they've claimed as much. But, don't take my word for it, just go to another site. Reddit uses SSL, and, yep, there is advertising there. Hmm, Ars Technica...SSL and advertising. And so on, and so on, and so on....

  11. #11
    Quote: Originally Posted by the game
    The reason that we were given a few months ago is because the terribly intrusive ads that are on the site don't support it. Apparently intrusive ads are more important than customer security.
    Then the big heads come in here

    "If you just report the bad ads..."

    How about ye feck off ye skeevers? I will just block 'em all. It's a shame; if you got better security and less intrusive ads I may actually support the site.

  12. #12
    Doctor Amadeus
    Well I have to say I like the Ice Silk briefs. I might buy some because I like the name Ice Briefs.

  13. #13
    Beazy
    SSL/HTTPS certs encrypt data in transit, so if a hacker gains access to the server's database, an SSL cert means jack shit. There is no reason to hijack transit data on MMOC because we aren't throwing around PII protected financial info or personal info.

  14. #14
    Deleted
    Quote: Originally Posted by the game
    The reason that we were given a few months ago is because the terribly intrusive ads that are on the site don't support it. Apparently intrusive ads are more important than customer security.
    Should allow SSL for people with adblock.

  15. #15
    What does banking information have to do with the original post? Emails and passwords were the only things mentioned. The argument that because it's not sensitive information then it's meaningless is silly. Every website I've created an account for has a different password and/or email and it would seem like common sense to not share passwords for multiple sites but you'd be surprised how many people actually do that.

  16. #16
    lockblock
    The credential issue is really the problem of those who choose not to make alternate addresses and/or use the same credentials for every site.
    Now if this site was collecting payments from us I would totally agree that we should be up in arms and demand TLS/SSL.

    Quote: Originally Posted by the game
    Apparently intrusive ads are more important than customer user security.
    MMO-C isn't a paid service and fixed that for you.

  17. #17
    Quote: Originally Posted by Synthaxx
    If they do match, the server tells your browser to set a cookie - this cookie contains a session ID
    Oh man don't do this! This isn't standard practice anymore because session hijacking is a pretty legitimate security concern. These days it's a bit more robust with unique token generation and encrypting the cookie data, etc, etc.

    Not that any of that has anything to do with SSL. As you already noted, SSL is really only about preventing man-in-the-middle attacks.

    Looking at my MMOC cookie it looks like they store a variety of data in a pretty terrifying fashion:

    User ID, unencrypted
    Session ID, encrypted
    Password, encrypted

    And then a bunch of irrelevant forum information (last visit, last activity, etc).

    And oh my god their encryption on the cookie looks like it's MD5...
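
A defender-side check of the cookie properties described in the post above, as an added example that is not part of the original post: it audits `Set-Cookie` header values for the `Secure` and `HttpOnly` attributes and flags values that have the shape of an MD5 digest. The cookie names and values are constructed and hypothetical.

```python
import hashlib
import re

# 32 hex characters is the length of an MD5 digest. MD5 is a hash, not
# encryption, so such a value in a cookie may be a replayable secret.
MD5_SHAPED = re.compile(r"[0-9a-fA-F]{32}")

def audit_set_cookie(header_value):
    """Return (cookie name, list of issues) for one Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    # Attribute names are case-insensitive; flags such as Secure carry no value
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    issues = []
    if "secure" not in attrs:
        issues.append("no Secure")      # cookie is also sent over plain HTTP
    if "httponly" not in attrs:
        issues.append("no HttpOnly")    # cookie is readable by page scripts
    if MD5_SHAPED.fullmatch(value.strip('"')):
        issues.append("MD5-shaped value")
    return name.strip(), issues

def audit_headers(set_cookie_values):
    """Map each cookie name to its issues for a list of Set-Cookie values."""
    return dict(audit_set_cookie(v) for v in set_cookie_values)

# Constructed headers; cookie names and values are hypothetical.
_digest = hashlib.md5(b"constructed-sample").hexdigest()
SAMPLE_HEADERS = [
    "ex_userid=12345; Path=/",
    "ex_password=" + _digest + "; Path=/; HttpOnly",
    "ex_session=Zk3vQ0m1c9s7Jt2uYb8Xw4LrA6pHn5Ge; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for cookie, issues in audit_headers(SAMPLE_HEADERS).items():
        print(cookie, issues or "ok")
```

A random 32-hex-character session token would also be flagged as MD5-shaped, so that finding is a prompt to check how the value is generated, not proof of a hashed password.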

  18. #18
    Beazy
    Quote: Originally Posted by InventiveMeasures
    What does banking information have to do with the original post? Emails and passwords were the only things mentioned. The argument that because it's not sensitive information then it's meaningless is silly. Every website I've created an account for has a different password and/or email and it would seem like common sense to not share passwords for multiple sites but you'd be surprised how many people actually do that.
    Because you are worried about data at rest, not in transit. SSL is for information in transit. Emails and passwords are saved and encrypted in databases and cookies at rest. If a hacker has access to your database, there is a much bigger problem that has nothing to do with SSL certificates. No one is going to man-in-the-middle attack MMOC users for our info ~ because the hacker could just sign up for their own account and post here.

  19. #19
    Aeula
    They're too obsessed with getting that dodgy ad revenue.

  20. #20
    The answer here hasn't changed: http://www.mmo-champion.com/threads/...1#post45926607

    It is 100% something we want to do and on the roadmap, we just aren't quite there yet. Our goal is to have it done by sometime next year.
    Last edited by chaud; 2017-10-11 at 07:14 PM.
