Page 2 of 2 FirstFirst
1
2
  1. #21
    Legendary! Beazy's Avatar
    Join Date
    Dec 2010
    Location
    Dallas, TX
    Posts
    6,350
    Quote Originally Posted by InventiveMeasures View Post
    What does banking information have to do with the original post? Emails and passwords were the only things mentioned. The argument that because it's not sensitive information then it's meaningless is silly. Every website I've created an account for has a different password and/or email and it would seem like common sense to not share passwords for multiple sites but you'd be surprised how many people actually do that.
    Because you are worried about data at rest not in transit. SSL is for information in transit. Emails and passwords are saved and encrypted in databases and cookies at rest. If a hacker has access to your database, there is a much bigger problem that has nothing to do with SSL certificates. No one is going to maninthemiddle attack MMOC users for our info ~ because the hacker could just sign up for their own account and post here.

  2. #22
    Titan
    Join Date
    Feb 2008
    Location
    Sheffield, UK
    Posts
    13,441
    Quote Originally Posted by isuridedes View Post
    Oh man don't do this! This isn't standard practice anymore because session hijacking is a pretty legitimate security concern. These days it's a bit more robust with unique token generation and encrypting the cookie data, etc, etc.

    Not that any of that has anything to do with SSL. As you already noted SSL is really only about preventing man in the middle attacks.

    Looking at my MMOC cookie it looks like they store a variety of data in a pretty terrifying fashion:

    User ID, unencrypted
    Session ID, encrypted
    Password, encrypted

    And then a bunch of irrelevant forum information (last visit, last activity, etc).

    And oh my god their encryption on the cookie looks like it's MD5...
    It was a roundabout explanation for people who might not understand the more in-depth parts. I'm aware that encryption of cookies and tokens are more common, but the end result is similar in that it checks a cookie in the browser against <some field> on the server.

    I've also just looked at the cookies and holy crap, you're right. That's a lot more unnerving than them not having SSL as it makes me wonder if they've done it to cut corners, or because a developer didn't know enough to do security correctly, or if it's simply the platform they're using for the forum. Either way, there's never any acceptable situation to have a password cookie, encrypted/hashed or not.




  3. #23
    Old God Aeula's Avatar
    Join Date
    Nov 2011
    Location
    Silvermoon City, last bastion of the North-Eastern Horde
    Posts
    10,616
    They're too obsessed with getting that dodgy ad revenue.

  4. #24
    The answer here hasn't changed: http://www.mmo-champion.com/threads/...1#post45926607

    It is 100% something we want to do and on the roadmap, we just aren't quite there yet. Our goal is to have it done by sometime next year.
    Last edited by chaud; 2017-10-11 at 07:14 PM.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •