  1. #1

    MMO-Champ security

    Is there a reason why this site still has no SSL certificate? It's been 10 years, guys... Personally, I used a junk email to create an account but I'm sure others haven't and don't want their passwords and email addresses exposed.

    I understand it's under Curse but Curse has been acquired by Twitch which in turn was bought by Amazon. It's completely reasonable to contact them and arrange for it to get fixed a.s.a.p.

  2. #2
    The reason that we were given a few months ago is because the terribly intrusive ads that are on the site don't support it. Apparently intrusive ads are more important than customer security.
    The King took his head.

  3. #3

  4. #4
    Quote Originally Posted by the game View Post
    The reason that we were given a few months ago is because the terribly intrusive ads that are on the site don't support it. Apparently intrusive ads are more important than customer security.
    Wow.. that's wild and really unfortunate. Guess that's why wowhead also doesn't have one.

  5. #5
    Quote Originally Posted by the game View Post
    The reason that we were given a few months ago is because the terribly intrusive ads that are on the site don't support it. Apparently intrusive ads are more important than customer security.
    I do not see the ads. And I am not using an ad blocker. But I do use Firefox web browser and have Flashplayer disabled. I can enable it when needed by a simple one click.

  6. #6
    Quote Originally Posted by the game View Post
    The reason that we were given a few months ago is because the terribly intrusive ads that are on the site don't support it. Apparently intrusive ads are more important than customer security.
    lol...that hasn't been a problem for many years. That is, it isn't a problem if you are using reputable advertisers. Hmmmm.....

  7. #7
    Quote Originally Posted by unbound View Post
    lol...that hasn't been a problem for many years. That is, it isn't a problem if you are using reputable advertisers. Hmmmm.....
    Here's the confirmation about it.

    http://www.mmo-champion.com/threads/...1#post45926607
    The King took his head.

  8. #8
    There are a couple of reasons I can think of. Neither are particularly "Okay this is a solid, bulletproof argument" but they are pretty reasonable.

    (1) If an SSL website pulls resources from a non-SSL address a browser-level security alert is triggered warning the user. For the technically-deficient user this could terrify them off the site. That affects MMOC's bottom line.

    (2) MMOC was created during a time when maintaining an SSL license was quite costly. While those costs have lowered to virtually zero today... it's still a bit of work to enact the changeover. Old links need to be re-routed either through a plugin or through an .htaccess redirect.

    (3) Aside from satiating the security desires of a niche group of users, the work involved provides zero benefit to MMOC. They are not a banking service, they do not store any sort of sensitive data that would legally require that they use an SSL service. Enabling SSL will not result in more users flocking to the site, or better ad revenue or in any way make the site more valuable than it already is. One might argue that the reverse is also true; it will not be LESS valuable with SSL enabled; but again... that requires work and there is no benefit for completing said work.

    ... for any NEW web project I would always recommend SSL regardless of the project scope or the data you store. It's practically free, it adds a sense of security to your users, and it's easier to handle from the beginning than it is to just retrofit it after-the-fact. But for existing sites? I'm sorry but the data MMOC stores about you is pretty... useless. Unless you're using the same e-mail/pass on MMOC that you use to manage your bank account that data isn't going to be very useful to any hacker.

    And if it is... well that's not MMOC's fault.
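
Point (1) in the post above is the mixed-content problem. The following is an added example, not part of the thread and not MMO-Champion's code: an audit that lists the subresources an HTTPS page would still fetch over plain HTTP, using a constructed sample page and placeholder hostnames.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

ACTIVE = {"script", "iframe", "embed", "link"}   # can rewrite the page
PASSIVE = {"img", "audio", "video", "source"}    # display-only content

class MixedContentAudit(HTMLParser):
    """Collect subresources an HTTPS page would fetch over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []          # (kind, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag not in ACTIVE | PASSIVE:
            return
        # Of the <link> types, this audit only counts stylesheets.
        if tag == "link" and "stylesheet" not in (attr.get("rel") or "").lower():
            return
        ref = attr.get("href" if tag == "link" else "src")
        if not ref:
            return
        # Relative and protocol-relative (//host/path) URLs inherit the page scheme.
        absolute = urljoin(self.page_url, ref)
        if urlparse(absolute).scheme == "http":
            kind = "active" if tag in ACTIVE else "passive"
            self.findings.append((kind, tag, absolute))

def audit(page_url, html):
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample page: a forum thread with third-party ad tags.
SAMPLE = """
<link rel="stylesheet" href="/css/forum.css">
<link rel="canonical" href="http://forum.example/threads/1">
<script src="http://ads.example.net/tag.js"></script>
<script src="//cdn.example.org/jquery.js"></script>
<img src="http://ads.example.net/banner.gif">
<img src="images/avatar.png">
<iframe src="http://ads.example.net/frame.html"></iframe>
<a href="http://example.com/">plain link, not a subresource</a>
"""

if __name__ == "__main__":
    for finding in audit("https://forum.example/threads/1", SAMPLE):
        print(*finding)
```

Ordinary `<a>` links and the canonical `<link>` are not reported because the browser does not load them as part of the page.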

  9. #9
    that's funny and sad about the ads... but yeah MMO-C is so bad with ads they went back on my black list.... though wowhead is worse.
    Member:Legion Alpha, Member since 1/27/2016 | Overwatch Beta Club, Member Since 11/10/2015 | WoD Alpha club, Member since 6/17/14

  10. #10
    Quote Originally Posted by the game View Post
    Thanks for the link. I think that excuse is weak though. They can use Amazon affiliate links, Patreon, maybe even a donate option with a progress bar on how much is needed per month to support the site.

  11. #11
    Quote Originally Posted by the game View Post
    Oh, I don't doubt they've claimed as much. But, don't take my word for it, just go to another site. Reddit uses SSL, and, yep, there is advertising there. Hmm, ars technica...SSL and advertising. And so on, and so on, and so on....

  12. #12
    Immortal Paula Deen's Avatar
    Join Date
    Jul 2013
    Location
    #TeamDragons
    Posts
    7,882
    Quote Originally Posted by the game View Post
    The reason that we were given a few months ago is because the terribly intrusive ads that are on the site don't support it. Apparently intrusive ads are more important than customer security.
    Then the big heads come in here

    "If you just report the bad ads..."

    How about ye feck off ye skeevers? I will just block em all. It's a shame if you got better security and less intrusive ads I may actually support the site.

  13. #13
    Banned Mall Security's Avatar
    Join Date
    May 2011
    Location
    In Security Watching...
    Posts
    23,725
    Well I have to say I like the Ice Silk briefs. I might buy some because I like the name Ice Briefs.

  14. #14
    Legendary! Beazy's Avatar
    Join Date
    Dec 2010
    Location
    Dallas, TX
    Posts
    6,237
    SSL/https certs encrypt data in transit, so if a hacker gains access to the server's database, an SSL cert means jack shit. There is no reason to hijack transit data on MMOC because we aren't throwing around PII protected financial info or personal info.

  15. #15
    Scarab Lord tollshot's Avatar
    Join Date
    Dec 2010
    Location
    Auchenshuggle
    Posts
    4,744
    The ability to delete an account (and all related data) would be welcome given mmoc’s lax approach to security.
    I'm truly sorry man's dominion, Has broken nature's social union,
    An' justifies that ill opinion, Which makes thee startle
    At me, thy poor, earth-born companion, An' fellow-mortal!
    To a Mouse, Robert Burns, 1795

  16. #16
    Quote Originally Posted by the game View Post
    The reason that we were given a few months ago is because the terribly intrusive ads that are on the site don't support it. Apparently intrusive ads are more important than customer security.
    Should allow ssl for people with adblock.

  17. #17
    Titan
    Join Date
    Feb 2008
    Location
    Sheffield, UK
    Posts
    13,429
    Quote Originally Posted by isuridedes View Post
    There are a couple of reasons I can think of. Neither are particularly "Okay this is a solid, bulletproof argument" but they are pretty reasonable.

    (1) If an SSL website pulls resources from a non-SSL address a browser-level security alert is triggered warning the user. For the technically-deficient user this could terrify them off the site. That affects MMOC's bottom line.

    (2) MMOC was created during a time when maintaining an SSL license was quite costly. While those costs have lowered to virtually zero today... it's still a bit of work to enact the changeover. Old links need to be re-routed either through a plugin or through an .htaccess redirect.

    (3) Aside from satiating the security desires of a niche group of users, the work involved provides zero benefit to MMOC. They are not a banking service, they do not store any sort of sensitive data that would legally require that they use an SSL service. Enabling SSL will not result in more users flocking to the site, or better ad revenue or in any way make the site more valuable than it already is. One might argue that the reverse is also true; it will not be LESS valuable with SSL enabled; but again... that requires work and there is no benefit for completing said work.

    ... for any NEW web project I would always recommend SSL regardless of the project scope or the data you store. It's practically free, it adds a sense of security to your users, and it's easier to handle from the beginning than it is to just retrofit it after-the-fact. But for existing sites? I'm sorry but the data MMOC stores about you is pretty... useless. Unless you're using the same e-mail/pass on MMOC that you use to manage your bank account that data isn't going to be very useful to any hacker.

    And if it is... well that's not MMOC's fault.
    SSL isn't practically free, it's actually free through services such as Let's Encrypt for which plugins and libs are available for most languages to be able to retrieve certificate, key and chain. I use it on my sites but only because it's an option, even though my sites are merely portfolios and don't have any forms or such that can be submitted.

    I think that people don't understand what SSL actually does. They seem to be under the impression that SSL is a be-all-end-all of security when in actual fact, it's probably the least of the concerns on a site such as this. We're not talking banking or sensitive information so MITM attacks aren't a major concern. Someone gets your details, they can post on a gaming forum... woo-hoo? People seem to have this idea that their email address is exposed because they're visiting the site. Once you're logged in, that's it from what I've seen as sessions seem to have a very long lifetime. Unless someone's watching at the exact moment you log in, you're not at risk from anything that SSL would prevent.

    Here's how it works folks (and this is standard practice across the web);

    - You log in using username and password
    - The website checks your details
    - If they don't match, you're not allowed in
    - If they do match, the server tells your browser to set a cookie - this cookie contains a session ID
    - When you visit the site again, it checks for this cookie and gets the session ID from it
    - It then knows who is visiting the website and adapts the web page it's displaying to account for that

    The session ID I mentioned is only useful to the server and doesn't contain your username, email, password or any other information. It simply looks up your session ID from the list of session IDs to see which user that session is associated with. Visitors have no way of seeing the session list - the only people that can see it are those who have access to the hosting platform for the website.
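
The login flow listed in the post above, as an added example (not part of the thread and not MMO-Champion's code). The in-memory `USERS` and `SESSIONS` stores, the `sid` cookie name and the sample account are assumptions; the cookie carries the `Secure` attribute, which tells the browser to send it only over HTTPS.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

USERS = {}     # username -> (salt, password hash); constructed sample store
SESSIONS = {}  # session ID -> username; exists only on the server

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(username, password):
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, _hash(password, salt))

def login(username, password):
    """Check the credentials; return a Set-Cookie value, or None on mismatch."""
    salt, stored = USERS.get(username, (b"\0" * 16, b""))
    if not hmac.compare_digest(_hash(password, salt), stored):
        return None
    sid = secrets.token_urlsafe(32)   # random; encodes nothing about the user
    SESSIONS[sid] = username
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["path"] = "/"
    cookie["sid"]["secure"] = True    # browser sends it only over https://
    cookie["sid"]["httponly"] = True  # page scripts cannot read it
    cookie["sid"]["samesite"] = "Lax"
    return cookie["sid"].OutputString()

def current_user(cookie_header):
    """Look up the user for a Cookie request header, or None if unknown."""
    jar = SimpleCookie(cookie_header)
    sid = jar["sid"].value if "sid" in jar else ""
    return SESSIONS.get(sid)

def logout(cookie_header):
    """Drop the server-side entry so the session ID stops working."""
    jar = SimpleCookie(cookie_header)
    if "sid" in jar:
        SESSIONS.pop(jar["sid"].value, None)

if __name__ == "__main__":
    register("alice", "correct horse")          # constructed account
    header = login("alice", "correct horse")
    print("Set-Cookie:", header)
    print("user:", current_user(header.split(";")[0]))
```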




  18. #18
    What does banking information have to do with the original post? Emails and passwords were the only things mentioned. The argument that because it's not sensitive information then it's meaningless is silly. Every website I've created an account for has a different password and/or email and it would seem like common sense to not share passwords for multiple sites but you'd be surprised how many people actually do that.

  19. #19
    Epic! lockblock's Avatar
    Join Date
    Nov 2010
    Location
    wisconsin .. I mean greymane
    Posts
    1,598
    The credential issue is really the problem of those who choose not to make alternate addresses and/or use the same credentials for every site.
    Now if this site was collecting payments from us I would totally agree that we should be up in arms and demand TLS/SSL.

    Quote Originally Posted by the game View Post
    Apparently intrusive ads are more important than customer user security.
    MMO-C isn't a paid service and fixed that for you.

  20. #20
    Quote Originally Posted by Synthaxx View Post
    If they do match, the server tells your browser to set a cookie - this cookie contains a session ID
    Oh man don't do this! This isn't standard practice anymore because session hijacking is a pretty legitimate security concern. These days it's a bit more robust with unique token generation and encrypting the cookie data, etc, etc.

    Not that any of that has anything to do with SSL. As you already noted SSL is really only about preventing man in the middle attacks.

    Looking at my MMOC cookie it looks like they store a variety of data in a pretty terrifying fashion:

    User ID, unencrypted
    Session ID, encrypted
    Password, encrypted

    And then a bunch of irrelevant forum information (last visit, last activity, etc).

    And oh my god their encryption on the cookie looks like it's MD5...
