darkSpyro - Spyro and Skylanders Forum > Site Help and Suggestions > Petition for dark52 to set this site up with HTTPS
Petition for dark52 to set this site up with HTTPS
Pixilism Emerald Sparx Gems: 4974
#1 Posted: 03:46:35 07/12/2018 | Topic Creator

So I was reading through this section and found a link another user posted to a topic of theirs talking about how this site should be HTTPS compatible. The topic is here if you are curious.

But the topic I think was closed for the notion of potential fear mongering. While I understand that that can be perceived as fear mongering, please let me explain a bit about HTTPS in this topic and why it may be beneficial to the website and the security of its users.

I'm currently a student taking classes and listening to lectures about cyber security and hacking as a career interest and in the literal first section it talks about the difference in HTTP and HTTPS and why HTTP is so insecure in comparison. I'm not too far into my hacking learning adventure, so I don't know very much at all about the subject, but I do have at least a basic understanding on how this works, and I'll share details on the difference in the best way I know how.

When you enter information on a website and click the button to proceed, it sends the information from your computer or other device, to the internet, and then to DarkSpyro's server. It's kind of like sending a written letter to a recipient.

So for this example, we'll use username and password verification in this topic. When you type in your username and password to login, even if it gets auto-filled by your web browser, when you click the login button it will send your username and your password to the internet on a route to the DarkSpyro website server. Since DarkSpyro is not HTTPS, but instead HTTP, it sends it nearly identically like you typed your username and password in a text file and sent it in a file transfer.

So it looks something like this with HTTP.

Computer/mobile with plain text file clearly stating your username and password -------------> Internet -----------------> DarkSpyro website.

Now let's say there's a hacker intercepting your connection for a Man in the Middle Attack (MITM Attack for short). A hacker can intercept information sent at any point in between you and the internet, and the internet and the website. I haven't learned enough to know how easy it is to actually become the man in the middle, but I imagine it can sometimes be pretty easy. The hacker can then read all the information you sent to the website, which would include your username and password like it were in plain text in a .txt document. That's a bit scary, huh? Now imagine using the same password for everything. If a hacker intercepts your password on an HTTP site, they now have your password for everything.

Now let's think about if the website were in HTTPS. It works pretty much the same way as HTTP does, except it encrypts everything it will send between you and the website. What this means is it scrambles the information with a key, and then sends the information.

Now, this does NOT prevent hackers from intercepting the data packets/files. However, it does make it a lot harder for them to pick out your password. Why? Because it is all scrambled, and only your computer and the website knows how to crack it. The website can still verify your username and password, but any hacker in between cannot.

So before sending your information to the server through the internet, it will perform an encryption similar to THIS before sending it. If a hacker were to receive the file after the encryption process, they will only be able to see the text in the bottom box of that picture, and have no idea how to decrypt it into the login details. However once it reaches the server, the server will know how because of a complicated method of the computer/website communicating how to decrypt the message, effectively leaving the hacker in the dust.

So I hope that helped develop an understanding of how this sort of thing works. HTTPS adds a massive layer of security to a website that cannot be understated.

If there's more experienced people out there that want to correct me on something, feel free to. I'm a beginner to cyber security and I hardly know anything as of yet.

Now I know what some of you might be thinking, allow me to touch on something really quick.

  • Turning on HTTPS isn't as simple as flicking a switch. There is work involved!
  • I'm fully aware, but to sacrifice the security of the user-base with a site that isn't using HTTPS in 2018 because it's "too much work" is unfathomable. The site isn't secure using HTTP, and while hacking attacks targeted on this forum might happen extremely rarely, I think it may be better safe than sorry.

Here's my suggestion in the meantime, especially if you use the same password for everything like I used to.
Stop using the same password for everything. If you really want to keep using the same password for everything, no one will stop you, but at least stop using that password for any site that uses HTTP. If you use different passwords for HTTP sites, and you get MITM'd logging into said HTTP site and your password gets revealed to the MITM, your other websites will be safe as it will be a different password that they got. If you want to go one step further into password security, use apps such as Google Chrome's built in password generator/password memorizing, or use an add-on such as LastPass. Both of these are excellent ways of keeping your information secure, they can generate passwords that are realistically impossible to guess, as well as save them so that you don't have to memorize them. Here's a generated password I just made as an example using LastPass.

That is all I wanted to talk about today, thank you for at least hearing me out. Please excuse my unorganized post, I couldn't be bothered to properly format it. If you have questions please post and I will try my best to remember to come back here and answer them.
Edited 4 times - Last edited at 21:59:16 11/12/2018 by Pixilism
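As an added example (not from this thread, and not code from the darkSpyro site), here is a small Python check of what a finished HTTP-to-HTTPS move looks like from the browser's side: plain-HTTP requests permanently redirected to https://, an HSTS header on the HTTPS response, and the session cookie marked Secure so it is never sent in the clear. The raw responses and the hostname forum.example are constructed for the example.

```python
import re

ONE_YEAR = 31536000  # HSTS max-age in seconds; one year is the usual minimum


def parse_head(raw):
    """Split a raw HTTP response head into (status, headers, set_cookie_values).
    Header names are lowercased; Set-Cookie values are collected separately
    because a response may carry several of them."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers, cookies = {}, []
    for line in lines:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            cookies.append(value)
        else:
            headers[name] = value
    return status, headers, cookies


def https_migration_issues(http_raw, https_raw):
    """Return the problems found; an empty list means the basics are in place."""
    issues = []
    status, headers, _ = parse_head(http_raw)
    if status not in (301, 308) or not headers.get("location", "").startswith("https://"):
        issues.append("plain-HTTP request is not permanently redirected to https://")
    _, headers, cookies = parse_head(https_raw)
    m = re.search(r"max-age=(\d+)", headers.get("strict-transport-security", ""), re.I)
    if not m or int(m.group(1)) < ONE_YEAR:
        issues.append("HSTS header missing or max-age shorter than one year")
    for cookie in cookies:
        name = cookie.split("=", 1)[0]
        flags = [p.strip().lower() for p in cookie.split(";")[1:]]
        if "secure" not in flags:
            issues.append(f"cookie {name!r} lacks the Secure flag, so a browser would still send it over HTTP")
    return issues


# Constructed sample responses; nothing here was captured from the real forum.
BEFORE_HTTP = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
               "Set-Cookie: session=abc123; Path=/\r\n\r\n<html>...")
AFTER_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://forum.example/\r\n\r\n"
AFTER_HTTPS = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
               "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n\r\n<html>...")

if __name__ == "__main__":
    print("before the move:", https_migration_issues(BEFORE_HTTP, BEFORE_HTTP))
    print("after the move:", https_migration_issues(AFTER_HTTP, AFTER_HTTPS))
```

Run against a real site the same three checks would be made with one request to http:// and one to https://; the functions only look at the response heads, so any HTTP client's raw output can be fed in.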
Bifrost Platinum Sparx Gems: 6840
#2 Posted: 03:51:29 07/12/2018
This has been mentioned before, but yes please.
UncleBob Ripto Gems: 4565
#3 Posted: 23:59:41 10/12/2018
Thanks for bringing this up again.

With no snark intended, it really is a big deal and was very poorly handled last time - hopefully, y'all have more luck this time around.
UncleBob Ripto Gems: 4565
#4 Posted: 09:28:38 12/12/2018
I didn't have much time to reply the other day, but something I touched on in the last thread that wasn't covered in the OP - and why this is a big deal...

Without encryption, someone can MITM attack you/this website. Essentially, they copy this website, then trick your computer (phone/tablet/whatever) into connecting to them instead. Now, because there's no encryption, this copied website not only acts just like the original, but what you send to it can be forwarded to the original. So you could post something to the fake site, then everyone on the real site sees it, replies like normal, and you'd see their replies - never knowing you're on the fake site.

Then, the fake site can be programmed to use various back door hacks and scripts to trick your computer into infecting itself. That "Post Reply" button secretly becomes a "Post Reply and Install" button.

And this isn't a simple matter of having an anti-virus installed - but even if it were, which one do you have installed? Do you have the one that's updated for a particular virus? A particular malware? Any one of the thousands of known possible attack vectors on your system? Is it updated for the unknown attack vectors? (No, it isn't... otherwise, they wouldn't be unknown.) How many of you even *have* some kind of anti-malware scanner on your phone? Are you one of those folks who thinks Apple products are safe from attacks? (PROTip: they're not.)

Once your PC/Tablet/Phone is infected, a potential attacker could have access to everything your device is used for. Everything your device connects to. Your social media. Your bank accounts. Your shopping accounts. Your credit cards. Parents, siblings, spouses use your computer? Their information is at risk as well.

This isn't chicken little screaming that the sky is falling - there are a multitude of real-life examples, anywhere from major corporations and governments to small time websites.

In addition to using unique passwords for each site (always good advice no one follows... if you're bad at remembering, add something unique to each website. Like, say you want to use the password "Spyr0_the_drag0n" on all websites. Here, use "Spyr0_the_drag0n_ds". On Facebook, use "Spyr0_the_drag0n_fb". Gmail? "Spyr0_the_drag0n_gm". It isn't going to stop a dedicated person (although, instead of the initials of the site, use something you, personally, think of when you go to the site. Like, darkSpyro.... Dark52. 52. "Spyr0_the_drag0n_52"), but it will stop automated scripts from flagging all your other accounts as "Open for business!" This isn't as good as truly unique passwords for every site, but for most people, that's just not going to happen... so try this!), make sure you have up to date anti-virus, malware scanners, and blockers in place to kill ads and trackers. I won't name any specifically, as I urge you to research this and make your own decisions on your own device's security.