Why no security?

Discussion in 'General Archive' started by totallyfresh, Apr 22, 2014.


Are you concerned by a lack of game security?

Poll closed Apr 29, 2014.
  1. Yes, I am concerned! - 2 vote(s), 100.0%
  2. No, I don't care! - 0 vote(s), 0.0%
  3. Bananas! - 0 vote(s), 0.0%
Thread Status:
Not open for further replies.
  1. totallyfresh

    totallyfresh Forum Greenhorn

    • Inappropriate Advertising
    There seems to be BAD security for the forum/game login. Why is this?
    BigPoint, Y U NO TLS properly?

    We've been using HTTPS/TLS for games for the past several years. Considering recent major vulnerabilities and wide-scale spying/exploitation of games by government entities, it might be useful to provide even a minimal amount of security to your players. AES 128-bit security is the baseline standard for forums and games.

    I find it amusing/surprising that the 'recover password' pages are secured, but the ones to register an account, log in to an account, and log in to the forum are NOT properly secured.

    So you have new forums, time to secure them properly!
    My request is to ask your website/forum coders to have a separate 'secure login' link that will let me log in on the actual bpsecure.com domain rather than doing it from the front page.

    EDIT: After analyzing the login a bit more closely, it seems to route the login through bpsecure.com (which is secured). Unfortunately, neither the website nor the forum supports secure HTTP renegotiation, so it is trivial for someone on public wifi to hijack the account.

    So players, change your passwords often and don't play this game on any unsecured (open) wifi networks. This won't protect you (at all) if hackers decide they want to mess things up here, but at least it will mitigate your risks a tiny bit.

    FYI, preventing Qualys SSL from gathering basic server security info only makes you more vulnerable to exploitation, not less. You might consider unblocking them if you care at all about security.

    **Workaround for Insecure Password Creation/Logins**

    EDIT

    So if you change your password often enough, you should hopefully be able to avoid the worst of compromises. Now here's hoping that the passwords that BigPoint stores are actually hashed & salted properly instead of being stored in cleartext.

    I know the no-double-post rule. This post was enough of an 'edit' and important enough to distinguish from the earlier post. I don't plan to double-post much (if at all) after this.

    So can I get any confirmation from mods/devs on what type of forum/website/game security is used? TLS version? Cipher type/strength?
    TALK TECHIE TO ME! =D
     
    Last edited by moderator: Apr 24, 2014
  2. Mal3ficent

    Mal3ficent Guest

    @totallyfresh, of course you can't. :)
     
  3. Callisto

    Callisto Forum Pro

    The forum login system was designed with security in mind.
     