fermuch Posts: 1
8/6/2016
Hello. I've been trying the beta of Baros of the Galaxy and it's great, but the only thing I feel bad about is the lack of HTTPS support. I don't like the idea of my passwords going across the internet in plain text, so I'm suggesting to add SSL support.
With LetsEncrypt you can get a free SSL certificate, or even easier, you could switch to CloudFlare's DNS and you'll also get some basic DDoS protection (also free).
CmrdRowen Posts: 47
8/6/2016
fermuch wrote:
I don't like the idea of my passwords going across the internet in plain text
Basic practice with passwords is to hash them before sending them to the server, so that's not much of a problem. But a packet sniffer would definitely get the HTTP request and get your password in MD5 format, not in plain text, and that's if the guy is successful in catching it... And as you cannot directly reverse a hashed password to the original text, it will be more difficult to get it (not totally impossible, though, but it will certainly take time depending on how complex your password is).
Doctor Dread Administrator Posts: 1478
8/6/2016
Salting a one-way hash of your password, which is what is stored on the server, only protects your password if someone takes the database or gets into the machine. It doesn't stop them from logging in as you etc., they have the whole machine, BUT even they will not actually be able to see your password and try your username/PW combo on other sites. That's what encrypting it on the server is for.
As fermuch is saying though, that offers no protection from you typing in your login password and hitting login on the webpage, you are SENDING it to the server in plain text where anyone who is sniffing the network can potentially see it. SSL encryption protects that, as it is sent encrypted from your machine to the server.
SSL is something we plan to incorporate before launch, don't use your Bank of America login for the beta test please =)
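Added example, not part of the thread and not the game's code: the distinction drawn in the post above, between what the server stores and what crosses the network on login, sketched in Python. The form field names, the sample credentials and the PBKDF2 parameters are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from urllib.parse import parse_qs, urlencode

ITERATIONS = 600_000  # assumed PBKDF2 work factor, not a value from the thread


def make_record(password: str) -> dict:
    """What the server stores: a random per-user salt and a one-way hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record: dict, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(digest, record["hash"])


def login_body(username: str, password: str) -> bytes:
    """Body of a login form POST as the browser builds it (hypothetical field names)."""
    return urlencode({"username": username, "password": password}).encode()


def visible_on_wire(body: bytes) -> str:
    """What anyone on the network path can read when the POST is not inside TLS."""
    return parse_qs(body.decode())["password"][0]


if __name__ == "__main__":
    pw = "burner-Passw0rd!"  # constructed sample credential
    a, b = make_record(pw), make_record(pw)
    # Same password, different salts: the stored hashes do not match each other.
    print("stored hashes equal:", a["hash"] == b["hash"])
    print("login still verifies:", verify(a, pw))
    # The stored record protects the database copy only; the request body
    # still carries the password itself unless the connection is encrypted.
    print("sniffed from plain HTTP:", visible_on_wire(login_body("demo_player", pw)))
```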
Chojin Posts: 8
12/29/2016
I support this idea too
Doctor Dread Administrator Posts: 1478
12/29/2016
Chojin wrote:
I support this idea too
It's one of those things we plan to enable right before a launch. You should try to use your "burner" password for now =)
Razorix22 Posts: 13
12/21/2019
Please excuse me for digging up this topic, but is there any plan to implement it?
Doctor Dread Administrator Posts: 1478
12/26/2019
Razorix22 wrote:
Please excuse me for digging up this topic, but is there any plan to implement it?
There not only is a plan to implement it, the server itself already is running SSL on another website I control now. I plan on adding one here also soon, I just haven't gotten to it yet.
unaltered Posts: 5
8/9/2020
Hi,
New player - was honestly surprised to see a password field without HTTPS/SSL enabled. I would very much support this.
Doctor Dread Administrator Posts: 1478
8/11/2020
This is a hot item, I know. It'll come with other fixes when they happen.