HTTPS for login page

Posted: Sat Nov 07, 2009 8:59 pm
by Dracons
Well, here's hoping I am posting this in the right place. I must say I was a little surprised not to find any posts on this subject.

Now then, there are actually two things I wanted to suggest. Both relate to increasing the security of players' passwords and accounts.

I'll start with the minor thing first. In the ascended server, when the entry code is correct but the name, email, or pass is incorrect, it returns an error message to the login screen. In that error message, it includes plain text versions of the name, email, and pass. If someone were to log in at a public place (say a cyber cafe), it is possible that someone could read the information and use it maliciously. I would ask that that portion of the error message be removed, as it apparently has been done on the main server's login.

The second thing refers to a more general security hole. Using HTTP for the login page is not ideal. It is entirely possible for someone to intercept a player's login information when it is being sent to the server. This is even more dangerous for those who use the same password for their email accounts. The solution to this is relatively simple.

Have people login using HTTPS. HTTPS will encrypt the data and prevent people who might be searching for user names and passwords from learning your information.

Sounds great right?
Well, there is a downside, and possibly the reason why it has not already been implemented. Most browsers will check with a certificate authority to see if the site that is using HTTPS has registered with them. If not, then the browser will display a warning saying that the certificate is not trusted. Most people who come to the site knowing little about the internet may be scared off by this warning and thus might stop playing.

So ideally, if the Admin were to implement HTTPS, he would pay the fee to get on a certificate authority's list (which may range from 13 USD to 1500 USD per year according to Wikipedia). He could also register with a free certificate authority, but free certificate authorities are not checked by all web browsers, so warning messages will still pop up on a percentage of computers. Lastly, he could implement HTTPS and just assign his own certificates. This means most people would get the warning messages. However, I think the majority of the players will complain (probably in the bugs section) before abandoning gatewars.

Re: HTTPS for login page

Posted: Sat Nov 07, 2009 10:45 pm
by CABAL
Dracons wrote:Well, here's hoping I am posting this in the right place. I must say I was a little surprised not to find any posts on this subject.

Now then, there are actually two things I wanted to suggest. Both relate to increasing the security of players' passwords and accounts.

I'll start with the minor thing first. In the ascended server, when the entry code is correct but the name, email, or pass is incorrect, it returns an error message to the login screen. In that error message, it includes plain text versions of the name, email, and pass. If someone were to log in at a public place (say a cyber cafe), it is possible that someone could read the information and use it maliciously. I would ask that that portion of the error message be removed, as it apparently has been done on the main server's login.

The second thing refers to a more general security hole. Using HTTP for the login page is not ideal. It is entirely possible for someone to intercept a player's login information when it is being sent to the server. This is even more dangerous for those who use the same password for their email accounts. The solution to this is relatively simple.

Have people login using HTTPS. HTTPS will encrypt the data and prevent people who might be searching for user names and passwords from learning your information.

Sounds great right?
Well, there is a downside, and possibly the reason why it has not already been implemented. Most browsers will check with a certificate authority to see if the site that is using HTTPS has registered with them. If not, then the browser will display a warning saying that the certificate is not trusted. Most people who come to the site knowing little about the internet may be scared off by this warning and thus might stop playing.

So ideally, if the Admin were to implement HTTPS, he would pay the fee to get on a certificate authority's list (which may range from 13 USD to 1500 USD per year according to Wikipedia). He could also register with a free certificate authority, but free certificate authorities are not checked by all web browsers, so warning messages will still pop up on a percentage of computers. Lastly, he could implement HTTPS and just assign his own certificates. This means most people would get the warning messages. However, I think the majority of the players will complain (probably in the bugs section) before abandoning gatewars.


I'm against this. Why would anyone go through the trouble of intercepting login information for SGW? For bank details, maybe, but not for a browser game.

SGW already has enough safety measures - referrer checking, overwriting cookies each time you visit main page, etc...

Re: HTTPS for login page

Posted: Sat Nov 07, 2009 11:11 pm
by Dracons
CABAL wrote:I'm against this. Why would anyone go through the trouble of intercepting login information for SGW? For bank details, maybe, but not for a browser game.


Good point, I was reluctant to even post this because that thought crossed my mind while typing it up.

However, it is also true that people tend to reuse passwords and user names quite often. For example, they may use the same password as their Xbox Live account or email. Either of which people could use to do some very bad things.

Of course, that would be the fault of the player and their ignorance. The Admin has no obligation to ensure that players' information is secure in transit. I would not expect that the Admin would be willing to pay for a certificate either. I would just be very happy if the Admin would support HTTPS.

In hindsight, it might be a better compromise to allow for the option to login through HTTPS and keep HTTP as default. If that were the case, then those who do not care about keeping their login information secure could still use the default HTTP while those who were a little more paranoid could use HTTPS. If this system were used, the need to pay for a certificate from a well known certificate authority would be less important.

Re: HTTPS for login page

Posted: Sun Nov 08, 2009 1:49 am
by CABAL
Well, if you do that, admin could just sign his own authentication.

Re: HTTPS for login page

Posted: Sun Nov 08, 2009 2:04 am
by Dracons
True enough. My second post is probably a better all-around solution than my first. Guess I got a little carried away at first. Thanks for pointing out the overcompensation in my first post, CABAL.

Re: HTTPS for login page

Posted: Wed Nov 11, 2009 6:08 am
by Zeratul
The page isn't coded in HTML, it's coded in PHP...

The browser converts the visible parts to HTML, but the real code is still PHP...

Re: HTTPS for login page

Posted: Wed Nov 11, 2009 3:22 pm
by Dracons
HTTP (Hyper Text Transfer Protocol) is not the same thing as HTML (Hyper Text Markup Language). HTML is the data that your web browser puts together to render the web page. HTTP is how that data is transported between the server and your browser. HTTPS (Hyper Text Transfer Protocol Secure) is an encrypted version of HTTP.

Also, the browser does not convert the visible parts of PHP (PHP: Hypertext Preprocessor) to HTML. That would be the server. Then the server sends an HTML page to your browser.

Re: HTTPS for login page

Posted: Wed Nov 11, 2009 4:07 pm
by fourtwozero
HTTPS would be a waste of an investment. The extra security is not worth the cost of setup and maintenance.

It should be up to the user not to use important passwords for something trivial (e.g. this game).

It is a good idea, and in a perfect world it would be viable. But there are many projects I have worked on that are more important than this game, and HTTP served the purpose perfectly well.

Re: HTTPS for login page

Posted: Fri Mar 19, 2010 3:32 pm
by Dracons
Dracons wrote:In the ascended server, when the entry code is correct but the name, email, or pass is incorrect, it returns an error message to the login screen. In that error message, it includes plain text versions of the name, email, and pass. If someone were to log in at a public place (say a cyber cafe), it is possible that someone could read the information and use it maliciously. I would ask that that portion of the error message be removed, as it apparently has been done on the main server's login.


This problem has not been taken care of as of yet. It really just got ignored. Thought I would bump it for awareness' sake.

If it is not going to be fixed, I would appreciate someone telling me as much. That way I can stop bothering people by making such posts as this.

Re: HTTPS for login page

Posted: Sat Mar 20, 2010 6:40 am
by Buddha
Dracons wrote:
Dracons wrote:In the ascended server, when the entry code is correct but the name, email, or pass is incorrect, it returns an error message to the login screen. In that error message, it includes plain text versions of the name, email, and pass. If someone were to log in at a public place (say a cyber cafe), it is possible that someone could read the information and use it maliciously. I would ask that that portion of the error message be removed, as it apparently has been done on the main server's login.


This problem has not been taken care of as of yet. It really just got ignored. Thought I would bump it for awareness' sake.

If it is not going to be fixed, I would appreciate someone telling me as much. That way I can stop bothering people by making such posts as this.


M8, I haven't tested for some time, but I bet that you still can log in with just the first letter of your login name in the username field on both servers.

I haven't checked, though, but that issue has been there for so long that I can remember people not really wanting to write their full username just writing the first letter, then skipping to email and password, where they fill in full information.

But do not count me on that in case it has been fixed.

Re: HTTPS for login page

Posted: Sat Mar 20, 2010 12:27 pm
by Dracons
Nimras wrote:M8, I haven't tested for some time, but I bet that you still can log in with just the first letter of your login name in the username field on both servers.

But do not count me on that in case it has been fixed.


I tested it and it is still a problem.

You can put any substring of the user name that starts with the first letter of the user name in the user name field and it will let you log in as long as a valid email and password that match that substring are provided.

Well, that's a little revealing about how the database is queried.

So that makes two security risks that should be fixed.
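The two defects this post lists, as an added illustration that is not code from the game or from anyone in the thread: a login lookup that only requires the submitted name to be a prefix of the stored one (the behaviour described above), next to a hardened lookup that matches exactly, compares a salted hash in constant time, and returns an error that does not echo the submitted credentials. The table, the sample user and the helper names are constructed for this example.

```python
import hashlib
import hmac
import sqlite3


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 instead of storing the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    # Constructed sample data: one user with a hashed password (not real game data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, salt BLOB, pw_hash BLOB)")
    salt = b"constructed-salt"
    conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                 ("Dracons", "dracons@example.invalid", salt, _hash("hunter2", salt)))
    return conn


def login_prefix_match(conn, name, email, password) -> bool:
    """Flawed lookup of the kind the thread describes: the name only has to be a
    prefix of the stored name, so 'D' or 'Drac' matches 'Dracons' when the
    email and password for that account are supplied."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE name LIKE ? || '%' AND email = ?",
        (name, email)).fetchone()
    return row is not None and hmac.compare_digest(_hash(password, row[0]), row[1])


def login_exact(conn, name, email, password) -> bool:
    """Hardened lookup: exact match on name and email, constant-time hash compare."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE name = ? AND email = ?",
        (name, email)).fetchone()
    # Hash even when no row was found, so timing does not reveal whether the name exists.
    salt, stored = row if row else (b"", b"\x00" * 32)
    return hmac.compare_digest(_hash(password, salt), stored)


def login_message(ok: bool) -> str:
    """Fixed error text: never echoes the name, email or password that was submitted."""
    return "Login successful." if ok else "Login failed: name, email or password incorrect."
```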

Re: HTTPS for login page

Posted: Sat Mar 20, 2010 1:27 pm
by Dubby_CompGamerGeek2
Dracons wrote:
Nimras wrote:M8, I haven't tested for some time, but I bet that you still can log in with just the first letter of your login name in the username field on both servers.

But do not count me on that in case it has been fixed.


I tested it and it is still a problem.

You can put any substring of the user name that starts with the first letter of the user name in the user name field and it will let you log in as long as a valid email and password that match that substring are provided.

Well, that's a little revealing about how the database is queried.

So that makes two security risks that should be fixed.



agreed! :shock:

Re: HTTPS for login page

Posted: Sat Mar 20, 2010 4:42 pm
by CABAL
Dracons wrote:Well, that's a little revealing about how the database is queried.


SQL Injection time! :lol:

Re: HTTPS for login page

Posted: Sat Mar 20, 2010 4:59 pm
by Lithium
By injection you can wipe a lot lol
The game doesn't have any kind of security, it's pure plain text, not protected as I see.
And when people say why bother, then how much is your account worth?
Mine is $400.

Re: HTTPS for login page

Posted: Sun Mar 21, 2010 7:24 am
by Buddha
Lithium wrote:By injection you can wipe a lot lol
The game doesn't have any kind of security, it's pure plain text, not protected as I see.
And when people say why bother, then how much is your account worth?
Mine is $400.


Have you wasted money on this game?

No offense, my account is worth $0 on the fact that I haven't used one dime on the game; it's plain text, not worth it.