site-wide SSL (Locked)
Oct 1 2011

Please provide site-wide usage of SSL (https). This has two benefits:

  1. Users would no longer be vulnerable to session hijacking, such as from Firesheep, which they currently are.
  2. Most firewalls/internet filters don't block SSL traffic so this would let users browse Desura's website from work/school.

More information on how vulnerable your users are is available here: Eff.org

Oct 1 2011

Don't you find it strange that the site that makes FireSheep doesn't use HTTPS? EFF doesn't use HTTPS either. :flame: All you need to install then is a keylogger to get users' name/password and the people most vulnerable to hacks are the ones who go to questionable sites. Questionable being ones that normally do warez & porn.

--

Go play some Quake 2: q2server.fuzzylogicinc.com
It's like Source v0.9, only... better!
Play Paintball for Doom 3!: d3server.fuzzylogicinc.com
Doom 3 Paintball to the Max!

Greg
Greg Network Engineer
Oct 1 2011

Sitewide SSL is good in theory, but it has drawbacks:

1) We would need to effectively double the number of servers we have and also purchase SSL accelerator cards because serving things like media via SSL is painfully slow and heavy on CPU. Yes, I've read the comments on the Firesheep page saying Google implemented it site wide with no impact, but unfortunately we do not have the resources of Google to implement and code our own SSL engines.
2) Users would experience significant slowness on our site compared with non-SSL browsing. Not everyone uses Google Chrome with the enhanced SSL speedups.
3) The Desura/moddb login systems and cookies are all encrypted and also have additional security features such as crumbs - I just tested the Firesheep tool on my home network and it was unable to intercept a desura/moddb cookie.

Edited by: Greg

--

Greg
DBolical Network Engineer

Oct 1 2011

@TheHappyFriar: No, it is not strange because you are wrong. They both support SSL (https) as you can see:

thatdude wrote: More information on how vulnerable your users are is available here: Eff.org

The hyperlink takes you to an https website.
And Firesheep has one too here: https://codebutler.com/firesheep
Though it will generate a warning because it was assigned for *.posterous.com & posterous.com instead of the domain that is using it. It will still allow for encrypted communication even though it isn't needed because they don't sell anything or have users with accounts to login to, unlike Desura.

Maybe try following links in posts to see what they are about before you make blind accusations.

Also SSL isn't supposed to stop keylogging, it is session hijacking, meaning more or less internet identity theft. Please also learn meanings of terms before again, making up junk.

EDIT: Thanks for the feedback Greg, I'm glad to see at least this issue was considered by Desura. Hopefully when you guys grow in the future you guys can make the change so I can browse from work :)

Edited by: thatdude
