Ostentatio

HTTPS still broken in general (except for store)


I don't know whose job this is, but I noticed HTTPS is still broken on most Wurm-related websites, although store.wurmonline.com is fine:

 

  • www.wurmonline.com
    • Wrong subject name(s) specified in certificate
    • Quote

      The certificate is only valid for the following names: *.your-server.de, your-server.de

       

  • forum.wurmonline.com
    • Certificate expired a month ago
    • Quote

      The certificate expired on Sunday, January 01, 2017 11:38 PM. The current time is Tuesday, January 31, 2017 3:33 PM.

       

  • www.wurmpedia.com
    • Wrong subject name(s) specified in certificate, and the ones specified compose a distressingly broad and varied list. What is even happening here? Is the web host using the same certificate for a bunch of hosted websites or something?
    • Quote

      The certificate is only valid for the following names: <EDIT BY O.P.: removed list of domain names since some are weirdo European porn and/or prostitution websites>

       

Edited by Ostentatio
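The two failure modes reported above (a certificate whose names do not cover the host, and a certificate past its expiry date) can be checked mechanically. The following is an added example, not part of the original post; the sample certificates are constructed in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, and the function names, the first `notAfter` value and the GMT time zone are assumptions.

```python
import ssl
from datetime import datetime, timezone

def san_dns_names(cert):
    """DNS entries from the subjectAltName of a getpeercert()-style dict."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, host):
    """RFC 6125-style match: '*' may only replace the whole left-most label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def diagnose(cert, host, now):
    """List the problems a browser would report for `host` at time `now`."""
    problems = []
    names = san_dns_names(cert)
    if not any(name_matches(n, host) for n in names):
        problems.append("name mismatch: valid only for " + ", ".join(names))
    expiry = ssl.cert_time_to_seconds(cert["notAfter"])
    not_after = datetime.fromtimestamp(expiry, timezone.utc)
    if now > not_after:
        problems.append("expired %d days ago" % (now - not_after).days)
    return problems

# Constructed samples. Names and the expiry date follow the browser errors
# quoted in the post; the first notAfter and the GMT zone are assumptions.
WRONG_NAME_CERT = {
    "subjectAltName": (("DNS", "*.your-server.de"), ("DNS", "your-server.de")),
    "notAfter": "Dec 31 23:59:59 2017 GMT",
}
EXPIRED_CERT = {
    "subjectAltName": (("DNS", "forum.wurmonline.com"),),
    "notAfter": "Jan  1 23:38:00 2017 GMT",
}
NOW = datetime(2017, 1, 31, 15, 33, tzinfo=timezone.utc)

if __name__ == "__main__":
    for host, cert in (("www.wurmonline.com", WRONG_NAME_CERT),
                       ("forum.wurmonline.com", EXPIRED_CERT)):
        print(host, diagnose(cert, host, NOW) or "ok")
```

Run on a schedule against each public hostname, a check like this flags an approaching or missed renewal before visitors see a browser warning.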
16 minutes ago, Ersitu said:

*whistles nonchalantly* https://certbot.eff.org/

 

forum.wurmonline.com actually already uses a Let's Encrypt certificate; it's just been allowed to expire approximately a month ago.


Certbot is awesome because it renews it so easily. Even I can do it! :o


Please take a look at this. Security should be treated as a highly important issue and these are fairly trivial to fix.

Edited by Chakron

15 hours ago, Ostentatio said:

and the ones specified compose a distressingly broad and varied list. What is even happening here? Is the web host using the same certificate for a bunch of hosted websites or something?

 

It goes through a CDN (Content Distribution Network), namely those guys, and likely the CDN is issuing a certificate for a set of its customers so that it can serve their requests from the same frontend IPs.

 

It's likely misconfigured, not malicious.

7 hours ago, bdew said:

 

It goes through a CDN (Content Distribution Network), namely those guys, and likely the CDN is issuing a certificate for a set of its customers so that it can serve their requests from the same frontend IPs.

 

It's likely misconfigured, not malicious.

 

Yeah, I didn't mean to imply that it was malicious. It just seems like a weird practice, but I don't know enough about web administration to say.


www.wurmonline.com now uses https, the forums will be coming soon now that we host them ourselves.


Thanks. Note that https://www.wurmonline.com still will not display as a secure website in most browsers because many assets are being served via HTTP. Not a real issue but probably good to fix that to have a good customer-facing experience.

 

I am more concerned about the forums because credentials are actually transferred there. The sad truth is many players probably use the same password for their forum account and game account. I'd argue it's an equal risk as shop.wurmonline.com (which does use HTTPS).

Edited by Chakron

While the risk may seem low, setting up HTTPS is trivial and I cannot overstate how careless you are being by not addressing this issue promptly.

5 hours ago, Chakron said:

While the risk may seem low, setting up HTTPS is trivial and I cannot overstate how careless you are being by not addressing this issue promptly.

 

Is it low priority for Code Club? Or does each employee have to juggle several roles, leaving little time for "low priority" tasks? How does a video game company work? 

/Clueless and curious
