Posted March 25, 2016 I was just renewing and noticed that the website shop is still lacking a secure connection, which carries a risk, though probably low, of account theft via man-in-the-middle attacks (PayPal details are safe but not game accounts). Searching doesn't reveal exactly who is in charge of website/webserver maintenance, but whoever it is might be interested in https://letsencrypt.org/. It allows you to set up FREE automatic security certificates for almost any webserver that can prove it controls the domain name (e.g. http://shop.wurmonline.com) and could be used to secure all the sites. I'm assuming that there is not a current security certificate due to the costs of obtaining one.
Posted March 25, 2016 (edited) When I reported this a year ago I got an answer which was: Quote: We are no idiots!... But it hasn't been fixed yet, so wonder wonder... Edited March 25, 2016 by Sklo:D
Posted March 25, 2016 It gets even worse than that! The .jnlp is also only available via http.
Posted March 25, 2016 Try to log in a few times with a wrong password; guess what, there is almost no brute force protection at all. This is why I increased all my Wurm passwords to over 20 characters.
Posted March 25, 2016 Try to log in a few hundred times with wrong passwords; guess what, there is almost absolutely no brute force protection at all. Personal experience.
Posted March 25, 2016 Just saying, considering how easy it is for anyone with half a brain to do a brute force attack, this topic should probably be hidden until at least noticed by GMs. My suggestion thread was hidden within minutes of me posting it just because of who I am. This thread could actually cause monetary damages, and actual in-game consequences, to anyone who is a victim of a brute-force attack from the shop. Unless it's entirely intended, which is a different matter altogether.
Posted March 25, 2016 1 hour ago, SkirmishesThreadOnly said: Just saying, considering how easy it is for anyone with half a brain to do a brute force attack, this topic should probably be hidden until at least noticed by GMs. My suggestion thread was hidden within minutes of me posting it just because of who I am. This thread could actually cause monetary damages, and actual in-game consequences, to anyone who is a victim of a brute-force attack from the shop. Unless it's entirely intended, which is a different matter altogether. I've emailed Rolf about this stuff before and couldn't convince him to make any changes.
Posted March 25, 2016 (edited) The thing about Let's Encrypt and the ACME protocol it uses is that after install it's almost completely automatic for anyone with full control of their Apache webserver, and highly automated for most other cases. Even done manually it only takes ~5-10 mins every 3 months for each domain. 6 hours ago, asdf said: It gets even worse than that! The .jnlp is also only available via http. The .jnlp are signed so that's less of an issue, as Java will get upset if someone tries to replace it with something else without a reliable signature; https doesn't exactly protect downloads in a way that can't be got around. Edited March 26, 2016 by fireblade
Posted March 26, 2016 Please fix this, Code Club; it's inexcusable at this point. You can't be lazy with such things, seriously unacceptable.
Posted March 29, 2016 (edited) Reasonable, but doesn't help against man-in-the-middle attacks (interception), which https (encryption) protects against. The only advice at the moment that will help protect against that is: don't use open wifi, or any network where you wouldn't give any user on it your password, when paying for any premium or silver coin. Edited March 29, 2016 by fireblade
Posted March 31, 2016 Looks as if somebody has added a self-signed cert to the shop... GET A PROPER CERT, it is not difficult. And with Let's Encrypt it is both free, and the renewals can be automated...
Posted March 31, 2016 You can't even use https with the shop; it seems that the server has some default options enabled. Even if you were able to use this certificate, it would be useless anyway... Not trusted.
Posted April 5, 2016 I was just about to make a thread about the certificates for www.wurmonline.com, forum.wurmonline.com, and shop.wurmonline.com having various problems, as I tried to sign onto the shop site using HTTPS and encountered certificate errors. Lo and behold, this is a known issue and there's already an active thread. Nice! According to what my web browser has to say about it:
Quote: forum.wurmonline.com uses an invalid security certificate. The certificate is only valid for dojo.asianefficiency.com
Quote: shop.wurmonline.com uses an invalid security certificate. The certificate is not trusted because it is self-signed.
Quote: www.wurmonline.com uses an invalid security certificate. The certificate is only valid for the following names: *.your-server.de, your-server.de
The shop.wurmonline.com problem is obviously the most egregious, both in the certificate error and its implications. This is, of course, abjectly unprofessional and inexcusable. While the payment systems themselves may be secure (I can't really tell at the moment), none of the website's subdomains appear to be. In addition, if there seriously is no brute-force protection whatsoever in the Wurm Shop, this would make it extremely trivial for pretty much anyone to take control of pretty much anyone else's account. Even if they can't get at that person's financial data, some people's accounts have control of in-game currency and assets worth hundreds of dollars, not to mention the griefing potential. It's 2016, Code Club. None of this is acceptable, and I really hope it doesn't take a serious security breach or accounts being stolen for them to realize it and do something. However, when this inevitably does happen, at least nobody with control over this will be able to claim ignorance.
Code Club: If you want people to sink money into your game, please give them at least a little peace of mind that some idiot script kiddie can't brute-force their password using a Tor client/VPN and a bare minimum of effort.
Posted April 5, 2016 Hi all, I've raised this with Rolf, and while there is more backend security (and of course total payment security), we could do a little more in correcting the certificates and setting up https. We'll look at implementing that over the next few weeks. The delay isn't in acquiring the certificate, but in setting up the webservers appropriately. Rest assured, though, we will be improving this.
Posted April 5, 2016 Little security hint: Captcha!!!!
Posted April 5, 2016 1 hour ago, Sklo:D said: Little security hint: Captcha!!!! Certainly a step in the right direction. And thanks for the response to this, Retrograde.
Posted April 5, 2016 (edited) The client itself has no brute force protection either, though, and made it really easy to write 'hash' crackers even before the 'hash' function was provided to us with the release of Wurm Unlimited. I was able to do unlimited failed login attempts to observe the output of the 'hash' function in password.txt and write a program to decode hashes based on the results, so I then sent the program and an explanation of how it worked/how it was made to Rolf, urging him to make changes to the hashing function and the ability to repeatedly try wrong passwords to learn about the hash function. This was over a year ago and I emailed him a few more times about this after Wurm Unlimited was released. Each time his response was essentially that it's inevitable that people will be able to brute force passwords, so there's no point in doing anything to improve security. Simply changing the hash function, as well as making it actually use your username as a key like it's supposed to, would break all current hash crackers, and then temporarily blocking you after x number of failed login attempts would limit users' access to the hash function so that even if they did want to make a table of all the possible hashes, it would take a very long time and only be relevant to the one specific username that they were trying it for. It's been over a year though and each time I suggested this stuff to Rolf he turned it down, so I really doubt any change will be made, unless of course publicly posting it like this will spur him into making the proper account security changes. (In which case I'll actually have to start remembering my own passwords instead of just cracking my hash each time I go to buy premium lol) Edited April 5, 2016 by Alexgopen
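The two mitigations the posts above keep asking for, a password hash bound to the username and a temporary block after a fixed number of failed logins, fit in a few lines; this is an added example written for this thread, not Code Club's or Wurm's code, and MAX_FAILURES, LOCKOUT_SECONDS, the PBKDF2 parameters and the LoginGuard class are assumptions.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

MAX_FAILURES = 5        # failed attempts tolerated inside the window (assumed policy)
LOCKOUT_SECONDS = 900   # how long the account stays blocked after that (assumed policy)
_DUMMY_SALT = os.urandom(16)  # used so unknown usernames cost the same as real ones


def hash_password(username: str, password: str, salt: bytes) -> bytes:
    """Derive a key from the password with the username mixed in, so a table of
    hashes built for one account says nothing about any other account."""
    material = username.lower().encode() + b"\x00" + password.encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)


class LoginGuard:
    """Toy account store with a per-username temporary lockout (constructed example)."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                  # injectable so tests can move time forward
        self.users = {}                     # username -> (salt, derived key)
        self.failures = defaultdict(list)   # username -> timestamps of recent failures

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(username, password, salt))

    def is_locked(self, username: str) -> bool:
        now = self.clock()
        recent = [t for t in self.failures[username] if now - t < LOCKOUT_SECONDS]
        self.failures[username] = recent    # forget failures older than the window
        return len(recent) >= MAX_FAILURES

    def attempt(self, username: str, password: str) -> str:
        """Return 'locked', 'ok' or 'denied'. A locked account rejects even the right
        password, which is what makes repeated guessing slow for one username."""
        if self.is_locked(username):
            return "locked"
        salt, expected = self.users.get(username, (_DUMMY_SALT, None))
        derived = hash_password(username, password, salt)   # same work for unknown users
        if expected is not None and hmac.compare_digest(derived, expected):
            self.failures[username].clear()
            return "ok"
        self.failures[username].append(self.clock())
        return "denied"
```

A captcha or per-source-IP throttle would sit in front of this, since the per-username counter alone does nothing against one guess each spread over many accounts.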
Posted April 6, 2016 All forms of payment (the shop) are in ssh; however, the shop is nested inside the page, so you do not see the "https" secure link. As far as the account username/password goes, Keenan and I are both looking at the Web/Client side of things to get some ideas on how to proceed forward and make the Web/Client more secure.