HTTPS browsing of the whole site completed
GUUD !!
All announcement pages still have direct links to insecure http.
Yes... added security would be good... not that it will be foolproof, but at least the noob hackers can be driven out that way.
The entire GOG website appears to be https now I believe. I do use HTTPS Everywhere mind you, so I can't rule out https pages containing http links. If there are any though they could fix them all simply by changing all "http://" and "https://" in their page code to just "//:" and let the server/browser sort it out automatically the modern 2015 way. :)
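The two comments above (announcement pages linking to http, and rewriting hard-coded scheme prefixes) are easy to check mechanically: scan the page source for every reference that resolves to an http URL. The scanner below is an added example, not GOG's code; the HTML and the example.com hosts in it are constructed. It also shows what the protocol-relative form the commenter has in mind actually does: a `//host/path` reference inherits the page's own scheme, so it only helps once the page itself is served over https.

```python
"""Find references that a page would load or link over plain HTTP.

Added example, not GOG's code: the HTML and the example.com hosts below are
constructed so the scanner runs offline.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that fetch a sub-resource, grouped by how a browser
# treats them when the page is https but the reference is http.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"),
          ("embed", "src"), ("form", "action")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}
NAVIGATION = {("a", "href")}  # not mixed content, but a downgrade to http


class MixedContentScanner(HTMLParser):
    """Collect every reference whose resolved URL uses the http scheme."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, resolved_url) in document order

    @staticmethod
    def _classify(tag, attr, attrs):
        if tag == "link" and attr == "href":
            # A stylesheet is active content; an icon or prefetch is passive.
            return "active" if "stylesheet" in attrs.get("rel", "").lower() else "passive"
        if (tag, attr) in ACTIVE:
            return "active"
        if (tag, attr) in PASSIVE:
            return "passive"
        if (tag, attr) in NAVIGATION:
            return "navigation"
        return None

    def handle_starttag(self, tag, attrs):
        attrs = {k: v for k, v in attrs if v is not None}
        for attr, value in attrs.items():
            kind = self._classify(tag, attr, attrs)
            if kind is None:
                continue
            # urljoin resolves "/x", "x" and "//host/x" against the page URL,
            # so a protocol-relative reference takes the page's scheme.
            resolved = urljoin(self.page_url, value)
            if urlsplit(resolved).scheme == "http":
                self.findings.append((kind, tag, resolved))


def scan_mixed_content(html, page_url):
    """Return [(kind, tag, url)] for every http reference found in html."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page: one hard-coded http stylesheet, a protocol-relative script,
# an http image, an http form target, an http link and a relative script.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://static.example.com/site.css">
<script src="//cdn.example.com/app.js"></script>
</head><body>
<img src="http://static.example.com/logo.png">
<form action="http://www.example.com/login" method="post"><input name="u"></form>
<a href="http://www.example.com/news">news</a>
<script src="/js/local.js"></script>
</body></html>"""

if __name__ == "__main__":
    for page_url in ("https://www.example.com/", "http://www.example.com/"):
        print(f"== page served at {page_url}")
        for kind, tag, url in scan_mixed_content(SAMPLE_PAGE, page_url):
            print(f"{kind:10} <{tag}> {url}")
```

Active content (scripts, stylesheets, frames, form targets) is what browsers block or warn about on an https page; passive content such as images is merely loaded insecurely; a plain http link is the downgrade the announcement-page comment describes. Run against the http version of the same page the protocol-relative script is flagged too, which is why writing `https://` explicitly is the simpler fix today.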
I was really shocked to see neither https nor checksums properly implemented. You can manually obtain the xml with the md5 checksum but even that file can only be retrieved over http.
I'm using NoScript to enforce https on this site, which works fine. HTTPS Everywhere and similar tools should work as well.
The site should be https _by default_, however (if it isn't already, idk).
This is a no brainer.
This page is https for me. I am logged in, and all GOG pages open with “https://” in front.
It still uses some insecure content, but blocking it doesn't break the site.
Yes definitely!
HTTPS is becoming standard. Please be ahead of the curve GOG!
HTTPS doesn't work anymore on the main page, only the forums and account. It never worked very well but now it doesn't work at all.
Mozilla phases out insecure HTTP: blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/
Come on GOG, it's a prime time to fix this mess.
Chrome will eventually start marking HTTP sites as insecure (see [1]) and it's likely that other browsers will follow suit.
[1] www.chromium.org/Home/chromium-security/marking-http-as-non-secure
This should be in the technical requests section...
Oh right! There is none! We need a technical requests section, so these and less known technical requests don't get swamped.
So vote for the request I added: "Add a technical feature-request section! For crowdsourcing development!"...
You can use HTTPS Everywhere and a VPN (Private Internet Access is the best) to improve your security. GOG seems to have its fair share of online tracking :(
I'll just leave it here, www.httpvshttps.com/ - HTTP/2 is coming :D
It really shouldn't be that hard to fix. Why is this still broken?
Google changed their ranking algorithm recently, adding HTTPS to pages will also boost their Google ranking a little. (https://googlewebmastercentral.blogspot.com/2014/08/https-as-ranking-signal.html)
It's better now, but still quite broken.
Sadly, the majority of SSL enabled websites on the web are insecure (Reference: www.trustworthyinternet.org/ssl-pulse/ ), which I believe is because the sites are more or less set up once to run and then focus is placed on maintaining content with security being an afterthought, and SSL being seen as a magic bullet of protection just to have it at all (whether or not it is set up correctly or properly secured). In addition, new threats appear all the time and if someone is not monitoring the security mailing lists and staying on top of security technology they aren't going to be noticing just how insecure their SSL deployment is or doing anything about it until *after* a major security breach of customer information/account credentials occurs. We see this time and time again online with even the largest of corporations, such as the recent Target franchise breaches and theft of credit card info.
It's sad to say but the majority of SSL enabled websites online are SSL security theatre, with no actual security, and both webmasters and even end customers alike will downplay the actual security threats due to lack of understanding of what they actually are. The SSL Pulse website I linked to above intends to help correct this problem over time via educating people of the actual real world threats out there.
Man in the middle attacks against SSL aren't new, but it seems that webmasters are practically unaware the attacks exist at all, or they just can't see in their own minds how someone could successfully carry one out, thinking there are only limited situations in which one would be in the position to even do an MITM attack. This doesn't match reality however, as just about everyone and their brother uses portable devices over WIFI in public places these days, which presents a huge threat enabling just about anyone to do MITM attacks against unsuspecting victims as was demonstrated against Facebook and other big sites a few years ago and ultimately led to them SSL enabling the entire site (properly) and making it the default. Tor users and users of proxies are also prime targets for MITM attacks with or without SSL. Look at the percentage of SSL enabled webservers out there that are still to this day vulnerable to the BEAST attack now several years since it was disclosed, with seemingly nobody who runs an SSL enabled site caring whatsoever.
So the GOG website's SSL deployment is rather deplorable and insecure but the majority of the Internet is in just as bad or worse of a state sadly. Log into Steam and watch it redirect you to non-SSL pages that can have the credentials hijacked also.
It's disconcerting that this is the case, but ultimately what is going to happen is that one website at a time, people of malicious intent are going to hijack the sessions of people (whether or not those people or the website administrators are aware of the problem or even care) and they will cause data breaches to occur. Those breaches will hit the mainstream media giving the site in question a huge black eye. They'll lick their wounds, hire security consultants to fix the problems post-facto and hopefully get it right, with some nice battle scars to impress the ladies with later on.
I dunno how informed the GOG admins are, or if it's just a case of too much work too little time, but hopefully they sort this out sooner rather than later. Hopefully Valve sorts it out on Steam too.
I'm not so sure about the statements that "full HTTPS would not be required/overkill and be a performance hit", see: www.troyhunt.com/2011/11/owasp-top-10-for-net-developers-part-9.html (especially the lower third of the page regarding unsecured entry and redirect risks, the HSTS initiative and Google's performance statement)
@HGiles. I was thinking it was just me. I had GOG enabled in HTTPSEverywhere with a custom rule, but now I need to disable it to login. :-(
GOG did have a semi-secure version of the site, but the new sale has now broken it. Dang it GOG, what are you thinking? You can code better than this.
This is more important than ever and I hope the GOG team will devote some resources to make the whole GOG website accessible via HTTPS.
As I think we're all learning, being able to keep data off other people's servers is actually important. :)
The session cookie is sent in plain text. Having the cookie is just as good as having your login, so anyone who sees your network traffic can gain access to your account (lan arp spoofing, wifi hotspot sniffing). To prove my point, I hijacked my session just by ctrl+c ctrl+v-ing the two gog cookies into another browser, giving direct access to my account. My browser does not support HTTPS-Anywhere, so it would be nice if going manually to secure.gog.com would make all the links stay on secure.gog.com.
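The replay the commenter describes works because a browser attaches a cookie to every request that matches its Domain and Path, regardless of scheme, unless the cookie carries the Secure attribute. The script below is an added example, not GOG's code; the example.com Set-Cookie headers are constructed. It audits the cookie attributes and models, in simplified RFC 6265 terms, which cookies would travel in clear text on an http request, which is exactly what an ARP-spoofing or hotspot sniffer gets to copy.

```python
"""Audit Set-Cookie attributes and model which cookies a browser would put on
a plain-HTTP request, i.e. which ones a passive sniffer on the path could copy.

Added example, not GOG's code: the example.com cookie headers are constructed.
"""
from urllib.parse import urlsplit

# Constructed headers: what a site that has not hardened its cookies sends,
# and the same cookies with the attributes a hardened deployment would add.
PLAIN_HEADERS = [
    "sessionid=abc123; Path=/; Domain=.example.com",
    "remember=xyz789; Path=/; Domain=.example.com",
]
HARDENED_HEADERS = [
    "sessionid=abc123; Path=/; Domain=.example.com; Secure; HttpOnly; SameSite=Lax",
    "remember=xyz789; Path=/; Domain=.example.com; Secure; HttpOnly; SameSite=Lax",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True  # flags -> True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit(header):
    """Return the attributes a session cookie should carry but does not."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if not attrs.get("secure"):
        findings.append("missing Secure")      # sent on http:// requests too
    if not attrs.get("httponly"):
        findings.append("missing HttpOnly")    # readable by injected script
    if "samesite" not in attrs:
        findings.append("missing SameSite")    # attached to cross-site requests
    return findings


def _domain_matches(cookie_domain, host):
    cookie_domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def browser_would_send(cookie, url, set_by="www.example.com"):
    """Simplified RFC 6265 matching: domain, then path, then Secure.

    set_by is the host that issued the cookie and only matters for host-only
    cookies (no Domain attribute). Assumption: the cookie has not expired.
    """
    parts = urlsplit(url)
    attrs = cookie["attrs"]
    host = parts.hostname or ""
    domain = attrs.get("domain")
    if domain:
        if not _domain_matches(domain, host):
            return False
    elif host.lower() != set_by.lower():
        return False
    if not (parts.path or "/").startswith(attrs.get("path", "/")):
        return False
    if attrs.get("secure") and parts.scheme != "https":
        return False
    return True


def sniffable_cookies(headers, url):
    """Names of cookies that would travel in clear text on a request to url."""
    if urlsplit(url).scheme != "http":
        return []
    return [c["name"] for c in map(parse_set_cookie, headers)
            if browser_would_send(c, url)]


if __name__ == "__main__":
    target = "http://www.example.com/account"
    for label, headers in (("plain", PLAIN_HEADERS), ("hardened", HARDENED_HEADERS)):
        for h in headers:
            print(f"{label}: {parse_set_cookie(h)['name']}: {audit(h) or 'ok'}")
        print(f"{label}: visible to a sniffer on {target}: {sniffable_cookies(headers, target)}")
```

Secure keeps the session cookie off plain-HTTP requests, but on its own it leaves logged-in users with a broken site if those pages are still served over http, which is why it has to be paired with serving everything over https; HttpOnly only matters against script access, not against a network observer.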
For the "Why?" questions; quite a lot of us live in countries where ISPs are required by (misguided) law to log all activity (actually only metadata, like what page was requested). Thus, https or vpn servers in different countries are required for basic privacy when browsing the web.
While gog isn't exactly a high-value target, there are countries that habitually use man-in-the-middle attacks to identify users making anonymous posts to websites. This is also defeated by both https and vpns.
While the vpn solution works great for anyone sufficiently capable and competent to use it, https on web pages ensures privacy (to the extent it is practical) for any user of the site.
Like testtest says, there's no need for encryption over every single page. Not to mention it disallows the use of caching at all levels of page retrieval: database, server, proxies and browser. This would create a huge and entirely unnecessary load on gog's website.
It looks like GOG is moving forward with this. The new secure.gog.com is a great step, but so far is only available for certain sections (Account, main page). If at some point everything done while logged in is encrypted, I'll be very thankful. And for those who think that https everywhere is unneeded or overkill for servers, you might want to read about the subject. The extra load is not that significant and the main benefit is that your session cookies are no longer sent around in the clear. Even if they are ciphered when sent to GOG, giving access to static information containing your personal data could compromise it. People not worried about those issues can use the regular site and not suffer any response delays, but I'd rather have all my pages secured in 10 seconds than plain text in 2. arstechnica.com/business/2011/03/https-is-more-secure-so-why-isnt-the-web-using-it/
Maybe not the whole site (which would be awesome), but at least set https as mandatory for login (which actually is not, and this is a huge security hole)
https is CPU-bound, both for your computer and GOG's servers. AFAIK all crucial data is being sent via the https protocol; I can see the secure.gog.com domain. IMO there is no need to allow https on every URL.
I don't think the store-browsing portion would benefit anything from a secure connection... And forum threads are publicly available anyway so securing that makes no sense; also the PM system already uses HTTPS. So in general anything that you want to do in private on gog.com is already secured. If you are afraid someone does XSS then that would be a browser problem... someone will try to hijack a store page in a man-in-the-middle attack? An adversary might as well opt to hijack your entire DNS request for gog.com since DNSSEC isn't supported by most DNS zones. So that wouldn't make anything more secure...
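On the cost and caching objections raised in the last few comments: the usual deployment terminates TLS once at a proxy, answers the first plain-http request with a redirect, sends HSTS so the browser never tries http for that host again, and still lets public static assets be cached by the browser. The WSGI handler below is an added example, not GOG's code, with an in-process harness so it runs without a network; the example.com host and the X-Forwarded-Proto handling are assumptions noted in the comments.

```python
"""Redirect plain-HTTP requests to HTTPS, send HSTS on HTTPS responses and
keep static assets cacheable.

Added example, not GOG's code: a minimal WSGI app plus an in-process test
harness. Assumptions are marked in comments.
"""
from wsgiref.util import setup_testing_defaults

# One year, covering subdomains, so after the first https visit the browser
# rewrites any http:// URL for this host to https:// before sending it.
HSTS = "max-age=31536000; includeSubDomains"


def effective_scheme(environ):
    """Scheme as seen by the client.

    Assumption: the app runs behind a TLS-terminating proxy that sets
    X-Forwarded-Proto and strips any copy of that header sent by the client.
    Without that guarantee a client could spoof the header and skip the redirect.
    """
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO")
    return (forwarded or environ.get("wsgi.url_scheme", "http")).lower()


def app(environ, start_response):
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = environ.get("PATH_INFO") or "/"
    query = environ.get("QUERY_STRING", "")

    if effective_scheme(environ) != "https":
        # 301 is fine for GET; a login POST arriving here has already leaked
        # its body, which is why the form itself must never be served over http.
        target = f"https://{host}{path}" + (f"?{query}" if query else "")
        start_response("301 Moved Permanently",
                       [("Location", target), ("Content-Length", "0")])
        return [b""]

    headers = [("Content-Type", "text/plain; charset=utf-8"),
               ("Strict-Transport-Security", HSTS)]  # only meaningful over https
    if path.startswith("/static/"):
        # TLS does not stop the browser from caching public assets; only
        # middleboxes that cannot see inside the connection lose that ability.
        headers.append(("Cache-Control", "public, max-age=86400"))
        body = b"static asset\n"
    else:
        # Pages that carry the session must not be cached anywhere.
        headers.append(("Cache-Control", "no-store"))
        body = b"account page\n"
    headers.append(("Content-Length", str(len(body))))
    start_response("200 OK", headers)
    return [body]


def call(scheme, host, path, query="", forwarded_proto=None):
    """Invoke app with a synthetic GET; returns (status, headers dict, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update({"REQUEST_METHOD": "GET", "wsgi.url_scheme": scheme,
                    "HTTP_HOST": host, "PATH_INFO": path, "QUERY_STRING": query})
    if forwarded_proto:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for req in [("http", "www.example.com", "/account", "tab=orders", None),
                ("https", "www.example.com", "/account", "", None),
                ("https", "www.example.com", "/static/logo.png", "", None),
                ("http", "www.example.com", "/account", "", "https")]:
        status, headers, _ = call(*req)
        print(req[0], req[2], "->", status, headers.get("Location", ""),
              headers.get("Strict-Transport-Security", ""), headers.get("Cache-Control", ""))
```

The redirect costs one extra round trip per browser, once; after that HSTS removes the plain-http request entirely, so the steady-state cost is the TLS handshake at the proxy rather than any change to the application's own caching.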
Lovely idea, it would cause me to recommend GoG even more and I know a few folks who might support GoG over other services for a move like this.
Especially the login should be protected by https.
The problem is that GOG has no HTTPS version of most pages, so using one of those extensions is futile in here. Those extensions try to translate all http requests to the secure equivalent, which just isn't there.
You can force sites to always use HTTPS by creating a rule in this Firefox and Chrome extension: https://www.eff.org/https-everywhere. I haven't tried making a rule for GOG.com myself though, and as the extension's FAQ explains, the site has to already have a certain level of HTTPS support for the extension to work.
Why not? It's a simple change and it provides better security. Remember that everything you browse over http (not https) is transmitted in clear text.
Why?
39 comments about this wish