Bay 12 Games Forum

Please login or register.

Login with username, password and session length
Advanced search  

Author Topic: Why is Dwarf Fortress still using HTTP?  (Read 1163 times)

bertbarend

  • Escaped Lunatic
    • View Profile
Why is Dwarf Fortress still using HTTP?
« on: April 14, 2019, 12:33:04 pm »

Hello,

I recently started playing Dwarf Fortress and i'm really liking it so far but when I visited the website I asked myself something, Why is HTTP still being used on the website and forums etc?
This is still a major security issue because the data stream can be intercepted, including passwords.

Regards, Bert
Logged

Quietust

  • Bay Watcher
  • Does not suffer fools gladly
    • View Profile
    • QMT Productions
Re: Why is Dwarf Fortress still using HTTP?
« Reply #1 on: April 14, 2019, 07:02:52 pm »

It wasn't too long ago that Let's Encrypt didn't yet exist, and SSL certificates were expensive and troublesome to configure - things have changed since then, but there probably hasn't been an overwhelming desire to update the forums.

I wouldn't characterize it as a "major" security issue, since it's unlikely to be a problem unless you're connected to a public network. Also, the main website doesn't require any credentials at all - only DFFD and the Forums require a login to post, and those credentials probably aren't of extremely high value (and they should be useless everywhere else if you're using unique passwords on every website you visit).

There's also the fact that using SSL results in extra load on the server (since it has to encrypt all of the data it sends you), and it can also prevent the use of CDNs to reduce network traffic. Somebody recently remarked that the Dwarf Fortress Wiki also didn't use HTTPS, and it was explained that the advertisements used on it (which are necessary to fund its continued operation) didn't support it (and thus would have failed to work) - that's currently not an issue with Bay12, but it's still an example of something that could prevent the use of HTTPS.

Note that I'm not trying to suggest that these forums shouldn't use HTTPS, just that there are any number of reasons why they weren't set up that way - it's also possible that Toady wants to use it, but hasn't been able to spend the time necessary to configure it (being busy working on the game itself).
« Last Edit: April 14, 2019, 07:05:16 pm by Quietust »
Logged
P.S. If you don't get this note, let me know and I'll write you another.
It's amazing how dwarves can make a stack of bones completely waterproof and magmaproof.
It's amazing how they can make an entire floodgate out of the bones of 2 cats.

Loci

  • Bay Watcher
    • View Profile
Re: Why is Dwarf Fortress still using HTTP?
« Reply #2 on: April 15, 2019, 09:00:27 pm »

Why is HTTP still being used on the website and forums etc?

Well, first off bay12games is already available over SSL:

https://www.bay12games.com/

Your browser will likely post a warning because the certificate is untrusted and expired, or it may claim the site is "unavailable" for your "safety". The forums, however, do not support SSL (which is rather backwards, really).

More to the point, though, compulsory encryption has drawbacks. In addition to those mentioned by Quietust, it breaks support for old browsers without the latest-and-greatest security protocols, like old tablets and cell phones. While that is understandable for a site that actually *needs* security, it's quite frustrating when sites demand top-quality encryption to display public information with no realistic risk. Browsers also tend to post annoying warnings when "insecure content" is included in a "secure" page--like pictures included in a forum post. 

Logged