
Redirect HTTP to HTTPS

Discussion in 'Suggestion Box' started by Daerandin, Nov 22, 2020.

  1. Daerandin

    Daerandin Well-Known Member

    Joined:
    Oct 18, 2013
    Messages:
    1,001
    Likes Received:
    179
    Trophy Points:
    63
    Location:
    Northern Norway
    I have noticed that this website does not automatically redirect to the https version of the website. I don't know if this is by design, leaving it up to the users if they wish to visit the website over plaintext or not, but it is common practice to automatically redirect to https as long as it is available.

    A lot of users might not even be aware of this, and if they log in over http then their password is sent as plaintext, and easily intercepted.
    booman likes this.
  2. booman

    booman Grand High Exalted Mystic Emperor of Linux Gaming Staff Member

    Joined:
    Dec 17, 2012
    Messages:
    7,844
    Likes Received:
    562
    Trophy Points:
    113
    Location:
    Linux, Arizona
    Thanks for the heads up Daerandin!
    I will contact Gizmo and see if he can set up HTTPS in the DNS hosting for us.
    Daerandin likes this.
  3. Gizmo

    Gizmo Chief Site Administrator Staff Member

    Joined:
    Dec 6, 2012
    Messages:
    2,083
    Likes Received:
    128
    Trophy Points:
    63
    Location:
    Webb City, Missouri
    Daerandin,
    Thanks for your observations.

    1st, GOL doesn't send unencrypted passwords, whether you are using HTTP or HTTPS. This has been true for many years, and was true of AOA as well. We compute a salted hash in the browser, and exchange that with the server.
    2nd, as you guess, we have left the use of HTTP or HTTPS at the user's discretion up to this point.

    As you point out, it's probably time to revisit that policy.
    Daerandin likes this.
  4. Daerandin

    Daerandin Well-Known Member

    Great to hear that passwords are handled by JavaScript before being sent over the net. Personally I have no issues with regular old HTTP being available as long as there are no plaintext passwords being sent.
  5. booman

    booman Grand High Exalted Mystic Emperor of Linux Gaming Staff Member

    Thanks for taking a look at this Gizmo!
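
An added example, not part of the thread and not GOL's code: post 3 says the browser sends a salted hash instead of the password, so this sketch models two ways such a login could work and checks what happens when the exact bytes that crossed the wire are submitted a second time. Both schemes, the class names, the salt and the password are assumptions made for illustration; the thread does not say which scheme the site uses.

```python
import hashlib, hmac, secrets

# Constructed sample account; salt and password are made up for this example.
SALT = b"constructed-salt"
PASSWORD = "correct horse battery staple"

def client_hash(password: str, salt: bytes) -> bytes:
    """What the browser would compute: a salted hash of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def respond(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Browser side of scheme B: key an HMAC over the nonce with the salted hash."""
    return hmac.new(client_hash(password, salt), nonce, hashlib.sha256).digest()

class StaticHashServer:
    """Assumed scheme A: the browser sends the salted hash itself."""
    def __init__(self):
        self.stored = client_hash(PASSWORD, SALT)

    def login(self, submitted: bytes) -> bool:
        return hmac.compare_digest(submitted, self.stored)

class ChallengeServer:
    """Assumed scheme B: the server issues a single-use nonce per login attempt."""
    def __init__(self):
        self.stored = client_hash(PASSWORD, SALT)
        self.pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def login(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.pending:
            return False              # unknown or already-used nonce
        self.pending.discard(nonce)   # a nonce is valid for one attempt only
        expected = hmac.new(self.stored, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)

def replay_results() -> dict:
    """Log in once per scheme, then resubmit the same bytes unchanged."""
    a = StaticHashServer()
    wire_a = client_hash(PASSWORD, SALT)
    first_a = a.login(wire_a)
    b = ChallengeServer()
    nonce = b.challenge()
    wire_b = respond(PASSWORD, SALT, nonce)
    first_b = b.login(nonce, wire_b)
    return {"static_first": first_a, "static_replay": a.login(wire_a),
            "challenge_first": first_b, "challenge_replay": b.login(nonce, wire_b)}
```

In scheme A the hash is accepted again on resubmission, so on the wire it works as the credential; in scheme B the used nonce makes the second submission fail. Neither scheme covers the session cookie or the login script itself, which plain HTTP still carries unencrypted.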
