

NOT SECURE: Forum Website for World of Warplanes

TLS Certificate security man in the middle attack security threat not secure encryption clear text

  • This topic is locked
3 replies to this topic

uberfu #1 Posted 01 March 2021 - 08:10 AM

    Airman Basic

  • Member
  • 274 battles
  • 3
  • Member since:
    09-26-2015

Why is this forum not secure with a TLS Certificate?

Odd that World of Warships Community Forum website is secured but that 'Planes is not. Odd that both main websites for 'Planes and 'Ships both have TLS Certificates installed but WG stopped short of adding one to the forum site.

Does WarGaming need some extra cash to pay for said certificate to install on their forum website?

 

WHAT THIS MEANS FOR PLAYERS:

This means that your login credentials (username and password) are being sent across the Internet in the clear - not encrypted (not scrambled) and that some nefarious party can easily intercept you while you log in to your account.

 

Well ... it's a free account. What do I care?

If you've put any significant amount of time or effort into your account assets (planes), leveled them up, modded them, advanced to high tiers; your time is also money and time that could be spent elsewhere not giving attention to WarGaming titles.

 

You Spent Money ... This means that someone could intercept your credentials, log in to your account; change said credentials and lock you out of your account. All that hard-earned money you put into this game ... poof.  (To be fair - not that video games are typically a money sink anyway - but that's a different topic).

 

This Also Means ... That once someone else has access to your account - any player that had a joint account between 'Planes; 'Tanks; and/or 'Ships - could potentially lose access to all 3 of their accounts and assets.  ESPECIALLY SINCE WG took it upon themselves to consolidate everything into their handy (relatively) newish Game Launcher so that WG could cut down on logistics management (or laziness - you pick).

 

In any event; a simple server adjustment to add the existing forum domain to the wildcard certificate will fix the problem. Seeing as how WG already bought said wildcard certificate back in January from Digicert.

 

Not sure why the server admins for 'Planes Forum and for 'Tanks Forum were lazy and have not installed the certs yet.  Just seems odd.

 

ADDITIONAL:

Potentially what this also means is that the servers that WG maintains to hold all of their player data might also not be secure.  This is not done via web certificates but through security software and settings and updates and patches installed on the server system itself.

 

For example: A scan of the Warships Forum shows that server still supports older security protocols that have been deprecated recently but overall the server security is decent.

 

Compared to this forum; We could assume that the same server admin team manages all 3 game sites and simply has not gotten to the 'Tanks and 'Planes forums.  We could also assume that different server admin teams manage the different game sites and that the server admin for 'Ships just does their job properly; while the other server admins for 'Tanks and 'Planes either do not know to secure these sites; forgot about it; or are simply not as meticulous as the admin(s) that manage the 'Ships websites.

 

In any case; I for one would rather not have someone come along and dig into my gaming account that I have both invested a ton of time and spent some cash (on 'Ships) only for them to access that account through this insecure website.

 

TO THE SERVER ADMINS:

PLEASE ADD THE "World of Warplanes" FORUM WEBSITE TO THE EXISTING WILDCARD CERTIFICATE THAT WARGAMING PURCHASED IN JANUARY.  Thank You.

 

ALSO - Add the "World of Tanks" Forum to the wildcard certificate that is actively installed on the 'Tanks main website which was purchased back in December.

 

One More Note:  It might be prudent to either keep a running database of what security certificates the server admins maintain and what servers they maintain them on (or should); to make certain that they don't miss one in the future.

Also - Digicert includes a certificate management tool that essentially lets someone set up a cert on a server and sends out renewal/expiration reminders; and will even automatically update the certificates on the fly so that user error doesn't fail to install them.
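
The certificate inventory suggested in the post above, sketched as an added example (not part of the original thread and not Wargaming's or Digicert's tooling): it checks which hostnames a certificate's SAN list actually covers, applying the rule that a wildcard stands for exactly one left-most label, and flags certificates close to expiry. All hostnames, dates and the 30-day threshold are constructed placeholders.

```python
from datetime import date

def san_covers(pattern: str, host: str) -> bool:
    """True if one SAN dNSName entry matches host.

    A wildcard is honoured only as the whole left-most label and stands
    for exactly one label: *.game.test covers forum.game.test but not
    game.test or forum.planes.game.test.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def audit(inventory, certs, today, warn_days=30):
    """Return {host: status} for every host expected to be served over TLS."""
    report = {}
    for host, cert_name in inventory.items():
        cert = certs.get(cert_name)
        if cert is None:
            report[host] = "no certificate assigned"
        elif not any(san_covers(s, host) for s in cert["sans"]):
            report[host] = "not covered by SAN list"
        elif (cert["not_after"] - today).days < 0:
            report[host] = "expired"
        elif (cert["not_after"] - today).days <= warn_days:
            report[host] = "expires soon"
        else:
            report[host] = "ok"
    return report

# Constructed sample data: placeholder names under the reserved .test TLD.
CERTS = {
    "wildcard-2021": {"sans": ["*.game.test", "game.test"], "not_after": date(2022, 1, 15)},
    "legacy": {"sans": ["shop.game.test"], "not_after": date(2021, 3, 20)},
}
INVENTORY = {
    "game.test": "wildcard-2021",
    "forum.game.test": "wildcard-2021",
    "forum.planes.game.test": "wildcard-2021",  # two labels deep: wildcard does not reach it
    "shop.game.test": "legacy",
    "wiki.game.test": None,                     # host known, no certificate recorded
}

if __name__ == "__main__":
    for host, status in audit(INVENTORY, CERTS, date(2021, 3, 1)).items():
        print(f"{host:28} {status}")
```
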



Captain_Underpants53 #2 Posted 01 March 2021 - 09:59 AM

    Major

  • Member
  • 37232 battles
  • 6,136
  • [USMIL] USMIL
  • Member since:
    04-17-2017

I hope they listen but ......... :sceptic:

 

Great post.  Too bad they won't leave it up.   :medal:


MSgt, USAF, (ret)

losttwo #3 Posted 01 March 2021 - 11:14 AM

    which way do we go?

  • Community Ace
  • 11657 battles
  • 15,683
  • [S-S-G] S-S-G
  • Member since:
    05-15-2012

A TLS certificate only verifies that Wargaming owns Wargaming and that it is a true and actual web site and company.

 

For the layman and people like me explanation: it would be like an ID badge for an employee to get into their job site.

 

It does actually nothing to stop bad guys from doing bad things. Nor will it help in recovering from whatever damage the bad guy did.

 

The entire Wargaming system is as secure as any of the other systems out there. 

Such as FB, Twit, Tok, DeviantArt, you name it, it is all equally secure or unsecure.

Whatever your perception is, 

 

 

 



blindfoId #4 Posted 01 March 2021 - 11:23 AM

    Second Lieutenant

  • Administrator
  • 8 battles
  • 1,632
  • Member since:
    07-19-2018

Dear uberfu,

 

You log into the forum through a separate secure web-page where you enter your credentials (unless it is saved in your browser, that depends on your personal settings), so the access to your personal account data has nothing to do with the forum. If you require any further information, feel free to contact Customer Support Service :honoring:





