Forums

SUGGESTION: Use proper SSL/TLS

Quick find code: 278-279-567-65990681

of 2
Im Tiny
Mar Gold Premier Club Member 2017

Im Tiny

Posts: 6Bronze Posts by user Forum Profile RuneMetrics Profile
Louiellen said:
Every notable site will come to the point that they will have no choice, but to implement https everywhere. That is the direction where the industry is headed, there is no valid reason not to implement it. Those that cannot buy certificates due to financial constraints can use free certs from Let's encrypt.

I would not like to see the day comes that major browsers will mark Runescape with an ugly "insecure" icon. It will be a major turn-off and will further negatively lessen traffic towards Runescape.


Especially since Runescape is a massive target for phishing sites. The gold, even though a game item, it worth their time to steal and sell. Having this encryption would not only cut off their ability to spoof the website, it helps with loads of other security issues and ratings. Hope someone from Jagex can see this and suggest it to someone that can do something haha.

23-Feb-2018 06:00:25

Nawty Psycho
Sep Gold Premier Club Member 2017

Nawty Psycho

Posts: 614Steel Posts by user Forum Profile RuneMetrics Profile
Im Tiny said:


Nawty Psycho said:
Im Tiny said:
TLS is the child of SSL and as a whole in the industry it is still referred to as SSL when securing your website/server. That's why they are called SSL Certificates and not TLS Certs. But regardless of the specific type, they NEED to switch to HTTPS only site-wide and use the greenbar with title certificate they already have. It's ridiculous that its not that way already.

TLS is successor to SSL. SSL is outdated and is proven to not be secure by Google.

Not sure if you actually read what I said? TLS is the protocol used, but its all under the widely used banner of SSL Certificates, not TLS Certificates. When mentioning HTTPS, secure connections, SSL is an umbrella term for secure encryption from browser to server. Please try and stay on topic.


Many people might still call it SSL, doesn't mean that it actually is that. Also you said TLS was part of SSL, which is also wrong. They are both independent and from different companies. Also I have already brought this topic up before. Do some forum searches, before posting same thing over and over again.
Entire RS homepage and forums need a rework, so I doubt they will bother updating the old website (unless they really are that lazy), when time comes to update.

PS: SSL is also still used by some websites.
I don't trust easily, so when I tell you I trust you, don't make me regret it.

23-Feb-2018 08:15:54 - Last edited on 23-Feb-2018 08:16:34 by Nawty Psycho

Im Tiny
Mar Gold Premier Club Member 2017

Im Tiny

Posts: 6Bronze Posts by user Forum Profile RuneMetrics Profile
Nawty Psycho said:
Many people might still call it SSL, doesn't mean that it actually is that. Also you said TLS was part of SSL, which is also wrong. They are both independent and from different companies. Also I have already brought this topic up before. Do some forum searches, before posting same thing over and over again.
Entire RS homepage and forums need a rework, so I doubt they will bother updating the old website (unless they really are that lazy), when time comes to update.

PS: SSL is also still used by some websites.


The terms SSL and TLS are often used interchangeably or in conjunction with each other (TLS/SSL), but one is in fact the predecessor of the other — SSL 3.0 served as the basis for TLS 1.0 which, as a result, is sometimes referred to as SSL 3.1. The entire web industry refers to it as SSL still as its a blanket term for browser encryption. Please stop being hung up on semantics, okay? Thanks.

A simple search of the term "ssl" shows only this thread, so searching has done nothing for me like you suggested it would but thanks.

The entire website and forums just had a major overhaul a year ago and it wasn't added then either, and in a couple months they will be forced to do it or get an insecure icon which I'm sure they would love to avoid.

If this is something you support, simply post supported and move on, instead of trying to derail my thread with semantics on whether my title should have read SSL or TLS since the terms are interchangeable with regards to the context I've posted. MY points still stand.

Sites using older versions of SSL such as SSLv1 and SSLv2 get big red warning pages on all browsers including internet explorer now and we are moving that direction with all but the latest TLS versions as well, obviously some people use them but that doesn't mean its a good practice or what I was suggesting at all either.

Now.. enough derailing and lets stay on topic please,
@Jagex start using HTTPS only

23-Feb-2018 19:46:49

Archaeox
Dec Gold Premier Club Member 2011

Archaeox

Posts: 46,322Sapphire Posts by user Forum Profile RuneMetrics Profile
Original message details are unavailable.
Yes, we want to make the site HTTPS and of course we take security seriously, we haven't yet however had the opportunity to push this site-wide.

Anything we develop in the future will be (where is technically possible due to integration with old systems) created with HTTPS in mind.

We've already begun this process with our pages such as Eastern Lands and RuneMetrics

~~~~ Just another victim of the ambient morality ~~~~
~~ Founder of the Caped Carousers quest cape clan ~~

24-Feb-2018 13:05:05

Louiellen

Louiellen

Forum Moderator Posts: 50,867Emerald Posts by user Forum Profile RuneMetrics Profile
Im Tiny said:
Nawty Psycho said:
Many people might still call it SSL, doesn't mean that it actually is that. Also you said TLS was part of SSL, which is also wrong. They are both independent and from different companies. Also I have already brought this topic up before. Do some forum searches, before posting same thing over and over again.
Entire RS homepage and forums need a rework, so I doubt they will bother updating the old website (unless they really are that lazy), when time comes to update.

PS: SSL is also still used by some websites.


If this is something you support, simply post supported and move on, instead of trying to derail my thread with semantics on whether my title should have read SSL or TLS since the terms are interchangeable with regards to the context I've posted. MY points still stand.


There you go, I've fixed the thread title. This is for us to save time and need not to debate about SSL vs TLS. However, a tech who endorses SSL 3.0 today should think about leaving the IT industry as she loses all the credibility security-wise.

Archaeox mentioned a Jmod post, however people are getting impatient - which is understandable given there is really a need for Jagex to communicate more publicly and more often.

24-Feb-2018 16:36:57 - Last edited on 24-Feb-2018 16:37:17 by Louiellen

Nawty Psycho
Sep Gold Premier Club Member 2017

Nawty Psycho

Posts: 614Steel Posts by user Forum Profile RuneMetrics Profile
Im Tiny said:
Louiellen said:
Every notable site will come to the point that they will have no choice, but to implement https everywhere. That is the direction where the industry is headed, there is no valid reason not to implement it. Those that cannot buy certificates due to financial constraints can use free certs from Let's encrypt.

I would not like to see the day comes that major browsers will mark Runescape with an ugly "insecure" icon. It will be a major turn-off and will further negatively lessen traffic towards Runescape.


Especially since Runescape is a massive target for phishing sites. The gold, even though a game item, it worth their time to steal and sell. Having this encryption would not only cut off their ability to spoof the website, it helps with loads of other security issues and ratings. Hope someone from Jagex can see this and suggest it to someone that can do something haha.


Phishing sites have TLS up page-wide usually. lol.
I don't trust easily, so when I tell you I trust you, don't make me regret it.

02-Mar-2018 10:44:38

Quick find code: 278-279-567-65990681Back to Top