DCS website is http only.


bumfire

I was going to buy a module this afternoon and I noticed that the http://www.digitalcombatsimulator.com website is not secured with HTTPS. I never went through with the purchase, so maybe it does change to HTTPS after the checkout stage; I did go as far as the checkout, but it remained HTTP only. However, the thing is, all of our information, and most importantly our game keys, are out there for anyone who can get into or hack the server. Personally I think our game keys should be protected just like credit card info, and I think the DCS website should be HTTPS from when you sign in, especially since transactions take place and our keys are on show.

 

Is this something that we should be worried about, and does buying modules also just use HTTP instead of HTTPS?

 

Any info would be good to hear, as it is kind of disconcerting to know that there is no secure connection between user/buyer and the server itself.

Already reported:

 

Suggestion:

I'm a bit concerned regarding the security of the website (and the forum). As our account is linked to our modules' serial numbers and bank data, the process of logging into the site seems quite dangerous. Isn't it possible to encrypt (SSL/TLS) the accesses to the site? Or to create an encrypted version of the e-shop and serial management parts of the site?

An unencrypted site, as it is now, is a major threat to all the customers.

 

In this thread, Post #87

DCS Wish: Turbulences affecting surrounding aircraft...

Gigabyte GA-Z170-HD3P - Intel Core i5 6600K - 16Gb RAM DDR4-2133 - Gigabyte GeForce GTX 1080 G1 Gaming - 8 Go - 2 x SSD Crucial MX300 - 750 Go RAID0 - Screens: HP OMEN 32'' 2560x1440 + Oculus Rift CV1 - Win 10 - 64bits - TM WARTHOG #889 - Saitek Pro Rudder.

Sorry I didn't notice it, however I do agree with everything you say.

 

It should automatically be HTTPS as soon as you sign in, and you shouldn't have to type the https manually for it to work.

 

That's my take on it.

Couldn't it be set to use SSL before authorization? Otherwise we still have to send our login details unencrypted, so anyone who's able to intercept traffic can just log in using those and then access our information.

Main rig: i5-4670k @4.4Ghz, Asus Z97-A, Scythe Kotetsu HSF, 32GB Kingston Savage 2400Mhz DDR3, 1070ti, Win 10 x64, Samsung Evo 256GB SSD (OS & Data), OCZ 480GB SSD (Games), WD 2TB and WD 3TB HDDs, 1920x1200 Dell U2412M, 1920x1080 Dell P2314T touchscreen

[...] all of our information and most importantly our game keys are out there for anyone who can get/hack into the server [...]

 

You're right of course that the server should use Transport Layer Security encryption.

 

I'd just like to point out that encrypting the traffic between our browsers and the webserver does not encrypt the data on the server. On the server, this data might be stored without encryption, meaning that anyone who breaks into the server could still steal it by accessing the data right where it's stored.

(Or maybe it is already stored with encryption - from the outside, we can't tell.)

 

Transport encryption defends against the infamous "Man in the middle", which could be anyone with access to the Internet traffic: Friends and family members within your local area network, anyone who hacked into said network, your Internet Service Provider, and anyone between your ISP and the server (including neighboring servers, in case the server hoster has a bad network setup). Oh, and law enforcement agencies and intelligence services like to reserve the right to intercept just about anything anywhere.

 

So, the point is: Transport encryption defends against this "Man in the middle", but it does not mean that the data is actually stored with any kind of encryption on the server (nor does it indicate the contrary - transport encryption and storage encryption are simply two entirely different and independent things).

 

Couldn't it be set to use SSL before authorization? Otherwise we still have to send our login details unencrypted, so anyone who's able to intercept traffic can just log in using those and then access our information.

 

No worries. If you look at the Login form, the form may come from an unencrypted connection (http://www.digitalcombatsimulator.com/en/), but the data is always sent to the encrypted site (https://www.digitalcombatsimulator.com/en/auth/).

 

It's just a wording issue, I guess: The site does not switch to encryption after authentication, it does so for authentication.

 

Anyone interested in the details: look at the DCS site's page source, locate the login form and look at the "action" attribute (simplified here):

 

<form method="post" action="https://www.digitalcombatsimulator.com/en/auth/">
<!-- the form stuff -->
</form>

 

tl;dr: All is okay. :)

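The check described in the post above (find the login form and inspect its action attribute), as an added Python example that is not code from the post or from the DCS site; the HTML is a constructed stand-in for the real page source. It resolves relative actions against the page URL and flags any password-bearing form whose action is not https or whose method is GET.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample (not the real DCS page source): a login page served over plain
# http whose form posts to an https URL, plus an unrelated search form.
SAMPLE_PAGE_URL = "http://www.digitalcombatsimulator.com/en/"
SAMPLE_HTML = """<html><body>
<form method="post" action="https://www.digitalcombatsimulator.com/en/auth/">
  <input type="text" name="login"><input type="password" name="password">
</form>
<form method="get" action="/en/search/"><input type="text" name="q"></form>
</body></html>"""

class FormCollector(HTMLParser):
    """Record every <form>: method, action resolved against the page URL, password field or not."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._current = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or relative action inherits the (possibly http) page URL.
            self._current = {"method": (a.get("method") or "get").lower(),
                             "action": urljoin(self.page_url, a.get("action") or ""),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current and (a.get("type") or "").lower() == "password":
            self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_login_forms(html, page_url):
    """Return (resolved action URL, verdict) for each form that carries a password field."""
    parser = FormCollector(page_url)
    parser.feed(html)
    results = []
    for f in parser.forms:
        if not f["has_password"]:
            continue
        if urlparse(f["action"]).scheme != "https":
            verdict = "credentials would travel in cleartext"
        elif f["method"] != "post":
            verdict = "https, but GET puts credentials in the URL and server logs"
        else:
            verdict = "ok: posted over https"
        results.append((f["action"], verdict))
    return results
```

The verdict only reflects what the server sent: a form page fetched over plain http can itself be altered in transit, so the durable fix is serving the login page over https as well.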
No worries. If you look at the Login form, the form may come from an unencrypted connection (http://www.digitalcombatsimulator.com/en/), but the data is always sent to the encrypted site (https://www.digitalcombatsimulator.com/en/auth/).

 

It's just a wording issue, I guess: The site does not switch to encryption after authentication, it does so for authentication.

 

Anyone interested in the details: look at the DCS site's page source, locate the login form and look at the "action" attribute (simplified here):

 

<form method="post" action="https://www.digitalcombatsimulator.com/en/auth/">
<!-- the form stuff -->
</form>

tl;dr: All is okay. :)

 

Phew, thanks Yurgon, that's a relief :)

 

Hopefully our data is stored encrypted as well, but maybe a MITM attack is more of a risk than someone breaking into the server. Depends how secure the server authentication method is though.

Phew, thanks Yurgon, that's a relief :)

 

Hopefully our data is stored encrypted as well, but maybe a MITM attack is more of a risk than someone breaking into the server. Depends how secure the server authentication method is though.

 

From what I read, the server uses the TLS 1.2 protocol with AES256-SHA1 encryption and ECDHE (RSA) for the key exchange.

I'll let you google that yourself to find out the meaning ;)
