Gaia online now unsecured???

**granturismo** · 01 Jun. 2011 03:51pm

I'm on gaiaonline right now and i keep refreshing my internet browser and move to different parts of the site and apparently i keep still getting the slash throught the HTTPS. and the lock before it has an x on it.

go to this link for a picture of it.

http://tinypic.com/r/330bk39/7

**Personoid** · 01 Jun. 2011 03:53pm

I don't remember Gaia ever fully supporting HTTPS.

**granturismo** · 01 Jun. 2011 03:56pm

well they did it just looks like a regular HTTPs with nothing going through it or the lock saying secured website but the regular sites have just HTTP thats it but gaia right now has a slash through it and may be a breaking point for us to steal some stuff from it like account info or some other crap like that.

**Personoid** · 01 Jun. 2011 04:39pm

I'm pretty sure the only way that makes a difference is if you can intercept someone logging into Gaia. Like Firesheep or whatever.

I thought so. It's never fully supported https. None of the links on the page are loaded via HTTPS. Clicking on any link will take you back to http://whatever vs https://whatever.

**granturismo** · 01 Jun. 2011 04:56pm

true but it was regularly not like this like it is now.

**Personoid** · 01 Jun. 2011 04:57pm

When you visit Gaia normally, it doesn't load with HTTPS.
i.e. Typing "gaiaonline.com" into the address bar doesn't result in https://www.gaiaonline.com/ . It's just http://www.gaiaonline.com

**Artificial** · 02 Jun. 2011 02:58am

The most likely scenario is that they're attempting to load a non-secure image/css/js file. i.e. from https:// they're attempting to load a resource using the http:// protocol. I guess, technically, it is a bit of a concern, as someone monitoring your network would be able to retrieve the session id stored in a cookie sent with the request. However, I would be very surprised if the login system system went from https -> http, so your username and password should be safe.

It's only really an issue if you're on an open or insecure network.

**Personoid** · 02 Jun. 2011 04:01pm

Originally Posted by Artificial

The most likely scenario is that they're attempting to load a non-secure image/css/js file. i.e. from https:// they're attempting to load a resource using the http:// protocol. I guess, technically, it is a bit of a concern, as someone monitoring your network would be able to retrieve the session id stored in a cookie sent with the request. However, I would be very surprised if the login system system went from https -> http, so your username and password should be safe.

It's only really an issue if you're on an open or insecure network.

https://gaiaonline.com/auth/login actually does contain a form that submits to http://gaiaonline.com/auth/login and all links on pages loaded with https:// actually lead to unsecured pages.

**granturismo** · 02 Jun. 2011 04:08pm

agreed but lets find out why xD

**Personoid** · 02 Jun. 2011 04:48pm

Originally Posted by granturismo

agreed but lets find out why xD

The reason is that Gaia never set it up for HTTPS properly. It's been this way for ages.
When you run a website, if you want to support people connecting via HTTPS, you have to set it up for that.

**granturismo** · 02 Jun. 2011 04:50pm

ohh so thats why its so easy to hack them xD

**Personoid** · 02 Jun. 2011 04:59pm

Originally Posted by granturismo

ohh so thats why its so easy to hack them xD

No, the only way you can hack someone because of this is via Man-in-the-middle attack - Wikipedia, the free encyclopedia.

Thread: Gaia online now unsecured???

LinkBack

Thread Tools

Search Thread

Rate This Thread

Display

Gaia online now unsecured???

Posting Permissions