Guild Wars Forums - GW Guru
 
 

Old May 08, 2009, 03:03 PM // 15:03   #41
Lion's Arch Merchant
 
Join Date: May 2005
Location: Florida
Profession: E/
Default

I have a program that stores my passwords, so it's just a simple copy + paste with my passwords and I'm in. Nothing to worry about for me.

I like this update anyways, makes it much easier to log in now.
DoomFrost is offline   Reply With Quote
Old May 08, 2009, 03:32 PM // 15:32   #42
Frost Gate Guardian
 
Rift's Avatar
 
Join Date: Jul 2007
Location: Canada
Guild: Virtual Love [kiSu]
Default

Wow.. so much mis-information about internet security in this thread.

At first glance this is a huge improvement on the security front. The old way had severe security issues, and it seems they've dealt with them nicely.

Having a single sign-on and better integration with the game is definitely the way to go. I'm hoping they'll build on this vision for the future so we see more web integration and more Web 2.0 features in GW2.
Rift is offline   Reply With Quote
Old May 08, 2009, 03:41 PM // 15:41   #43
Krytan Explorer
 
Empress Amarox's Avatar
 
Join Date: Dec 2008
Location: Above you.
Profession: Mo/W
Default

Quote:
Originally Posted by Lonesamurai View Post
How about just not using it if you're worried about it?
Kind of a big monetary loss every month, don't cha think?
Empress Amarox is offline   Reply With Quote
Old May 08, 2009, 03:45 PM // 15:45   #44
Forge Runner
 
Shadowfox1125's Avatar
 
Join Date: Mar 2005
Location: PST
Profession: W/
Default

What was Anet's reasoning in changing this? Was there a problem with the previous method? I share your sentiments, Amarox.
Shadowfox1125 is offline   Reply With Quote
Old May 08, 2009, 03:56 PM // 15:56   #45
Forge Runner
 
BenjZee's Avatar
 
Join Date: Dec 2006
Guild: The Overacheivers [Club]
Profession: Mo/
Default

At least I don't need to remember passwords for my:
NCSoft
GW
-XTH
I honestly don't mind... but what kinda worries me was I believe you could view the source and see the details clearly visible.
BenjZee is offline   Reply With Quote
Old May 08, 2009, 03:59 PM // 15:59   #46
So Serious...
 
Fril Estelin's Avatar
 
Join Date: Jan 2007
Location: London
Guild: Nerfs Are [WHAK]
Profession: E/
Default

Quote:
Originally Posted by SmithyBen View Post
you could view the source and see the details clearly visible.
Even with that, you'd need some kind of man-in-the-middle attack to snoop the information. The webpage you see is only sent from the server to your computer, no one else normally can see it.

Anyway, this is no longer the case when I checked.
Fril Estelin is offline   Reply With Quote
Old May 08, 2009, 04:18 PM // 16:18   #47
Lion's Arch Merchant
 
nkuvu's Avatar
 
Join Date: Dec 2005
Default

Quote:
Originally Posted by kunt0r View Post
just as much as any other game or bank provides
If this is the limit of security at your bank, that's pretty sad.

I'm not saying that the XTH needs to be as secure as a bank account, but there are a whole lot of things that a bank should be doing to ensure security (things like two stage logins, security questions, whitelisting specific computers for login, and so on).
Quote:
Originally Posted by Rift View Post
Wow.. so much mis-information about internet security in this thread.
Such as?
nkuvu is offline   Reply With Quote
Old May 08, 2009, 04:22 PM // 16:22   #48
Academy Page
 
deyond driven's Avatar
 
Join Date: Dec 2005
Guild: Our Titles Are [SiCK]
Profession: N/E
Default

I'm not worried about this one bit.
deyond driven is offline   Reply With Quote
Old May 08, 2009, 04:33 PM // 16:33   #49
Forge Runner
 
Longasc's Avatar
 
Join Date: May 2005
Default

Quote:
Originally Posted by Fril Estelin View Post
It is a very good thing, not in itself, but with the added security of the XTH. They're putting back the security of your account in your hands, rather than asking you to create a new account (I mean XTH account vs. GW account). Technically speaking, we call that "minimizing the security surface".
They just made the GW account and the XTH account the very same.

How did this "minimize" or reduce the security surface? People now can attack your account over the browser, too.
Longasc is offline   Reply With Quote
Old May 08, 2009, 04:42 PM // 16:42   #50
Krytan Explorer
 
Empress Amarox's Avatar
 
Join Date: Dec 2008
Location: Above you.
Profession: Mo/W
Default

Quote:
Originally Posted by Fril Estelin View Post
Even with that, you'd need some kind of man-in-the-middle attack to snoop the information. The webpage you see is only sent from the server to your computer, no one else normally can see it.

Anyway, this is no longer the case when I checked.
Pretty sure that's not how the internet technically works.

My understanding is it's something a bit like this:


The way the internet works isn't your computer and the server directly connected, but when you send information it has to jump through several hubs before it gets to the server and back (that's the entire reason it works in the first place) and what I'm worried about isn't so much something from MY PC -> GW SERVER, it's the "->" and "<-" that I'm worried about.

Someone intercepting the packets during the trip from one destination to the other.

I know similar is possible because the devs for a project called L2J rip packets from Lineage II, crack them and then do whatever it is they do to copy their work without technically "copying" it. Really underhanded and shady, but technically legal in my understanding? Anywho, beyond the point...

The point is, the website has proved to be less secure than the GW client in the past, and I don't see why we should now suddenly have a profound trust for it when after all of this time it has not only been a potential danger, but even recommended against by the company itself.

To illustrate the jumps, here's a traceroute to the GW server I'm connected to right now:
Code:
TraceRoute to 216.107.245.97 [216-107-245-97.plaync.com]
Hop	(ms)	(ms)	(ms)		IP Address	Host name
1	11	6	9		72.249.0.65	-
2	8	6	14		8.9.232.73	xe-5-3-0.edge3.dallas1.level3.net
3	18	15	26		4.68.19.76	ae-2-79.edge2.dallas3.level3.net
4	23	13	14		4.68.111.174	-
5	9	17	14		152.63.96.182	0.ge-2-0-0.xl3.dfw7.alter.net
6	50	53	61		152.63.57.73	0.so-4-0-0.xl1.lax1.alter.net
7	73	67	54		152.63.53.57	pos6-0.gw4.lax1.alter.net
And here is to the GW website:
Code:
TraceRoute to 206.127.153.151 [www.guildwars.com]
Hop	(ms)	(ms)	(ms)		IP Address	Host name
1	17	14	13		72.249.0.65	-
2	10	7	7		8.9.232.73	xe-5-3-0.edge3.dallas1.level3.net
3	12	16	10		4.68.19.204	ae-4-99.edge2.dallas3.level3.net
4	10	13	20		4.68.111.174	-
5	20	19	13		152.63.96.86	0.ge-1-1-0.xl4.dfw7.alter.net
6	55	47	50		152.63.32.66	0.so-5-0-0.xl2.tco4.alter.net
7	51	49	46		152.63.35.69	pos7-0.gw3.tco4.alter.net
That's from http://network-tools.com/ -- my personal one's 9 jumps.

Anyways, that's just my understanding. I'm by no means an expert.

It doesn't so much worry me that there are jumps in between, because there are of course the same amount of jumps in between for both. What worries me is that whereas originally we were only entering our information on GW, now we are entering it on a web browser as well and thus subjecting ourselves to possible web vulnerabilities, and you'd have to just be naive to think those don't exist. I mean, just look at Firefox's security updates, that alone should prove my point. We may not know of them, but they're definitely there. It's an added risk that makes me feel my account is now less secure than it was before.

Last edited by Empress Amarox; May 08, 2009 at 04:44 PM // 16:44..
Empress Amarox is offline   Reply With Quote
Old May 08, 2009, 05:02 PM // 17:02   #51
Krytan Explorer
 
Join Date: Mar 2006
Guild: innergalactic gargleblasters
Profession: W/Mo
Default

Always from day one we have been told to not use the same password for all log in crap. Always saying never give your password for the game. Even have a "be safe" warning on the log in screen sometimes. NOW all of a sudden they want us to use our log in name and password for just about everything... Well maybe not everything... but it's beginning to seem like it. I don't like it at all. So much for account safety. I don't care how secure the site is supposed to be, things happen that are unexpected. I don't believe it's a good thing they did here.
The Little Viking is offline   Reply With Quote
Old May 08, 2009, 05:08 PM // 17:08   #52
Grotto Attendant
 
zwei2stein's Avatar
 
Join Date: Jun 2006
Location: Europe
Guild: The German Order [GER]
Profession: N/
Default

Quote:
Originally Posted by Fril Estelin View Post
Even with that, you'd need some kind of man-in-the-middle attack to snoop the information. The webpage you see is only sent from the server to your computer, no one else normally can see it.

Anyway, this is no longer the case when I checked.
Regardless of man-in-the-middle (which is not ruled out by encryption), it also opened gates for XSS attacks (supplying links to the original website which can modify the webpage for the person clicking that link and do a lot of nasty stuff with JavaScript, nasty stuff).

And impostors - if before "log in here to get gw2 beta" or "give here your login details for 100k" was a clear scam that caught the stupid and greedy, modifying the XTH wiki article to link to a rip-off version of XTH is not easily detected and can have much worse impact. People could check https cert info or URL, but that's not how the real world works.

We were solving similar issues at my job. We ended up separating employee accounts to "critical business" (financial operations, only) and "everything else" (email, intranet, computer, anything that we can afford to give access to random stranger for 10 minutes without causing too much trouble).
zwei2stein is offline   Reply With Quote
Old May 08, 2009, 05:12 PM // 17:12   #53
Lion's Arch Merchant
 
Join Date: May 2005
Profession: P/W
Default

Would like to have the option to do it the old way tbh... name and pw on that is totally different to account, I didn't feel worried at all but now I do :/
Hyaon is offline   Reply With Quote
Old May 08, 2009, 05:14 PM // 17:14   #54
Wilds Pathfinder
 
Ġ ō Đ¹'s Avatar
 
Join Date: Dec 2007
Location: In the ★'s
Guild: No guild i quit and went to Aion! :)
Profession: A/
Default

If you're worried about your web security just set up a virtual PC with some AV Firewall and only go to GuildWars.com (Google Chrome of course) lol would probably be safe
Ġ ō Đ¹ is offline   Reply With Quote
Old May 08, 2009, 05:19 PM // 17:19   #55
Frost Gate Guardian
 
Rift's Avatar
 
Join Date: Jul 2007
Location: Canada
Guild: Virtual Love [kiSu]
Default

Quote:
Originally Posted by nkuvu View Post
Such as?
- That the old authentication system was safer than this one

- That using credentials linked to your game account will make it easier (than it used to be) for hackers to gain access to your account

- That people will sniff out your packets and obtain your credentials over SSL

People need to understand that these are not how hackers gain access to your account through the web. What people should be worried about are things like Cross-Site Scripting flaws, Cross-Site Forgery flaws, Virus/Trojans/Keyloggers, Phishing, and Password sharing. And as others have mentioned, this update does address some critical flaws the old XTH used to expose, which in turn improved the overall security of the site.
Rift is offline   Reply With Quote
Old May 08, 2009, 05:34 PM // 17:34   #56
Site Contributor
 
Join Date: Dec 2004
Default

Quote:
Originally Posted by The Little Viking View Post
Always from day one we have been told to not use the same password for all log in crap. Always saying never give your password for the game. Even have a "be safe" warning on the log in screen sometimes. NOW all of a sudden they want us to use our log in name and password for just about everything... Well maybe not everything... but it's beginning to seem like it. I don't like it at all. So much for account safety. I don't care how secure the site is supposed to be, things happen that are unexpected. I don't believe it's a good thing they did here.
LOL, okay Viking has a bit of a point here. For months it was proclaimed/announced/warnings/notices NOT to use your same GW login for the XTH voting. And now Anet spins it in a "Wow! We upgraded! You can use your same GW login!" I mean, the new site is much better security-wise, got rid of some security flaws and your information is better protected... but the irony of it all. I can see how some users might be suspicious or confused with the backpedaling.

I do have to say though that it is nice. I like this format a lot better. Props to the people who revamped it.
Inde is offline   Reply With Quote
Old May 08, 2009, 05:35 PM // 17:35   #57
Lion's Arch Merchant
 
Join Date: Jan 2007
Default

It sure feels less secure. People could brute-force game accounts in the website. Validate accounts without logging into the game. Site is susceptible to phishing attacks, etc. It *felt* more secure having individual accounts (maybe just an illusion anyway).
Chico is offline   Reply With Quote
Old May 08, 2009, 05:39 PM // 17:39   #58
Lion's Arch Merchant
 
nkuvu's Avatar
 
Join Date: Dec 2005
Default

Quote:
Originally Posted by Rift View Post
- That the old authentication system was safer than this one
With the old system, you log into the XTH with an email address that can be changed. I could set my XTH login to [email protected] provided that I could get email there. Even if my actual game login is [email protected]. I could also set it to use any password I like. I could have the password to my XTH account as "topsecret" without having any potential compromise of my actual game account.

Disassociating the XTH account from the actual game account does seem safer to me. Are you saying it isn't? Do you use one login/password pair for every site you visit? If not, why not?
Quote:
- That using credentials linked to your game account will make it easier (than it used to be) for hackers to gain access to your account
How many tools are there to attempt to break into a web page, and how many are geared specifically to logging into Guild Wars?
Quote:
- That people will sniff out your packets and obtain your credentials over SSL
I agree that this is unlikely.
Quote:
People need to understand that these are not how hackers gain access to your account through the web. What people should be worried about are things like Cross-Site Scripting flaws, Cross-Site Forgery flaws, Virus/Trojans/Keyloggers, Phishing, and Password sharing. And as others have mentioned, this update does address some critical flaws the old XTH used to expose, which in turn improved the overall security of the site.
How does this update address any of those things?
nkuvu is offline   Reply With Quote
Old May 08, 2009, 05:49 PM // 17:49   #59
So Serious...
 
Fril Estelin's Avatar
 
Join Date: Jan 2007
Location: London
Guild: Nerfs Are [WHAK]
Profession: E/
Default

Quote:
Originally Posted by zwei2stein View Post
We were solving similar issues at my job. We ended up separating employee accounts to "critical business" (financial operations, only) and "everything else" (email, intranet, computer, anything that we can afford to give access to random stranger for 10 minutes without causing too much trouble).
XSS doesn't look like a problem to me, if you don't have incompetent website people (hello McAfee). The only real problem IMHO is the total lack of communication with this. Indeed phishing could be a huge problem in a heterogeneous environment, only corrected with user training and guiding instructions on the website.

I'm convinced that the attack surface was higher before, not because of application exposure, but because of exposure to social engineering via complexity. Add an account and you're pushing people to reuse passwords, which is apparently what happened (cf. Regina).

I can perfectly understand that people are worried, as I said it's not completely irrational. Some will not do anything by default here and wait to hear people saying it's ok. I'll do the contrary and continue using it, with caution, until I hear otherwise. I don't believe Anet would make such a move and not think of the holistic security. (but I can't understand that Regina and Martin are not all over the place on this)
Fril Estelin is offline   Reply With Quote
Old May 08, 2009, 05:49 PM // 17:49   #60
Forge Runner
 
Alleji's Avatar
 
Join Date: Jan 2006
Default

I like it. It's convenient.

I also like the interface improvements.

However, on the importance scale this is very, very low. I don't understand why Anet manages their manpower the way they do... it probably took a designer and a programmer at least a whole day to redo the thing. Couldn't they have done something about fixing the game instead?
Alleji is offline   Reply With Quote
All times are GMT.