So when is Crunchyroll going to implement HTTPS??
14548 cr points
38 / M
Posted 11/4/17 , edited 17 days ago
Today's DNS hack just showed how vulnerable CR users are due to CR website lacking the most basic of security. It is NOT acceptable for a website today to be HTTP only. Just about everybody else, even Hulu who we like to make fun of, uses HTTPS and has been for many years now.

Seriously, what the hell??
18044 cr points
45 / M
Posted 11/4/17 , edited 3/3/18
I'm equally bothered by the lackluster post-action communications from all this. Okay great, it's DNS and my account info is okay, but when it's not do I need to expect the same limp response?
56036 cr points
32 / M
Posted 11/4/17 , edited 11/5/17
Well, I think it would be good to implement HTTPS so there's no cookie hijacking or ability to study traffic by all the MITM, but I don't think it'll do too much more than that. The login auth is already HTTPS which is what most people would be worried about. I'm not saying not do it, but I'm just saying there's limited gain. For instance I'm not sure it would've helped with today's attack because the vector was cloud hosting.
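
Added example (not part of the original thread): the post above describes a site whose login runs over HTTPS while the rest is served over HTTP, which is the setup where a session cookie can be hijacked. The sketch below audits response headers for that exposure; the cookie name `sess_id`, the `example.test` URLs and all header values are constructed for illustration.

```python
# Constructed sample responses (assumption: cookie name, URLs and header
# values are made up for illustration, not taken from any real site).
LOGIN_RESPONSE = {
    "url": "https://example.test/login",
    "headers": [
        ("Set-Cookie", "sess_id=abc123; Path=/; HttpOnly"),
        ("Content-Type", "text/html"),
    ],
}
HARDENED_RESPONSE = {
    "url": "https://example.test/login",
    "headers": [
        ("Set-Cookie", "sess_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ],
}


def cookie_attrs(set_cookie_value):
    """Return (cookie_name, set of lower-cased attribute names)."""
    first, *rest = [p.strip() for p in set_cookie_value.split(";")]
    name = first.split("=", 1)[0]
    attrs = {p.split("=", 1)[0].strip().lower() for p in rest if p}
    return name, attrs


def audit(response):
    """List the ways a cookie from this response could cross plain HTTP."""
    findings = []
    https = response["url"].lower().startswith("https://")
    header_names = {k.lower() for k, _ in response["headers"]}
    for key, value in response["headers"]:
        if key.lower() != "set-cookie":
            continue
        name, attrs = cookie_attrs(value)
        if not https:
            findings.append(f"{name}: set over plain HTTP")
        elif "secure" not in attrs:
            findings.append(f"{name}: no Secure flag, sent on later http:// requests")
    if https and "strict-transport-security" not in header_names:
        findings.append("no HSTS header, browser may still load http:// pages")
    return findings
```

An HTTPS login alone does not protect the session: without the `Secure` attribute the browser attaches the same cookie to every later plain-HTTP request to the site.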
16141 cr points
M / Bay Area, CA
Posted 11/5/17 , edited 4/7/18
There was an article on Engadget about the attack. Not exactly the kind of attention you want for your site. Hopefully this most recent event will spur more attention to site security.
2020 cr points
23 / M
Posted 11/5/17 , edited 4/7/18
It's an issue they have been ignoring for years now.

Hopefully having the worst case scenario happen will kick them into gear, but don't hold your breath.
14548 cr points
38 / M
Posted 11/5/17 , edited 4/7/18
HTTPS would've helped with this incident because only the actual Crunchyroll.com would've been able to use the Crunchyroll SSL certificate. You would've only needed to look at the URL bar to know whether or not you were on the official Crunchyroll website.
exzain
17348 cr points
40 / M
Posted 11/5/17 , edited 4/7/18
To be fair now that Hulu is secured and plays most but not all new titles and is secured..... maybe it is time to move away from a site that has been compromised and does not show concern about securing their site.

BECAUSE IT ONLY TAKES ABOUT AN HOUR TO SET UP AN SSL FROM PURCHASE TO FULL INSTALLATION SO NOT HAVING ONE A DAY AFTER A MAJOR ATTACK IS NOT OKAY.
108964 cr points
57 / M / U.S.A. (mid-south)
Posted 11/5/17 , edited 11/5/17

kalirion wrote:

You would've only needed to look at the URL bar to know whether or not you were on the official Crunchyroll website.

What percentage of people that would run an unknown executable from a page that was so poorly worded would have done that?

56036 cr points
32 / M
Posted 11/5/17 , edited 11/6/17

kalirion wrote:

HTTPS would've helped with this incident because only the actual Crunchyroll.com would've been able to use the Crunchyroll SSL certificate. You would've only needed to look at the URL bar to know whether or not you were on the official Crunchyroll website.


Not when you have control over one of the cloud layers/hosts. The same certs would be in use operating normally, but the attack would happen behind this layer.
14548 cr points
38 / M
Posted 11/5/17 , edited 11/6/17

phishcr wrote:


kalirion wrote:

HTTPS would've helped with this incident because only the actual Crunchyroll.com would've been able to use the Crunchyroll SSL certificate. You would've only needed to look at the URL bar to know whether or not you were on the official Crunchyroll website.


Not when you have control over one of the cloud layers/hosts. The same certs would be in use operating normally, but the attack would happen behind this layer.


IF you have control over the servers, yes. In this case, as I understand it, it was a simple DNS hijack where the hackers made the crunchyroll.com domain resolve to a completely different IP address. Crunchyroll's servers themselves were never compromised, so the hackers would not have had access to CR's private certificates.
56036 cr points
32 / M
Posted 11/6/17 , edited 11/6/17

kalirion wrote:


phishcr wrote:


kalirion wrote:

HTTPS would've helped with this incident because only the actual Crunchyroll.com would've been able to use the Crunchyroll SSL certificate. You would've only needed to look at the URL bar to know whether or not you were on the official Crunchyroll website.


Not when you have control over one of the cloud layers/hosts. The same certs would be in use operating normally, but the attack would happen behind this layer.


IF you have control over the servers, yes. In this case, as I understand it, it was a simple DNS hijack where the hackers made the crunchyroll.com domain resolve to a completely different IP address. Crunchyroll's servers themselves were never compromised, so the hackers would not have had access to CR's private certificates.


Yes, it does read like that (they don't explicitly mention what happens on their report, but it does sound DNS related... and then there's the German Twitter tweets) - and according to their whois, their DNS server is Cloudflare. While Cloudflare has DNS services, their primary service is cached content though, and in this same account compromise it should've been possible to serve up their own content under the Cloudflare SSL configuration. But you're right, if all they did was add one server to the round-robined DNS list then HTTPS would've caught that. Have some internet cookies.

It's probably a bigger issue though that their account was compromised in the first place, though...