Please make CrunchyRoll https...
5025 cr points
25 / M
Posted 4/7/16
Please, CrunchyRoll gods?
Can we please get this whole site https?
2240 cr points
M / Canada
Posted 4/8/16 , edited 4/8/16
I didn't notice that it wasn't but it's definitely a must for a website such as this one.
10015 cr points
Posted 4/10/16
I can say that anything in your subscription profile appears to be encrypted using a GoDaddy certificate. As long as everything, such as credit cards or account authentication, is encrypted there shouldn't be any problem. See any areas that are like that aren't encrypted?
1310 cr points
28 / M / Austria
Posted 4/11/16
Yes, I think most sites will (have to) make the switch from Flash to HTML5 and from http to https in the next few years, especially as Google, Mozilla et al. could drop support for insecure plugins and connections in their browsers more or less at any time, so Crunchyroll should consider making that switch as soon as possible too.
Though I guess the CR staff is well aware of this and already working on it. At least the HTML5 Manga viewer (though apparently still in beta) is already a step in the right direction.
5025 cr points
25 / M
Posted 4/11/16 , edited 4/11/16
Flash is already dead. HTML5 is the way to go.
And as Edward Snowden said, (paraphrasing) Encryption will save us all!

EDIT: That being said, I understand the limitations of HTTPS for sites with high volumes of web traffic will cause performance bottlenecking. So I'm not a 100% critic, but knowing that my activity on this site won't be tracked by 3rd parties would be nice.
5005 cr points
M
Posted 5/7/16
I'd also like to see CR go full HTTPS.


MasterKronus wrote:

I can say that anything in your subscription profile appears to be encrypted using a GoDaddy certificate. As long as everything, such as credit cards or account authentication, is encrypted there shouldn't be any problem. See any areas that are like that aren't encrypted?


That keeps that information secure in transit. However, whenever you visit a non-http page you're still sending a session id in the clear. This can be used to assume the logged in status of someone and poke around their account: shipping addresses, order history, watch history, some devices you own, partial information about payment methods, and anything else that you can do on your account without re-entering your password. The session id lives for a relatively long time as well, allowing plenty of time for this to occur.

As for performance bottlenecks, that's largely a myth from people that misunderstand how https works. I can't say I've ever run a streaming service using https, but the overhead is grossly exaggerated in other domains.

If I had to guess there probably just isn't enough pressure from customers/competitors to make it a priority. I would like to point out that the privacy policy's section on security says they place 'commercially reasonable' safeguards. One would hope that using a standard web encryption protocol such as https falls under 'commercially reasonable'.
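The session-id exposure described in the post above can be checked from response headers alone. The following is an added example, not part of the original post or any site's own code; the cookie name `sess_id`, the one-day lifetime threshold and both header sets are constructed assumptions.

```python
# Added example: the headers below are constructed, not captured from a real site.
MAX_SESSION_AGE = 24 * 3600  # assumed policy threshold for session lifetime (seconds)

def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, {attribute: value})."""
    first, *rest = [p.strip() for p in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_response(scheme, headers, session_cookies=("sess_id",)):
    """Return (subject, issue) findings for one response's header list."""
    findings = []
    names = {k.lower() for k, _ in headers}
    # Without HSTS the browser will still follow http:// links to this host.
    if scheme == "https" and "strict-transport-security" not in names:
        findings.append(("host", "no-hsts"))
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if cookie not in session_cookies:
            continue
        if scheme == "http":
            findings.append((cookie, "set-over-cleartext"))
        # No Secure attribute: the cookie rides along on every plain-HTTP page.
        if "secure" not in attrs:
            findings.append((cookie, "missing-secure"))
        max_age = attrs.get("max-age", "")
        if max_age.isdigit() and int(max_age) > MAX_SESSION_AGE:
            findings.append((cookie, "long-lived"))
    return findings

# Constructed samples: a login page served over HTTPS on a mixed HTTP/HTTPS site,
# and the same response after hardening.
MIXED = [("Content-Type", "text/html"),
         ("Set-Cookie", "sess_id=abc123; Path=/; Max-Age=2592000")]
HARDENED = [("Strict-Transport-Security", "max-age=31536000"),
            ("Set-Cookie", "sess_id=abc123; Path=/; Secure; HttpOnly; Max-Age=3600")]

if __name__ == "__main__":
    for label, hdrs in (("mixed", MIXED), ("hardened", HARDENED)):
        print(label, audit_response("https", hdrs))
```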
18109 cr points
21 / F / United States
Posted 5/7/16 , edited 5/7/16
Hello, I was looking at SSL on your website and decided to test it on a well-known website called ssllabs.com for testing SSL security. It was graded a C and vulnerable to the POODLE attack. I will not buy anything on this website in the near future until Crunchyroll has patched the SSL hack named POODLE. I do not want my card being stolen and such.

Results Evidence:
"https://www.ssllabs.com/ssltest/analyze.html?d=crunchyroll.com&s=190.93.240.175&latest"
"https://www.ssllabs.com/ssltest/analyze.html?d=crunchyroll.com&s=141.101.123.175"
The Wise Wizard
99929 cr points
56 / M / U.S.A. (mid-south)
Posted 5/8/16

NarutoUzumakiHokage42 wrote:

It was graded a C and vulnerable to the POODLE attack. I will not buy anything on this website in the near future until Crunchyroll has patched the SSL hack named POODLE. I do not want my card being stolen and such.

POODLE is a man-in-the-middle exploit. As such, it is normally only a concern if you were on a public network, such as the WiFi at a coffee shop.

The original exploit also depends on SSL 3.0, which has been disabled as of Chrome 40 (released back in January) and Firefox 34 (December 2014).

There is a newer exploit that can be used against TLS, but only those that have an implementation that doesn't validate padding per the spec, and SSL Labs specifically lists that CR is not vulnerable to that variation.


tl;dr version: SSL Labs will list any site that still supports SSL 3 as vulnerable, but you are not vulnerable if you are using a good up to date browser.
