Please make CrunchyRoll https...
5027 cr points
27 / M
Posted 4/7/16 , edited 5 days ago
Please, CrunchyRoll gods?
Can we please get this whole site https?
6336 cr points
M / Canada
Posted 4/8/16 , edited 11 days ago
I didn't notice that it wasn't but it's definitely a must for a website such as this one.
27015 cr points
Posted 4/10/16 , edited 3/21/18
I can say that anything in your subscription profile appears to be encrypted using a GoDaddy certificate. As long as everything, such as credit cards or account authentication, is encrypted there shouldn't be any problem. See any areas that are like that aren't encrypted?
1330 cr points
30 / M / Austria
Posted 4/11/16 , edited 4/11/16
Yes, I think most sites will (have to) make the switch from Flash to HTML5 and from http to https in the next few years, especially as Google, Mozilla et al. could drop support for insecure plugins and connections in their browsers more or less at any time, so Crunchyroll should consider making that switch as soon as possible too.
Though I guess the CR staff is well aware of this and already working on it. At least the HTML5 Manga viewer (though apparently still in beta) is already a step in the right direction.
5027 cr points
27 / M
Posted 4/11/16 , edited 4/12/16
Flash is already dead. HTML5 is the way to go.
And as Edward Snowden said, (paraphrasing) Encryption will save us all!

EDIT: That being said, I understand the limitations of HTTPS for sites with high volumes of web traffic will cause performance bottlenecking. So I'm not a 100% critic... but knowing that my activity on this site won't be tracked by 3rd parties would be nice.
5005 cr points
M
Posted 5/7/16 , edited 4/7/18
I'd also like to see CR go full HTTPS.


MasterKronus wrote:

I can say that anything in your subscription profile appears to be encrypted using a GoDaddy certificate. As long as everything, such as credit cards or account authentication, is encrypted there shouldn't be any problem. See any areas that are like that aren't encrypted?


That keeps that information secure in transit. However, whenever you visit a non-http page you're still sending a session id in the clear. This can be used to assume the logged in status of someone and poke around their account: shipping addresses, order history, watch history, some devices you own, partial information about payment methods, and anything else that you can do on your account without re-entering your password. The session id lives for a relatively long time as well, allowing plenty of time for this to occur.

As for performance bottlenecks, that's largely myth from people that misunderstand how https works. I can't say I've ever run a streaming service using https, but the overhead is grossly exaggerated in other domains.

If I had to guess there probably just isn't enough pressure from customers/competitors to make it a priority. I would like to point out that the privacy policy's section on security says they place 'commercially reasonable' safeguards. One would hope that using a standard web encryption protocol such as https falls under 'commercially reasonable'.
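The post above describes a session cookie riding along on plain-HTTP page loads while only the checkout is encrypted. The following is an added example, not part of the original post or Crunchyroll's code: it models which cookies a browser would attach to each visited URL. The host name, cookie names and values are constructed, and cookie matching is simplified to a host-only cookie with a prefix path match.

```python
from urllib.parse import urlsplit

# Constructed sample data: hypothetical host, cookie names and values.
HOST = "shop.example"
SET_COOKIE = [
    "sess_id=0123abcd; Path=/; Max-Age=2592000",   # 30-day session, no Secure
    "pay_token=89efcdab; Path=/checkout; Secure",  # only sent over https
]
VISITED = [
    "https://shop.example/checkout/card",
    "http://shop.example/videos/ep1",
    "http://shop.example/account/history",
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {lower-cased attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def browser_sends(url, attrs, origin_host):
    """Simplified cookie matching: host-only cookie, prefix path match."""
    target = urlsplit(url)
    if target.hostname != origin_host:
        return False
    if not (target.path or "/").startswith(attrs.get("path", "/")):
        return False
    # The Secure attribute is what keeps a cookie off plain-HTTP requests.
    return "secure" not in attrs or target.scheme == "https"

def cleartext_exposures(origin_host, set_cookie_headers, visited_urls):
    """Return (cookie, url, lifetime_days) for each cookie sent unencrypted."""
    exposures = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        max_age = attrs.get("max-age", "")
        days = int(max_age) // 86400 if max_age.isdigit() else None
        for url in visited_urls:
            if urlsplit(url).scheme == "http" and browser_sends(url, attrs, origin_host):
                exposures.append((name, url, days))
    return exposures

if __name__ == "__main__":
    for name, url, days in cleartext_exposures(HOST, SET_COOKIE, VISITED):
        print(f"{name} (lives {days} days) sent in the clear to {url}")
```

Adding `Secure` to the session cookie empties the result, but only a site served entirely over https can set that flag without logging users out on its plain-HTTP pages.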
19148 cr points
22 / F / United States
Posted 5/7/16 , edited 5/8/16
Hello, I was looking at SSL on your website and decided to test it on a well-known website for testing SSL security called ssllabs.com. It was graded a C and vulnerable to the POODLE attack. I will not buy anything on this website in the near future, until Crunchyroll has patched the SSL hack named POODLE. I do not want my card being stolen and such.

Results Evidence:
"https://www.ssllabs.com/ssltest/analyze.html?d=crunchyroll.com&s=190.93.240.175&latest"
"https://www.ssllabs.com/ssltest/analyze.html?d=crunchyroll.com&s=141.101.123.175"
108970 cr points
57 / M / U.S.A. (mid-south)
Posted 5/8/16 , edited 10/24/17

NarutoUzumakiHokage42 wrote:

It was graded a C and vulnerable to the POODLE attack. I will not buy anything on this website in the near future, until Crunchyroll has patched the SSL hack named POODLE. I do not want my card being stolen and such.

POODLE is a man-in-the-middle exploit. As such, it is normally only a concern if you were on a public network, such as the WiFi at a coffee shop.

The original exploit also depends on SSL 3.0, which has been disabled as of Chrome 40 (released back in January) and Firefox 34 (December 2014).

There is a newer exploit that can be used against TLS, but only those that have an implementation that doesn't validate padding per the spec, and SSL Labs specifically lists that CR is not vulnerable to that variation.


tl;dr version: SSL Labs will list any site that still supports SSL 3 as vulnerable, but you are not vulnerable if you are using a good up to date browser.

JPL17 
13022 cr points
Posted 4/13/18 , edited 4/13/18
Bump, it's 2018, and the fact that these insecure practices are easily used for even crypto mining off users' CPUs while streaming is also a loophole. I'd like to keep my CPU resources for myself only. Please update the site.
320 cr points
19 / F / pink clouds
Posted 4/13/18 , edited 4/13/18
SSL graded as C
"This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C."

Even though most browsers don't even support SSL 3, it's good practice to disable it in server settings.

Easy fix would be:

grep -r ssl_protocol /etc/nginx

and using the following:


ssl_protocols TLSv1.2 TLSv1.1 TLSv1;


Also, the main configuration file should be set like this; this should force https on all pages.


server {
    # serve plain HTTP and HTTPS from the same block
    listen 80;
    listen [::]:80;
    listen 443 default_server ssl;

    # host name only, no scheme
    server_name www.crunchyroll.com;

    ssl_certificate /path/to_cert;
    ssl_certificate_key /path_key;

    # send any plain-HTTP request to the https URL
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }
}


The entire website SHOULD be in SSL, not only the checkout page.
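The two settings from the post above (no SSL 3 in `ssl_protocols`, and a redirect for plain-HTTP requests) can be checked mechanically. The following is an added example, not the poster's or Crunchyroll's code: a small auditor run over two constructed nginx configs, where `www.example.com` and the file paths are placeholders and only `listen ... ssl` style TLS listeners are recognised.

```python
import re

WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}

# Constructed configs; example.com and the file paths are placeholders.
BEFORE = r"""
server {
    listen 80;
    listen 443 ssl;
    server_name www.example.com;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # SSL 3 still offered
    ssl_certificate /path/to_cert;
    ssl_certificate_key /path_key;
}
"""
AFTER = r"""
server {
    listen 80;
    listen 443 default_server ssl;
    server_name www.example.com;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }
}
"""

def server_blocks(conf):
    """Yield the body of every `server { ... }` block using brace matching."""
    for match in re.finditer(r"\bserver\s*\{", conf):
        depth, pos = 1, match.end()
        while pos < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[pos], 0)
            pos += 1
        yield conf[match.end():pos - 1]

def audit(conf):
    """Return a list of findings for weak protocols and unredirected HTTP."""
    conf = re.sub(r"#.*", "", conf)  # drop comments before matching
    findings = []
    for protocols in re.findall(r"\bssl_protocols\s+([^;]+);", conf):
        weak = WEAK_PROTOCOLS & set(protocols.split())
        if weak:
            findings.append("ssl_protocols enables " + ", ".join(sorted(weak)))
    for body in server_blocks(conf):
        listens = re.findall(r"\blisten\s+([^;]+);", body)
        plain = [spec for spec in listens if "ssl" not in spec.split()]
        if plain and not re.search(r"\breturn\s+30[1278]\s+https://", body):
            findings.append("plain-HTTP listener without a redirect to https")
    return findings
```

`audit(BEFORE)` reports both problems and `audit(AFTER)` reports none.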
30 cr points
38 / O
Posted 4/13/18 , edited 4/16/18
Actually, what should be a very strong reason for Crunchyroll is that the various search engines (Google, Yahoo, DuckDuckGo, etc.) have been ranking TLS sites noticeably higher than non-TLS sites. I'm unsure how large the boost is, but there is one. Within the year the stable versions of browsers (notably Chrome and Firefox) plan to mark all non-TLS sites as "insecure" regardless of whether or not they include form submissions. As such this is a distinctly worrisome issue.

Interestingly, Crunchyroll has clearly been working on this issue some. Ever tried visiting https://www.crunchyroll.com/ instead of http://www.crunchyroll.com/? Turns out most of Crunchyroll's pages are available via TLS. Unfortunately most of those are merely redirects to the non-TLS versions of pages, but a noticeable number are available pure-TLS. For instance https://www.crunchyroll.com/lineup is a redirect to the non-TLS page; but the pages for individual anime titles (for instance https://www.crunchyroll.com/haibane-renmei) are TLS.

Getting this finished soon would be good.


Hrmm, the fun of mistyping URLs, corrected. As a rather noticeable number of large US ISPs are now known to be monitoring traffic, it really would be nice to get this done since I prefer not to tell others about what I choose to examine online.
19148 cr points
22 / F / United States
Posted 4/17/18 , edited 4/17/18
@toDragon That's often a misconception that SSL improves your site ranking. What really improves your site rank is backlinks; Google it if you don't know what I mean. Aside from that, it's been two years and they haven't even bothered to improve the security for the website, especially since they have a payment system. Did you know that Crunchyroll uses a shared web hosting plan with GoDaddy? If you were with Crunchyroll before they had Cloudflare you would know this. I found out using a couple of methods that I'm not going to share, for obvious reasons. Honestly, I believe they should implement SSL site-wide and fix the POODLE vulnerability already; it's not that hard and only takes like 3 minutes to do so.

Link: http://prntscr.com/j6cg1u

Link (Evidence): https://securityheaders.com/?q=https%3A%2F%2Fcrunchyroll.com&followRedirects=on
16010 cr points
32 / M
Posted 6/30/18 , edited 7/1/18

NarutoUzumakiHokage42 wrote:

@toDragon That's often a misconception that ssl improves your site ranking.


At least for Google, using HTTP directly affects your ranking. For example, see this Google Webmaster blog post from way back in 2014.

9046 cr points
Canada
Posted 25 days ago , edited 25 days ago
Looks like the upcoming version of Chrome will mark all HTTP sites as not secure, so CR should hasten HTTPS adoption if it does not want the site looking like this:

6392 cr points
29 / F
Posted 25 days ago , edited 25 days ago
I am curious what the reason is that Crunchyroll has yet to switch to https, considering the years the site has been on the internet.

That will be good to hear from the founder or any of the moderators who may have information on this question.