Should Crunchyroll Have HTTPS enabled by default?
Posted 7/25/16

MyGFPushedMeOffACliff wrote:

Well, for premium members our credit card information might be at risk, though I think you can use Paypal and Paypal uses SSL anyway.

Still, there's no such thing as too much security. While I can understand from a business perspective why it may be considered too much to pay for an SSL certificate, the fact is that if people actually are using their credit cards to pay for subscriptions, et cetera, then Crunchyroll is required by law to furnish adequate security for the transfer and storage of this information. Of course, no one's really going to bother them if they choose not to... at least until there's a breach, at which point Crunchyroll and/or the webhost company that maintains the site and the prerequisite infrastructure is going to take it up the ass, hard. Seriously FISA fines are net-worth killers for all but the largest of corporations, which means CR would go bankrupt for sure.

I used to work in a datacenter that was both HIPPA and FISA compliant (Healthcare Information and Patient Protection Act and the Financial Information Security Act, in case you were wondering - they're both federal laws that dictate security standards for health records and financial information, respectively), and we were told, under no uncertain terms, that if we were found to be responsible for a HIPPA or FISA breach, whether intentional or through negligence of security practices, not only would we be fired but we'd likely never work in IT again. When I asked why such a threat was necessary, the guy told me that even one breach could pretty much bankrupt the company in a worst-case scenario.


They are using https on the account info and membership info area... Are you trying to say it's nonfunctional or did you not check?
Posted 7/25/16 , edited 7/30/16

Hrafna wrote:

Hrafna: "Crunchyroll is unwilling to pay for a certificate. Because, Crunchyroll considers SSL vulnerable."
Radraymond01: "But SSL isn't vulnerable."
Hrafna: "Tell that to Crunchyroll's administrators."
Radraymond01: "I seem to be lost in this conversation."

SSL and TLS are interchangeable terms, as one precedes the other. It's like referring to "Diablo 3" as "Diablo" and having someone walk up to you and say "No-no, it's called Diablo 3". We are fully aware of that, thank you. The obvious is obvious.

I've told you not to go to me with it, but to go to Crunchyroll's administrators with it, yet you continue to talk to me with it, as if I didn't already know. But, how can I help you? Did you get the premise of my point confused due to how I phrased my first post? Or, was it something else? What is it exactly that you fail to comprehend? What is it exactly that I fail to convey? Or, did you just want to chit-chat? We might be better off chit-chatting in Chit Chat, if that's the case.


I feel your metaphor here is somewhat unfitting, as TLS is, say, more like a patch to Diablo than a whole new game, as TLS is more of a patch to the protocol, and it's not like the technology radically changed between SSL v3 and TLS, and it's not like an SSL certificate doesn't allow you to use it with TLS.
Posted 7/25/16
I personally think it should be, and they don't even need to pay for it thanks to CAs like Let's Encrypt <https://letsencrypt.org/>.
Posted 7/25/16 , edited 7/25/16

Radraymond01 wrote:

I feel your metaphor here is somewhat unfitting

Yes, because it is. Again, thank you for pointing out the obvious.
Posted 7/25/16

Hrafna wrote:


Radraymond01 wrote:

I feel your metaphor here is somewhat unfitting

Yes, because it is. Again, thank you for pointing out the obvious.


This is going nowhere, isn't it?
Posted 7/25/16
I sure hope not.

'cause it feels less like



and more like



if you know what I mean?
Posted 7/26/16

Rujikin wrote:



They are using https on the account info and membership info area... Are you trying to say it's nonfunctional or did you not check?


If they're using it for membership info then that's news to me... then again I've had my subscription on auto-renew since the beginning of the year.
Posted 7/26/16
Yes, I do think so. You can never have enough security online, and being how this is a very popular site, it should.
Posted 7/26/16
Two things:

One, CR is using HTTPS when it is required to do so: transactions through the store, logging into the website, etc. Your login information is safe as long as the protocol switch happens before the user logs in (which is happening). This remains true when entering any personal information used to purchase goods that CR provides. As a user, it would be wise to log out and relog in after you are done buying any goods to terminate the connection and relog back in to get a new id if you wish to continue to use CR services (like watching shows or reading manga), but not necessarily required.

Two, CR offers a web browser flash-based video player service. Forcing everything to be HTTPS might make things more secure from people "peeking in" on your exclusive cast, but it would make things slower since the connection type would change to TCP.

Anyway, unless you stay logged in for extended periods of time after making purchases, switching to an all HTTPS site would hurt the users more than a possible intercept which might allow someone to buy goods under their account.
Posted 7/30/16

Hrafna wrote:


burr789 wrote:

Should Crunchyroll pay for a certificate and change the protocol of their links from http:// to https://, to avoid a "man-in-the-middle" from sniffing packets sent across the protocol, which could result in our session/cookie IDs being stolen, thus allow the "man-in-the-middle" access to whatever account whose session/cookie ID they stole, on which they could potentially purchase merchandise were our credit information exposed?


Fixed.

This question has been shut down by admins before. CR is unwilling to pay for a certificate now that SSL is vulnerable.


You mean the one they already have and use?
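
The concern raised in this thread, a session cookie issued during an HTTPS login that then travels over plain http:// pages, can be checked from the login response's headers. The following is an added example, not part of any post and not Crunchyroll's code; the header values are constructed and `sess_id` is a hypothetical session-cookie name.

```python
# Added example. Header values are constructed sample data, and the cookie
# name "sess_id" is a hypothetical session-cookie name.

def parse_directives(value):
    """Split 'a=1; b; c=2' into a dict with lower-cased keys."""
    out = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.strip().lower()] = val.strip().strip('"')
    return out

def audit_headers(headers, session_names):
    """Audit (name, value) headers taken from an HTTPS login response.

    Returns (subject, issue) tuples explaining why the session cookie
    could still be sent over plain http:// after the login step."""
    findings = []
    hsts_ok = False
    for hname, hvalue in headers:
        lname = hname.lower()
        if lname == "strict-transport-security":
            # max-age=0 switches HSTS off, so it does not count as enabled
            max_age = parse_directives(hvalue).get("max-age", "")
            hsts_ok = max_age.isdigit() and int(max_age) > 0
        elif lname == "set-cookie":
            first, _, rest = hvalue.partition(";")
            cname = first.partition("=")[0].strip()
            if cname not in session_names:
                continue  # only session identifiers are audited here
            attrs = parse_directives(rest)
            if "secure" not in attrs:
                findings.append((cname, "missing-secure"))
            if "httponly" not in attrs:
                findings.append((cname, "missing-httponly"))
    if not hsts_ok:
        findings.append(("response", "no-hsts"))
    return findings

# Constructed: HTTPS used for the login form only, cookie usable on http://
LOGIN_ONLY_HTTPS = [("Content-Type", "text/html"),
                    ("Set-Cookie", "sess_id=constructed123; Path=/; HttpOnly"),
                    ("Set-Cookie", "lang=en; Path=/")]
# Constructed: site-wide HTTPS with the cookie restricted to TLS connections
HARDENED = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
            ("Set-Cookie", "sess_id=constructed123; Path=/; Secure; HttpOnly")]

if __name__ == "__main__":
    for label, hdrs in (("login-only", LOGIN_ONLY_HTTPS), ("hardened", HARDENED)):
        print(label, audit_headers(hdrs, {"sess_id"}))
```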