https



mrfatalerror
22.03.15, 19:36
Hello,

the main page of TSO is http://www.thesettlersonline.com . This page allows you to log in to the game. Because a Uplay account is used to log in, I would like to ask you to change the main page to the https protocol. It is necessary to keep our Uplay accounts safer.

Thanks.

mrfatalerror
25.03.15, 06:58
Hello,

Bluebyte people, can you check this please? http://forum.thesettlersonline.com/threads/30485-https . Thanks.

Fexno
25.03.15, 07:49
Threads merged: "https", "https? Someone? Anyone?"

Hello mrfatalerror,

Don't worry, your uplay account should be safe.
The homepage builds an encrypted tunnel (an https connection so to speak) with the uplay authentication servers, before sending your login details.

If you look at the homepage while you are not yet logged in you will see:
http://i.imgur.com/8y9HL50.png
When you click on that link you will see a short description of the method used to log in.

For more information you could contact Support, and hopefully they will be able to provide the details you are looking for.
You can contact Support using the contact form on this page (http://www.thesettlersonline.com/en/help-and-support)

mrfatalerror
25.03.15, 09:51
It seems fine. Ok, thank you for the reply. I hope this solution is robust enough.

Durin_d
25.03.15, 09:56
The description is there but the game doesn't comply with the description.


There is a mention on the login page that all data transferred between the game client running in our browser and the servers is secured with SSL. However, when I follow the traffic that the game generates with Chrome developer tools, it's not encrypted with SSL but plain unencrypted http.

http://i.imgur.com/uUA8E32.png

Also the login form sends the credentials to www.thesettlersonline.com/en/api/user/login/ with http post without SSL encryption.

EctoRune
25.03.15, 11:48
Wow, Durin_d, that's kind of a big deal. Can we get a word from a BB representative on this? It's a significant security breach for anyone who plays TSO from the airport / coffee shop / any other public wifi.

Fexno
25.03.15, 14:28
"The description is there but the game doesn't comply with the description."

While I can't verify that Flash is used, AJAX is used and an SSL connection is created, which can easily be seen by opening the link found with Chrome developer tools
http://i.imgur.com/mI0zRzb.png


"Also the login form sends the credentials to www.thesettlersonline.com/en/api/user/login/ with http post without SSL encryption."
This is actually untrue; if you look at where the request is sent, you'll see it is sent to https://www.thesettlersonline.com/en/api/user/login/
http://i.imgur.com/4UCmtk3.png

BB_Ravel
25.03.15, 14:29
Login data transfer and shop actions are https encrypted. We take security very seriously and have some of the highest standards in the industry in this regard.
We do not accept insecure requests to /api.

If you have further questions or concerns regarding security, please send an email to webmaster@ubisoft.co.uk

Durin_d
25.03.15, 14:56
I stand corrected on the login. I was mistaken, as http://www.thesettlersonline.com/en/api/user/login responds.

The game and chat connections use plain http.

http://i.imgur.com/NBUhF1y.png
http://i.imgur.com/yPg3xrr.png
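
The disagreement above came down to reading request URLs in Chrome developer tools. As an added example (not part of the thread and not code from the game or its operator), the same check can be run over a HAR export from the Network tab; the hostnames, paths and field names below are constructed placeholders, not captured traffic.

```python
import json
from urllib.parse import urlsplit, parse_qsl

SENSITIVE = {"password", "pass", "pwd", "token"}  # assumed field names

# Constructed HAR excerpt; hosts and fields are placeholders, not real traffic.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "http://www.example.test/en/homepage",
                 "headers": []}},
    {"request": {"method": "POST",
                 "url": "https://www.example.test/en/api/user/login/",
                 "headers": [{"name": "Referer",
                              "value": "http://www.example.test/en/homepage"}],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "name=alice&password=constructed"}}},
    {"request": {"method": "POST", "url": "http://chat.example.test/bind",
                 "headers": [],
                 "postData": {"mimeType": "text/xml", "text": "<body/>"}}},
]}})


def _post_fields(request):
    """Names of form fields in a urlencoded POST body (empty set otherwise)."""
    data = request.get("postData") or {}
    if "x-www-form-urlencoded" not in data.get("mimeType", ""):
        return set()
    return {k.lower() for k, _ in parse_qsl(data.get("text", ""))}


def audit_har(har_text):
    """Return (finding, url) tuples for requests that leave the TLS-protected path."""
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        scheme = urlsplit(req["url"]).scheme.lower()
        referer = next((h["value"] for h in req.get("headers", [])
                        if h["name"].lower() == "referer"), "")
        has_secret = bool(_post_fields(req) & SENSITIVE)
        if scheme in ("http", "ws"):
            findings.append(("credentials-in-cleartext" if has_secret
                             else "cleartext-request", req["url"]))
        elif has_secret and urlsplit(referer).scheme.lower() == "http":
            # The POST itself is encrypted, but the form came from a page
            # an on-path party could have altered before submission.
            findings.append(("secure-post-from-insecure-page", req["url"]))
    return findings


if __name__ == "__main__":
    for finding, url in audit_har(SAMPLE_HAR):
        print(f"{finding:32} {url}")
```

The third finding type separates "the login POST is encrypted" from "the page that produced the login form was encrypted", which are different guarantees.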

mrfatalerror
25.07.17, 19:59
2 years, 4 months and 3 days later ... https://forum.thesettlersonline.com/threads/35065-URL-change-HTTP-gt-HTTPS . Finally.

I hope the game features will be implemented a little faster :-/ .

gibbletz
25.07.17, 21:50
Firefox says connection is not 100% secure.
https://image.prntscr.com/image/AjO_X6IIS76W7vFkW4VrwQ.png
I had to disable tracking protection to get game page to load.
I didn't need to do that before the change to HTTPS and would prefer it was fixed so I again have the choice to block tracking.

vigabrand
26.07.17, 15:21
job done...

seems a lot of fuss over a free to play game to me tho guys lol

gibbletz
27.07.17, 22:15
Since the switch to HTTPS.

https://ubistatic-a.akamaihd.net/0018/live/debug/AC_OETags.js
^^ this script contains tracking and with tracking protection turned on in Firefox it prevents loading,
https://ubistatic-a.akamaihd.net/0018/live/debug/0dad01cd1af7c00cb9754e825fffdb5885c3cbd3.swf