Apr 11, 2014 | SSL: the conclusion: to be continued?
Well, that was fun. It slipped my mind that the SSL bonanza I went on caused the mobile site at http://m.ruinsofchaos.com/ to stop working. There are a couple of contributing reasons for this:
- The Strict Transport Security configuration was set to include subdomains. I meant for it to apply to both ruinsofchaos.com and www.ruinsofchaos.com but it turns out m.ruinsofchaos.com is also a subdomain. Whoops.
- Even if that was not the case and you could get to m.ruinsofchaos.com without HTTPS, the game configuration was updated to instruct browsers to only send cookies over secure channels, so you wouldn't have been able to log in or stay logged in. Whoops.
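The two settings above can be checked offline. This is an added example (not the site's code) that models a browser's HSTS decision and the Secure cookie attribute; the header and cookie values are constructed, not copied from the server:

```python
"""Model of the two settings that broke the plain-HTTP mobile site:
Strict-Transport-Security with includeSubDomains, and cookies flagged Secure."""


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security header value (RFC 6797 directives)."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            policy["max_age"] = int(value.strip().strip('"'))
        elif name == "includesubdomains":      # directive names are case-insensitive
            policy["include_subdomains"] = True
    return policy


def hsts_forces_https(policy_host: str, policy: dict, request_host: str) -> bool:
    """Would a browser that cached `policy` from `policy_host` refuse plain HTTP
    and upgrade a request for `request_host` to HTTPS?"""
    if not policy["max_age"]:                  # max-age=0 clears a cached policy
        return False
    policy_host = policy_host.lower().rstrip(".")
    request_host = request_host.lower().rstrip(".")
    if request_host == policy_host:
        return True
    # Only a subdomain (host ends with ".policy_host") is covered, and only with includeSubDomains.
    return policy["include_subdomains"] and request_host.endswith("." + policy_host)


def cookie_sent_over_http(set_cookie: str) -> bool:
    """A cookie carrying the Secure attribute is never sent on http:// requests,
    so a session cookie set this way cannot keep a plain-HTTP login alive."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return "secure" not in attrs


# Constructed header values approximating the post-change configuration.
HSTS_HEADER = "max-age=31536000; includeSubDomains"
SESSION_COOKIE = "session=abc123; Path=/; HttpOnly; Secure"

if __name__ == "__main__":
    policy = parse_hsts(HSTS_HEADER)
    for host in ("ruinsofchaos.com", "www.ruinsofchaos.com", "m.ruinsofchaos.com"):
        print(host, "forced to https:", hsts_forces_https("ruinsofchaos.com", policy, host))
    print("session cookie reaches http://m. site:", cookie_sent_over_http(SESSION_COOKIE))
```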
That, on top of the time it took to get the certificate reissued, as well as the lack of a new start date when they finally did reissue it, led to what is hopefully the final-for-now solution to all of our problems.
We now have a new wildcard certificate from GeoTrust which works with *.ruinsofchaos.com. This includes https://ruinsofchaos.com and https://anythingelsewemightthinkoftoaddlater.ruinsofchaos.com.
In short, the mobile site at https://m.ruinsofchaos.com/ should work now. If it still doesn't, let me know. (Quick note: I also fixed the mobile training page.)
You can check the certificate's details by clicking the lock icon next to the address in your browser (it may be on the left or the right side of the address bar).
Apr 10, 2014 | SSL
As you might know, OpenSSL was vulnerable to an attack that is now commonly referred to as Heartbleed.
Here is a list of all the facts I know about this at this point:
- It was introduced into the wild (the internets) in March of 2012 in version 1.0.1.
- It was fixed on the 7th of April 2014 in version 1.0.1g.
- We've had an SSL certificate since July 4th 2013, and have been running on the current server since early September 2013. Its version of OpenSSL has probably been vulnerable since then. It is unclear whether the older server was vulnerable, but that certificate was revoked when we moved to this one.
- News of the vulnerability spread like wildfire on the 8th. I learned of it on my way home from school at about 7:45 PM Eastern on the 8th.
- Any website running a vulnerable version of OpenSSL MAY HAVE leaked confidential data to an attacker up to and including the private key and unencrypted passwords.
- Even though passwords are stored encrypted in most self-respecting user databases (including ours), the attacker using this vulnerability could still obtain an unencrypted password which was stored in RAM. From what I gather, the unencrypted password only exists in RAM during the instant of someone logging in or otherwise entering their password into a game form.
- What this means is:
  - if the attacker obtained the private key during the time the website was vulnerable
  - AND they have a man-in-the-middle (MITM) position (this means they have compromised the security of the target computer, or the target computer is on an unsecured network where the attacker is able to intercept the traffic)
  - they could theoretically have impersonated https://ruinsofchaos.com/ or decrypted traffic they intercepted.
The likelihood of our little corner of the internet having been targeted by such a sophisticated and seemingly chance-based attack is minuscule, but better safe than sorry. Therefore, here are the actions taken to rectify this vulnerability and try to mitigate future attacks:
- As soon as I heard the news at about 7:45 PM on Tuesday, I knew our server was running a recent enough version of OpenSSL to be vulnerable. I immediately parked at the nearest parking lot and whipped out my computer in the car to log in to the server and update OpenSSL, which was finished somewhere in the range of 8 PM to 9 PM.
- We have been trying to get our SSL certificate updated with a new private key since 9PM Tuesday, and it was finally updated Wednesday by 4PM Eastern.
- The original certificate which was in use during the vulnerable period was automatically revoked, and it is no longer possible for the theoretical Heartbleed attacker to impersonate the site or decrypt traffic from here on out.
- Our SSL certificate provider, Comodo, would not update our certificate to have a new "start" date; it simply reissued the certificate with the same validity date as the old one. The significance of this is that there is no simple way for you, the user, to be certain that the SSL certificate is secure and that you are at the correct site.
  You can take our word for it, or you can test us at https://www.ssllabs.com/ssltest/analyze.html?d=ruinsofchaos.com (I'm happy to report that our grade went from F to A+ in the span of a day. If only my precalc grade would make the same turnaround!) Or, if you know how to dig through your browser's history of certificates, you can compare serial numbers to see that the certificate now has a different serial number (if you know of a way, let me know).
- I have enabled stronger SSL security as well as SPDY to help improve site speed and security.
- I have also enforced HTTPS throughout the site, and strict transport security, so that your browser can no longer get to the regular HTTP site and won't even try once it's been at the HTTPS site. Please let us know of any problems arising from this move; a lot of the code on this site was written with HTTP in mind. One of these days I'll rewrite this thing.
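As an added example (not the site's own code) for the serial-number question above and for the wildcard coverage described in the Apr 11 post: fetch the live certificate with Python's ssl module and compare it the way a browser would. The three certificate dicts are constructed samples in getpeercert() shape, not the site's real values.

```python
import socket
import ssl


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Fetch the leaf certificate in the dict form ssl.SSLSocket.getpeercert() returns."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def san_matches(pattern: str, host: str) -> bool:
    """RFC 6125 rule: '*' stands for exactly one leftmost label, so
    '*.example.com' covers 'm.example.com' but not 'example.com' itself."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    first, _, rest = host.partition(".")
    return bool(first) and rest == pattern[2:]


def cert_covers(cert: dict, host: str) -> bool:
    """True if any DNS subjectAltName entry matches the host."""
    return any(san_matches(n, host) for k, n in cert.get("subjectAltName", ()) if k == "DNS")


def was_rekeyed(old: dict, new: dict) -> bool:
    """A reissue gets a fresh serial number even when notBefore/notAfter stay the same,
    so the serial is the value to compare, not the validity dates."""
    return old["serialNumber"] != new["serialNumber"]


# Constructed samples (not the site's real certificate data): the old cert, its
# reissue with the same validity window, and a wildcard cert that also lists the bare domain.
SAME_DATES = {"notBefore": "Jul  4 00:00:00 2013 GMT", "notAfter": "Jul  4 23:59:59 2014 GMT"}
OLD_CERT = {"serialNumber": "0A1B2C3D", **SAME_DATES,
            "subjectAltName": (("DNS", "ruinsofchaos.com"), ("DNS", "www.ruinsofchaos.com"))}
REISSUED_CERT = {**OLD_CERT, "serialNumber": "4E5F6A7B"}   # rekeyed, same validity window
WILDCARD_CERT = {"serialNumber": "8C9D0E1F", "notBefore": "Apr 11 00:00:00 2014 GMT",
                 "notAfter": "Apr 11 23:59:59 2015 GMT",
                 "subjectAltName": (("DNS", "*.ruinsofchaos.com"), ("DNS", "ruinsofchaos.com"))}

if __name__ == "__main__":
    live = fetch_peer_cert("ruinsofchaos.com")   # needs network access
    print("serial:", live["serialNumber"], "valid:", live["notBefore"], "to", live["notAfter"])
    print("covers m.:", cert_covers(live, "m.ruinsofchaos.com"))
```

Run it before and after a reissue and compare the printed serial; the bare domain is covered only because it has its own SAN entry, not by the wildcard.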
Instructions for you:
- Make sure you are not vulnerable to MITM attack (don't get on unsecured wifi, don't connect to networks that may log your traffic, etc.).
- Change your password at this site and at any site you've used in the past which may have been vulnerable to this. I personally use LastPass to keep track of all my passwords and generate secure ones, and I suggest you do the same.
- Internet Explorer 6 users on Windows XP may find that they can no longer access the secure site due to the updates. These users are encouraged to light their computers on fire, as they are using a 13-year-old browser.
Mar 30, 2014 | Brace yourselves
Just for funsies,
- Sab cost has been reduced
- The power of the 5x1 has been increased
Feb 11, 2014 | Rule Clarification
I didn't think this was entirely necessary, but the issue has come up a few times this round.
It's perfectly okay for people who live together to play different accounts. It's not okay to bank for them. Yes, we can tell. When you get banned, it's not because your roommate, wife, or cat plays on the same IP. It's because you're banking them because they're less active, less interested, or lack opposable thumbs.
Hope this clears things up.
Dec 27, 2013 | Age 14
The last round was supposed to be Age 14, and this would be Age 15, but obviously, things did not go as planned. Let's pretend that round never happened.
Changes this round are very few:
- You now need 25% more spy than sentry to view gold on the battlefield. This is down from 50%.
- Swiper is disabled
- Dwarves had too many bonus stat allocations. Their defense bonus has been reduced to 40% (from 60%)
- Mail system overhaul will be added during the round
Beta server will be active in the next day or two, to test things for Age 15.
Dec 16, 2013 | Teamviewer
Use of Teamviewer and all other screen sharing programs to log into another player's account is illegal. The use of such programs for personal use is not expressly forbidden, but highly discouraged.