test content
Logo
What is the Arc Client?
Install Arc
Options
Neverwinter Gateway Issues 2/19
akromatik
Member Posts: 1
We are currently investigating the issues with the Neverwinter Gateway page and will resolve them as soon as we can. Thank you for your patience.
Post edited by Unknown User on
0
This discussion has been closed.
Comments
Not much to investigate... The SSL certificate expired today and should have been replaced before it expired.
Sci-fi author: The Gods We Make, The Gods We Seek, and Ji-min
Pretty much. You might be able to get it to work by disabling a bunch of security stuff in your browser... but I wouldn't recommend that :P
|| Axios Guild Leader || Neverwinter Trade Forum Moderator || Infernal Paragons ||
Check out my foundry, titled "Akro's Gone Wacko", featuring our ex-CM Akromatik!: NW-DL8J7BY5T
Erza Moonstalker | Lara Moonstalker | Julie Marvell | Erza Moonhunter | Annie Hellangel | Jenn Moonstalker
Thaumaturge's Time To Shine: A Complete Guide
Guesstimate ETA Akro? Doing all my professions in the game would be a horrible pain with the anti-bot finishing delay.
"Do what thou Whilt shall be the whole of the Law. Love is the Law, Love under Will."--Aleister Crowley
Somebody missed the boat, no biggie.
|| Axios Guild Leader || Neverwinter Trade Forum Moderator || Infernal Paragons ||
Check out my foundry, titled "Akro's Gone Wacko", featuring our ex-CM Akromatik!: NW-DL8J7BY5T
Erza Moonstalker | Lara Moonstalker | Julie Marvell | Erza Moonhunter | Annie Hellangel | Jenn Moonstalker
Thaumaturge's Time To Shine: A Complete Guide
Please immediately remove the professions delay, as without Gateway to complete professions it represents a significant barrier to those of us with many professions to collect.
Thank you.
remove that extremely annoying delay, pls!!!
That said, how can you forget to renew the SSL cert????? That's some serious negligence from your side, esp since most, if not all, CAs send several notification mails before it expires.
I'm Betting 1AD they will forget.
EDIT: I should point out -- if you play this game on a public wifi (like in a coffee shop or cafe or whatever), anyone sniffing wireless traffic can steal your PWE login even with the SSL if the certificate is reasonably easy to crack (like any SHA1 cert). If the certificate isn't valid and therefore not working it means there's a good chance your login is being sent in plaintext which, needless to say, is easy to steal. So... 1) be careful out there. 2) don't use the gateway on a public wifi (including on your mobile) unless you can verify the SSL - even then... careful. A guy with a laptop in the parking lot can steal a lot of data from you and you'd never know...
This isn't a particular vulnerability with the Gateway, mind you, but rather just a fact of life with WiFi. You need to be really careful if you're not on a network you trust (and if you trust the Starbucks network, you're a fool
Sekhmet@kvetchus_
Guilds: Greycloaks, Blackcloaks, Whitecloaks, Goldcloaks, Browncloaks, Spiritcloaks, Bluecloaks, Silvercloaks, Black Dawn
Tredecim: The Cloak Alliance
This is the real issue here - Google et al have been gradually working on 'sunsetting' SHA1 certs, and updating their browsers to no longer recognise it as a valid protocol. In effect they are forcing organisations to move to SHA256. Many of these organisation have bought SHA1 licences in 3 or 5 year blocks - don't trust the expiry date quoted earlier in this thread, that just shows the date the browser stopped believing the licence to be valid.
This article breaks things down well - it also points out the problems to those users of XP who have not updated past Service Pack 2.
I think it salts and hashes the password then sends it over plain HTTP. (http://launcher.playneverwinter.com/launcher_login http://launcher.playneverwinter.com/static/all/js/cryptic-hash.js)
And why the **** would the launcher establish a TLS connection with a well known login server? the hash.js is just a framework to create hashes - yes, thats correct. The payload is still send over a secured connection...
We are always looking for new models --- Borderline Fashiondolls ---
I can Google too, though I've known this for years now:
"The SHA-1 cryptographic hash algorithm has been known to be considerably weaker than it was designed to be since at least 2005 — 9 years ago. Collision attacks against SHA-1 are too affordable for us to consider it safe for the public web PKI. We can only expect that attacks will get cheaper."
SHA-1 is considered deprecated tech. Period.
Sekhmet@kvetchus_
Guilds: Greycloaks, Blackcloaks, Whitecloaks, Goldcloaks, Browncloaks, Spiritcloaks, Bluecloaks, Silvercloaks, Black Dawn
Tredecim: The Cloak Alliance
Safe travels,
Archmage Zebular of Mystryl
PWE Community Moderator
[ RoC | ToS | Support ]
[ Support Center • Rules & Policies and Guidelines • ARC ToS • Guild Recruitment Guidelines | FR DM Since 1993 ]
it must be very embarrassing for a pro compagny to forget to renew their certificate, it make them look as full noobs. With the next launch on Xbox this is a very untrustfull and unprofessionnal image given.
So as a workaround put the date on your computer back a couple of days.
Setting your browser to ignore certificate is NOT a good idea because if i was a hacker i would choose this time to intrude and fake the gateway to phish thousands of accounts.
Still no reason to run around and spread panic everywhere by telling people how ez pz sha1 is to crack...
That's all im referring to.
We are always looking for new models --- Borderline Fashiondolls ---
It uses a Javascript-based encryption engine that uses available libraries, and you're right, it doesn't use SSL. I actually posted about it to the Alpha forum back when the game was in Alpha, along with Wireshark logs showing how to steal a user's credentials over an unsecured wifi. It was ignored (or at least, it was never replied too anyway). No big deal, it's pretty unlikely anyone will care enough to do it, although not long after I posed, they implemented SSL on the Gateway since that by itself will stop 99% of the risk. The other 1%... like I said, no one that knows how to deal with SSL would waste the time just to get someone's PWE account, so in a practical sense, I don't think there's much risk. Just don't play the game on an untrusted network - like I said, that pretty well goes for anything that involves you logging in, so Neverwinter isn't really some sort of special outlier there.
Sekhmet@kvetchus_
Guilds: Greycloaks, Blackcloaks, Whitecloaks, Goldcloaks, Browncloaks, Spiritcloaks, Bluecloaks, Silvercloaks, Black Dawn
Tredecim: The Cloak Alliance
Ye - correct. It uses TLS.
We are always looking for new models --- Borderline Fashiondolls ---
Yes indeed - don't take my comments as being particularly critical of their web team forgetting to renew a cert. It really does happen, especially if the teams are siloed due to a merger. My comments are just general concerns that are apropos to the question of the game's security overall.
Also -- depending on how they sign their certs and how the company's internal bureaucracy works, and how they deal with change management on their production systems, it can be a couple days. If you are using the gateway from your own home, there is NO RISK HERE despite any doom and gloom warnings on your browser.
Sekhmet@kvetchus_
Guilds: Greycloaks, Blackcloaks, Whitecloaks, Goldcloaks, Browncloaks, Spiritcloaks, Bluecloaks, Silvercloaks, Black Dawn
Tredecim: The Cloak Alliance
Is it secure to use gateway or should i wait until cert. is updated?
D&D Home Page - What Class Are You? - Build A Character - D&D Compendium