| Hi. My suggestion is you implement HTTPS for loging in on MyAnimeList.net. I've been registered here for quite some time now and expected every bigger site uses HTTPS for logins these days. I was surprised to say the least to see my password being sent out in plain-text. I was also surprised that no one has suggested this essential feature yet. MAL has so many users... and every one of them is forced to risk having their password sniffed each time they log in. I hope I don't sound too critical. Other than this I think MAL is awesome and I love it! Keep up the good work. Mod Edit: Suggestion accepted. |
_Ghost_Sep 13, 2016 7:27 AM
| You mean when you type the password for your account it dorsn't go like this "**********" and is words instead? If you do, my end's fine. It turns to stars each time I type my pass out ao either I'm wrong and don't know what I'm saying or your end's the only thing wrong. |
Thor got deleted... D:    |
| No, that's no problem. It does go all stars. But even so, if the site doesn't use HTTPS people who have acces to your network connection can use a program like Wireshark to catch your password. It's called packet sniffing. (here is the first description I found on google) This is the reason why banks or e-mail providers always use HTTPS. You can usually tell by looking at your address bar, it should turn green. For more information see: http://websearch.about.com/od/dailywebsearchtips/qt/dnt0513.htm http://www.instantssl.com/ssl-certificate-products/https.html |
packetAug 18, 2010 3:33 PM
| Ohai there, Xinil. How about allowing to change the protocol of the personal site in "Profile" from HTTP to HTTPS also? |
Truly yours, Arinohyoshi ~ Join the SOL Brigade Today! ~ Save our World by Overloading it with Lolis! ~ |
| Going for an SSL connection huh? There's not much of use anyway. Since the site is generally only a list of your anime(s). No money is involved so. T-down. |
"Your taste is shit cause you like what I hate. Believe me I have 1000 cartoons that I rated with less than 5."  |
| I'd still rather have secure connections to our site than not, and should not be a hard implementation |
| Truly yours, Arinohyoshi ~ Join the SOL Brigade Today! ~ Save our World by Overloading it with Lolis! ~ |
Arinohyoshi said: But it's usage would be questionable. The question is: "For what?"I'd still rather have secure connections to our site than not, and should not be a hard implementation |
| "Your taste is shit cause you like what I hate. Believe me I have 1000 cartoons that I rated with less than 5." |
Cashdaxxx said: Arinohyoshi said: But it's usage would be questionable. The question is: "For what?"I'd still rather have secure connections to our site than not, and should not be a hard implementation More like, why not? It shouldn't be that hard to implement. |
| Because I'd rather go for the security, than not going for the security. Having everyone to use secure connection over not secure is just pure win. |
| Truly yours, Arinohyoshi ~ Join the SOL Brigade Today! ~ Save our World by Overloading it with Lolis! ~ |
Arinohyoshi said: What are you trying to hide anyway? They're only lists and online friends here though.Because I'd rather go for the security, than not going for the security. Having everyone to use secure connection over not secure is just pure win. |
| "Your taste is shit cause you like what I hate. Believe me I have 1000 cartoons that I rated with less than 5." |
Cashdaxxx said: What are you trying to hide anyway? They're only lists and online friends here though. Hide? O_o It seems to me that you didnt apprehend what I wanted: I don't want to hide anything, but what I do want is everyone to use our website with SSL. What I want is to have with SSL is the website on our profile, which needs adding a checkbox with "Use secure HTTP" or a dropdown list with http and https as options. I'm not talking about having MAL itself with SSL. |
| Truly yours, Arinohyoshi ~ Join the SOL Brigade Today! ~ Save our World by Overloading it with Lolis! ~ |
| People tend to forget that an SSL cert costs money, and I'd rather have that money spent toward much-needed hardware and development time than on encrypting non-sensitive data. All the information except maybe PMs is public anyway to anybody who views your profile. If you don't want other people to know about it then don't post it. There really is nothing on mal that is private enough to warrant encrypting, and really the only danger you have is maybe somebody sniffing your password from an unsecured router. If you're truly concerned, then just use a tunnel through any of various free SSL proxies, to make local sniffing harder. There is essentially no risk once it gets to a backbone. |
 I am a banana. |
| And yet again, I am NOT talking about getting SSL certificate and HTTPS on MyAnimeList. I'm talking about the PERSONAL WEBSITE that everyone can put up in their own Profile information (In my case: pingtimeout.net ). What I want is a possibility to set that up in my profile with HTTPS:// instead of the forced HTTP:// it now offers. We have a cert already at pingtimeout.net and we want people to use the site with SSL rather than not. Does my english fail so much that its hard to understand what I'm wanting here :( |
| Truly yours, Arinohyoshi ~ Join the SOL Brigade Today! ~ Save our World by Overloading it with Lolis! ~ |
Oh I see what you mean. I never realized that https didn't work there, but you're right that this needs to be remedied. There is really no reason to restrict urls to only http. ^ That field should just take a url and enforce "^https?://" then add the protocol if it's missing. I will try to bring attention to fixing it. |
I am a banana. |
| Yay, thank you <3 Also a personal note to take, I should have taken a screenshot from the beginning, it would have saved alot of posts and making my point easier to understand. |
ArinohyoshiSep 24, 2011 11:26 AM
| Truly yours, Arinohyoshi ~ Join the SOL Brigade Today! ~ Save our World by Overloading it with Lolis! ~ |
| In the meantime you could just redirect the http urls to https using mod_rewrite.... since you might as well use https if you have it.... or if you don't want to do it site-wide then just make a script on your site that redirects to the https url. |
I am a banana. |
MrGemeco said: Why won't this be fixed exactly, there is basically no work to get it done. Because the only person that has the power to implement it doesn't give a damn. I can safely bet 1000$ vs your 1$ that he won't even read it and still feel guilty like I stole your 1$ |
   |
Lokie said: Searching a bit I saw that https doesn't seem to be in the TO DO list of the admins. Hahaha. When was that list updated last time? |
|
| What was the last time that anything changed on MAL at all? If I remember well, they tried to add a background, but as I am using a different theme I can't even be 100% sure of that. As long as we have "MSN" on our profiles, we will never be evolving. |
 |
| You don't use MSN lupachin~? Then who's MSN did you give me??? Did you stand me up???????? ;___; hidoi |
  Lorem ipsum dolor sit amet |
| Being exposed makes us live on the edge. I guess it's an adrenaline thing. |
 "Everything you see on the internet isn't true." -Abraham Lincoln |
Lokie said: tldr: there is absolutely no reason not to use https and every reason to use it. Well. There are reasons not to use HTTPS. But I agree with you that in this case, especially when handling authentication and the user's session, HTTPS should definitely be used. Sending passwords or your Session ID in plain text over the internet is an awful idea. |
| We can dance if we want to. Web Development and Programming: The sexiest place on earth |
| I don't know how to feel when reading all these responses. Truth be told, if I balance it out how useful the secure http would be and how taxing it would be for the servers (constant encrypting is a taxing matter), I always come to a conclusion that we are better off without it. Have we ever experienced wiretapping or man-in-the-middle attacks? Nah, not really, as far as I know. Yet, those are the only things a secure http protects you from. It's rather funny how misleading vision many have on just what https is. It's not enhanced security. It's just encrypting of input data, which basically disallows others that somehow manage to get a direct access from reading it. But that's not what happens on MAL. Here, users and mods get phished or keylogged, and a https can't do a thing about it. Long story short, I'm always up for a secure protocol, but not in this case. The servers are so shitty that it would bring far more damage than profit, imho. |
Lime_ said: W-what? You'd manage to troll me if I didn't know that MSN doesn't exist anymoreYou don't use MSN lupachin~? Then who's MSN did you give me??? Did you stand me up???????? ;___; hidoi |
|
| Hello there, my dear friend. Thank you for your concern! This is Crave™-tan. I'm speaking in behalf of The Elder Gods, also known as "the ones who rules your cartoons website" We will never update anything on this said © MyAnimeList.net basically because it isn't lucrative and has a really bad traffic flow. But hey, we gave you Incapsula™, be thankful! Best regards, CraveOnline™ |
subpyro said: I don't know how to feel when reading all these responses. Truth be told, if I balance it out how useful the secure http would be and how taxing it would be for the servers (constant encrypting is a taxing matter), I always come to a conclusion that we are better off without it. Have we ever experienced wiretapping or man-in-the-middle attacks? Nah, not really, as far as I know. Yet, those are the only things a secure http protects you from. It's rather funny how misleading vision many have on just what https is. It's not enhanced security. It's just encrypting of input data, which basically disallows others that somehow manage to get a direct access from reading it. But that's not what happens on MAL. Here, users and mods get phished or keylogged, and a https can't do a thing about it. Long story short, I'm always up for a secure protocol, but not in this case. The servers are so shitty that it would bring far more damage than profit, imho. Mhm. This is true in most cases. And I agree that the encryption might be a little too taxing for these servers to handle. However, I think you are downplaying just how easy it is to intercept someone else's traffic. Say you are connected to an open network such as Starbucks wifi. Someone else at the local Starbucks can see all of your unencrypted traffic. This becomes an even bigger concern if, like most people, you are using the same password as you do with other online services. This could open you up to far bigger threats than just your MAL info. That is a situation where HTTPS would be beneficial, and it's a pretty common one I think. That said, I'm not so out of it so as to think anything is going to change. From what I've read this site seems to get little maintenance as it is. And yeah, as you mentioned, the servers might not be able to take it. So... Moral of the story? If you're at Starbucks, stay away from MAL if you see a suspicious looking guy with a big beard and a laptop sitting across from you. Also, keep your own damned wifi secure. I hope that's a given. |
| We can dance if we want to. Web Development and Programming: The sexiest place on earth |
| I have to see just how better these new servers are after the move for my point of view to change. |
Excarius said: and nor does it cost much, somewhat a hundred dollar a year or so MAL would go broke Excarius said: P.S: If my acc is hacked, and list is fully removed, then im too lazy to re-add all the anime i got (and im super lazy to create a backup, even if i know that it's just 3 mouse clicks away) You wasted more energy by typing this |
|
Excarius said: Why would mal go broke? I can afford 20$, and so does sure hundrefd of ppl that want. http://myanimelist.net/modules.php?go=faq#donate |
|
| It's the site about Japanese cartoons, nobody needs your account. |
| as long as that Heartbleed bug or any other bug of SSL is gone then sure why not |
| This is no banking site |
 |
| SSL should be forced for ALL pages, not just login. That way your session hash in the cookie will be encrypted too. Self-sign it for all I care, just use it. I wonder how many more years it will be... |
  |
| Isnt TLS better than SSL ? |
| It's not a banking site, you know. |
More topics from this board
» Are there any plans to revamp mal on mobile?Akuya - 3 hours ago |
1 |
by deg
»»
3 hours ago |
|
» An option to hide Explicit Genres from anime/manga listanimegamer245 - May 8 |
3 |
by traed
»»
Yesterday, 12:22 AM |
|
» Add an option to view (and display) ratings with a 5 star scale (allowing half stars)Bergioyn - May 6 |
3 |
by Bergioyn
»»
May 7, 2:10 PM |
|
» New category for manga listsAristotle417 - May 7 |
0 |
by Aristotle417
»»
May 7, 11:05 AM |
|
» forum rules and blogsleyaf - May 5 |
3 |
by S_h_a_r_k_93
»»
May 7, 1:03 AM |