Author Topic: Secure communication without HTTPS?

Nox
Secure communication without HTTPS?
« on: October 12, 2009, 11:41:23 AM »
Hi,
I don't see how it could be done, and what I found so far leads to the same conclusion, but still better to ask than be sorry - do you know a way how (at least theoretically) one can encrypt the communication between player and server without using HTTPS?

Well, the thing is... I could use HTTPS, but it costs 80 EUR for the certificate just to get rid of the message, and without it I'm worried it can scare off or annoy users that would visit my page.

Other solutions might be not to have the login on the main screen, which I don't really like, and then just include info that they should use HTTPS and that the message is nothing to worry about... but then... just a part of them would use it.

It's funny - I sometimes see an "HTTPS" checkbox below the login, but since the page is already HTTP, the login data are sent in plain form... not really helpful. Unless I misunderstand it...

Thank you for any hints... or just assurance that it's really not possible to do it.
Meet us at an IRC irc.freenode.net #bbg as well
https://vimeo.com/36579366 (a must-watch) | Join BOINC - no longer a hype, but you can help never the less

JGadrow
Re: Secure communication without HTTPS?
« Reply #1 on: October 12, 2009, 01:07:29 PM »
The checkbox could be tied to a JavaScript that reloads an HTTPS version of the page too, if it is clicked. ;)

And, personally, I can't think of any way to actually encrypt the communication between two entities, because you'd have to be able to control the behavior of the browser, as it has the job of decrypting the data. I'm sure you could come up with a way of sending it meaningless garbage, but without the browser knowing what to do with it I'm afraid you'll end up with nothing usable.
Idiocy - Never underestimate the power of stupid people in large groups.


Nox
Re: Secure communication without HTTPS?
« Reply #2 on: October 12, 2009, 01:17:02 PM »
Well... it's not :)

Thank you, okay, too bad... it could be cheaper :/ What can one do...

e-fish
Re: Secure communication without HTTPS?
« Reply #3 on: October 12, 2009, 03:47:25 PM »
80 EUR <-?
GoDaddy offer it for £8.19, which is under €9. This is for one domain (and one subdomain), I think. I imagine there are others in this price range.

I am confused by your comment about plain text. Do you mean that if you fill out a form on a page accessed via HTTP which posts to a page via HTTPS, then the posted data is sent in plain text over the internet? This is incorrect. The SSL connection is set up before any data is sent/received. What I do is have a login form (accessed via HTTP) which posts to a page such as https://example.com/login. This page then forwards (using 302, though I think 303 is designed for this use) to http://example.com/private if the user/pass is correct. I believe this is a standard method.

If you have any more questions about the HTTP protocol feel free to msg me, as I have coded (well, it needs a little work but functions well) my own webserver for my game.

Edit: JavaScript is not the way to go here; I'm sure there must be countless threads over the internet with this question. Though feel free to try to implement SSL-like features in JavaScript...
« Last Edit: October 12, 2009, 03:58:56 PM by e-fish »
nosql or nodb?
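The flow e-fish describes (HTTP form, POST to https://example.com/login, redirect to http://example.com/private) protects the password in transit, but the session cookie issued by the HTTPS page is then presented to the plain-HTTP private page. The following added example, not code from anyone in this thread, models a hypothetical login handler and the browser's RFC 6265 rule for the Secure attribute, to show when the session id leaves the TLS tunnel on that redirect; all names and the session value are constructed.

```python
"""Model of the HTTP-form -> HTTPS-login -> HTTP-redirect flow from the thread.
Constructed example: the handler, URLs and session id are hypothetical."""
from http.cookies import SimpleCookie
from urllib.parse import urlparse


def login_response(user_ok: bool, secure_cookie: bool) -> dict:
    """Headers a hypothetical https://example.com/login handler would emit.
    The credentials arrived inside TLS; the question is what goes back out."""
    if not user_ok:
        return {"status": 401, "headers": {}}
    # Constructed session id; a real server would issue a random token.
    attrs = "SESSID=constructed-session-id; Path=/; HttpOnly"
    if secure_cookie:
        attrs += "; Secure"  # the one attribute that keeps it off plain HTTP
    return {
        "status": 303,  # "See Other": the redirect e-fish says fits this use
        "headers": {
            "Location": "http://example.com/private",
            "Set-Cookie": attrs,
        },
    }


def cookie_sent_to(set_cookie: str, url: str) -> bool:
    """Browser rule from RFC 6265 section 5.4: a cookie carrying the Secure
    attribute is attached only to requests over a secure scheme."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = jar["SESSID"]
    if morsel["secure"] and urlparse(url).scheme != "https":
        return False
    return True


def session_exposed_over_http(secure_cookie: bool) -> bool:
    """Follow the 303 to its Location and report whether the session id is
    transmitted in the clear. With Secure unset, the password was protected
    but the session that represents it travels over HTTP on the next hop."""
    resp = login_response(True, secure_cookie)
    hdrs = resp["headers"]
    return cookie_sent_to(hdrs["Set-Cookie"], hdrs["Location"])


if __name__ == "__main__":
    print("leaks without Secure:", session_exposed_over_http(False))
    print("leaks with Secure:   ", session_exposed_over_http(True))
```

With the Secure attribute the cookie is withheld from http://example.com/private, which means the private pages themselves must be served over HTTPS for the session to work at all; that is the trade-off behind Nox's later remark about encrypting the session id.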

dbest
Re: Secure communication without HTTPS?
« Reply #4 on: October 12, 2009, 11:13:37 PM »
How about using an applet/ActiveX control to perform encryption between the client and the server? Store a pair of keys, one on the server and one in the applet/ActiveX control. The keys can encrypt/decrypt the data.

The other feature of SSL/HTTPS is to provide identification functionality. It helps identify the server to the client's browser. I do not think this is something you are too concerned about right now.

Nox
Re: Secure communication without HTTPS?
« Reply #5 on: October 13, 2009, 06:00:43 AM »
Thank you, e-fish!

1) Certificate
Maybe I'm mistaken about certificate types, but the cheapest I see there is for $30 (21 EUR)... but I'm not sure this one will be recognized by browsers.
On my hosting's website there's an entry in the price list for a certificate (stating that it should be recognized by the majority of browsers) for 2000 CZK (cca 80 EUR),
so based on that I guess that the cheapest wouldn't be, and would therefore be useless, as I would purchase it primarily because of BFUs.
If that's true, then in GoDaddy's list it would be necessary to choose Deluxe or Premium...

2) HTTPS
Thank you for correcting me! Really, I don't consider myself all-knowing (rather the opposite is true) so... that would also explain my (now obviously inappropriate) note about the checkbox. I thought both pages had to be in HTTPS.

If done this way I can include a message to notify the user about the message and what to do with it... that seems to me like the best of the "non-system" solutions I can think of.

Also it's good because... doesn't using HTTPS hinder caching in some way/degree? So when it's used only for login it would be fine... I just tried it and moving through the site actually feels slower than with HTTP.

On the other hand it would be good for encrypting the session id, I guess... hmmm

3) I'm aware that JS can't be used, as it simply may not be available / may be disabled / may be viewed by unauthorized people.

dbest
Isn't ActiveX available only in IE? I don't have any experience in this area.

dbest
Re: Secure communication without HTTPS?
« Reply #6 on: October 13, 2009, 06:24:06 AM »
> dbest
> Isn't ActiveX available only in IE? I don't have any experience in this area.

Yes, it is officially supported mainly in IE, but Google Chrome supports some ActiveX components and there is a plugin for Firefox. However, all ActiveX components will work on Windows machines only.

Java applets on the other hand are cross-platform.....

e-fish
Re: Secure communication without HTTPS?
« Reply #7 on: October 13, 2009, 07:52:51 AM »
I found that price through an ad on Google, but I haven't used them. They claim their SSL certificates are recognised by 99% of browsers (though I think everyone claims this). I only suggested GoDaddy because more people are buying new certificates from them than from anyone else.

A page accessed by HTTPS can be cached on a local machine (depending on user settings and HTTP headers); however, using my suggested method, caching is not desirable.

From a PBBG's point of view I imagine people would be more put off by seeing "don't worry about us not having a certificate, just click OK to continue". This looks very unprofessional. Not warning someone about not having a certificate is probably only a slightly worse deterrent. Also, if logging into a game required Java or ActiveX (remember a user has to allow the Java applet or install the ActiveX; also, usually you can log in on the home page, thus causing this warning even before users try to log in) a user may become suspicious. They would wonder why this is needed, especially when this is not the normal way of doing things AND when the site does not appear to make use of or require either technology.

In a way it is all about image. If this website is cutting corners here, where else is it cutting corners? Do I trust them with what they could do with Java or ActiveX? I would not allow the page to use the Java applet nor install ActiveX - what happens now? Standard HTTP? It would be better to just use HTTP? Yes, if you aren't willing to buy a certificate. As long as no real-world money is involved, do you need encryption? Or do you want it or feel you should have it? Then buy a certificate and use HTTPS. Donations/payments are probably dealt with via PayPal or googlepay or some other website? Which has extended validation (expensive) and already has the trust of the user.

You have also got to remember that you would have to code this "encryption technology" and it would not seamlessly work with your current setup, whereas using HTTPS would be relatively much easier.

Further, you could initially use no encryption until you have earned some money from your website, or get a free trial (Comodo offer free 90-day SSL certs) and purchase a cert after a while.

(edited to make a point a little clearer)
« Last Edit: October 13, 2009, 07:57:08 AM by e-fish »

dbest
Re: Secure communication without HTTPS?
« Reply #8 on: October 13, 2009, 08:10:20 AM »
> You have also got to remember that you would have to code this "encryption technology" and it would not seamlessly work with your current setup, whereas using HTTPS would be relatively much easier.
>
> Further, you could initially use no encryption until you have earned some money from your website, or get a free trial (Comodo offer free 90-day SSL certs) and purchase a cert after a while.
>
> (edited to make a point a little clearer)

I think this has been very well edited. :)

Using your own encryption technology will cause you nightmares in the long run, so I think the last suggestion made by e-fish seems pretty good.

The only 2 PBBGs that I play make no use of SSL, and they have at least 2K members each.
