Posted November 24, 2015
![DampSquib](https://images.gog.com/39fb5a0e7d85a69ca9b43db69a3cc474c7c4f8517bd2b94daf36912a7f52f01c_forum_avatar.jpg)
DampSquib
Soup Dragon.
Registered: Nov 2010
From United Kingdom
![Bad Hair Day](https://images.gog.com/47a0656e68c7d568533e881a490fc402738e2b1aa10fbaa3253ae41f33ca5c45_forum_avatar.jpg)
Bad Hair Day
Find me in STEAM OT
Registered: Dec 2012
From Other
![HypersomniacLive](https://images.gog.com/fc4a1abc37a5fe68e4e7fe666d87976d9900b9f928128c087fa9bbdf2e3e4bc4_forum_avatar.jpg)
HypersomniacLive
The Reluctant Voter
Registered: Sep 2011
From Vatican City
![DampSquib](https://images.gog.com/39fb5a0e7d85a69ca9b43db69a3cc474c7c4f8517bd2b94daf36912a7f52f01c_forum_avatar.jpg)
DampSquib
Soup Dragon.
Registered: Nov 2010
From United Kingdom
Posted November 24, 2015
I still have sign-up & log-in, meh, the account button still doesn't function as it should.
Firefox 42.0
Post edited November 24, 2015 by DampSquib
![Matruchus](https://images.gog.com/c0e6bcc95bbd9e54ca2accd830a99cfbfb9b7d1480003e29f81d66c9218830f8_forum_avatar.jpg)
Matruchus
Don't ignore Tux
Registered: Jun 2011
From Slovenia
Posted November 24, 2015
The account button now functions as it should but the account notifications for chat and other things don't work anymore and in my case the notifications don't show when I click on any tab be it community or gog.com frontpage.
Post edited November 24, 2015 by Matruchus
![HypersomniacLive](https://images.gog.com/fc4a1abc37a5fe68e4e7fe666d87976d9900b9f928128c087fa9bbdf2e3e4bc4_forum_avatar.jpg)
HypersomniacLive
The Reluctant Voter
Registered: Sep 2011
From Vatican City
Posted November 24, 2015
Firefox 42.0
As I said yesterday, I'm back to this behaviour.
Additionally, when I try to log off from a forum page, I'm redirected to the front page but I'm not logged off. I have to log off once more from the front page.
If I go from a forum page to the front one and try to log off directly from there, it works as it should.
Post edited November 24, 2015 by HypersomniacLive
![v3](https://images.gog.com/a73b51aa9a6c40077ef2b8b9d40bc0ff4fc5042d6412fdd4db6ecf40c3891fd1_forum_avatar.jpg)
v3
Registered: Oct 2014
From Serbia
Posted November 27, 2015
Any info on the progress?
Account button is still exchanged with Sign Up/Log In and in addition, when initiating the chat from tooltip it asks me to log in again, but when I do it just asks again, so I end up entering the address manually.
I've read other members had some of these problems occurring before briefly, but I haven't encountered any of them until the day I reported it with this thread, and I don't recall any immediate browser updates so something must have changed in the forum software.
![Johny.GOG](https://images.gog.com/99c8c43498e075fae7b4eb220ad40d785a41b4f9284ddc8c1607ed670dd28325_forum_avatar.jpg)
Johny.GOG
☕️
GOG.com Team
Registered: Dec 2014
From Poland
Posted November 27, 2015
I've tracked down what's happening - direct cause of not being logged in - but we don't know cause of the cause yet. ;) So - we'll fix it, but I can't say when exactly.
![skeletonbow](https://images.gog.com/3a6ffc77c3410e96ecd2e5775b3fed422e1acdd05bbf19cd366e44ae40b03b34_forum_avatar.jpg)
skeletonbow
Galaxy 3 when?
Registered: Dec 2009
From Canada
Posted November 27, 2015
This is speculative, but I believe the issues with the website either sporadically logging people out or not seeming to know whether they're logged in or not - such as saying you're logged out but then showing you games on the homepage that you have wishlisted - are due to a multitude of inconsistencies providing some parts of the website over http and some over https. While https was added not long ago presumably on everything, they never changed the site to redirect all http queries to https, and many links in the website code still point to http:// even when the page you're viewing is https://.
This kind of mixed-mode operation is notorious for causing obscure wonky website behaviour where modern browsers won't trust cookies over http on an https site or other behaviours, all of which can be further complicated by whether people are using security addons such as NoScript or others.
I think some things GOG could do to make their entire website-property-emporium extremely simpler and more robust are:
- to completely ditch raw http access to the entire *.gog.com domain, and have the webserver automatically redirect all queries to http to https.
- to ensure all cookies are transferred over https at all times
- to review all html/css/js/php/whatever for all references to http or https on *.gog.com and replace them with the protocol neutral variant of simply: "//forum/general/whatever" so that the web browser substitutes the proper protocol depending on how it's accessing the website.
And once they've fleshed all of that out and stabilized it to the point they fully trust their https deployment they should further go ahead and:
- Enable HSTS in their webserver configs in order to enforce HTTPS across the entire domain.
- Update the webserver SSL/TLS configuration to best current practices for security and backward compatibility as documented by Mozilla and other industry players' recommendations: https://wiki.mozilla.org/Security/Server_Side_TLS
- Thoroughly test their TLS deployment with tools like Qualys SSL Pulse:
GOG's current SSL/TLS security rating from SSL Pulse is a mix of grade A on the main servers and B on Akamai CDN:
https://www.ssllabs.com/ssltest/analyze.html?d=gog.com&hideResults=on&latest
https://www.ssllabs.com/ssltest/analyze.html?d=www.gog.com&s=193.59.178.42&hideResults=on
https://www.ssllabs.com/ssltest/analyze.html?d=www.gog.com&s=23.192.247.45&hideResults=on
The latter of which has missing intermediate certificates in the certificate chain, poor signature algorithm (SHA1, which will soon be ostracized by all web browsers), insecure RSA cipher support and broken forward secrecy support. Inconsistent with the rest of the GOG servers and probably should be brought up to current standards and that bad certificate replaced and the CA's intermediates put on the webserver.
If it isn't already, SSL Pulse testing should be integrated into GOG's webserver QA procedures to ensure correct operation and best practices going forward.
Post edited November 27, 2015 by skeletonbow
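The checks listed in the post above (redirect of plain http, cookies sent only over https, hard-coded `http://` links, HSTS) can be automated in a QA step. The following is an added example, not part of the thread and not GOG's code; the `shop.example` domain, the `audit` function, the finding labels and the sample responses are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample responses for a hypothetical site (not captured traffic).
SAMPLE = [
    {"url": "http://shop.example/forum", "status": 200,
     "headers": [("Set-Cookie", "session=abc123; Path=/; HttpOnly")],
     "body": '<a href="http://shop.example/account">Account</a>'},
    {"url": "https://shop.example/forum", "status": 200,
     "headers": [("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure"),
                 ("Strict-Transport-Security", "max-age=31536000")],
     "body": '<script src="http://shop.example/js/menu.js"></script>'
             '<a href="//shop.example/forum/general">Forum</a>'},
    {"url": "http://shop.example/", "status": 301,
     "headers": [("Location", "https://shop.example/")], "body": ""},
]

# href/src attributes that hard-code plain http; "//host/..." links do not match.
HTTP_REF = re.compile(r'(?:href|src)=["\']http://([^/"\']+)', re.I)

def audit(resp, site_domain):
    """Return the HTTPS-migration findings for one response dict."""
    findings = []
    headers = [(k.lower(), v) for k, v in resp["headers"]]
    if urlsplit(resp["url"]).scheme == "http":
        # Plain-http requests should only ever answer with a redirect to https.
        location = next((v for k, v in headers if k == "location"), "")
        redirected = resp["status"] in (301, 302, 307, 308)
        if not (redirected and location.lower().startswith("https://")):
            findings.append("http-not-redirected")
    elif not any(k == "strict-transport-security" for k, _ in headers):
        # Browsers honour HSTS only when it arrives over https.
        findings.append("hsts-missing")
    for k, v in headers:
        if k == "set-cookie":
            attrs = [a.strip().lower() for a in v.split(";")[1:]]
            if "secure" not in attrs:  # cookie would also travel over http
                findings.append("cookie-without-secure:" + v.split("=", 1)[0])
    for host in HTTP_REF.findall(resp["body"]):
        host = host.lower()
        if host == site_domain or host.endswith("." + site_domain):
            findings.append("hardcoded-http-link:" + host)
    return findings

if __name__ == "__main__":
    for r in SAMPLE:
        print(r["url"], audit(r, "shop.example"))
```

A session cookie set without `Secure` on a page that is also reachable over http is the mixed-mode state the post describes: the same cookie can be present on one scheme and absent or untrusted on the other.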
![toxicTom](https://images.gog.com/0db75938256077a53af07d0c40d8b680e1d499367dcc52877ce22fcbd3986beb_forum_avatar.jpg)
toxicTom
Big Daddy
Registered: Feb 2009
From Germany
![LEMON CURRY?](https://images.gog.com/7c30e25fd29c20877f9cfe48678e249a853d2b754bfcdb0c932934e20de5b292_forum_avatar.jpg)
LEMON CURRY?
Møøse operator
Registered: Jun 2013
From Denmark
![skeletonbow](https://images.gog.com/3a6ffc77c3410e96ecd2e5775b3fed422e1acdd05bbf19cd366e44ae40b03b34_forum_avatar.jpg)
skeletonbow
Galaxy 3 when?
Registered: Dec 2009
From Canada
Posted December 03, 2015
One thing is certain though, any new websites being deployed in 2015 should be HTTPS-only and using current recommended standards, and existing sites should be migrating to HTTPS-only or already doing it as we move towards an always-encrypted Internet. Only putting one foot in the water is broken though.
![LEMON CURRY?](https://images.gog.com/7c30e25fd29c20877f9cfe48678e249a853d2b754bfcdb0c932934e20de5b292_forum_avatar.jpg)
LEMON CURRY?
Møøse operator
Registered: Jun 2013
From Denmark
![Johny.GOG](https://images.gog.com/99c8c43498e075fae7b4eb220ad40d785a41b4f9284ddc8c1607ed670dd28325_forum_avatar.jpg)
Johny.GOG
☕️
GOG.com Team
Registered: Dec 2014
From Poland
Posted December 09, 2015
Issue with account menu missing on forum pages is fixed. For more info see this post:
http://www.gog.com/forum/general/the_what_did_just_break_thread/post1099
Post edited December 09, 2015 by Johny.
![v3](https://images.gog.com/a73b51aa9a6c40077ef2b8b9d40bc0ff4fc5042d6412fdd4db6ecf40c3891fd1_forum_avatar.jpg)
v3
Registered: Oct 2014
From Serbia
Posted December 09, 2015
http://www.gog.com/forum/general/the_what_did_just_break_thread/post1099
Since you're a blue, a species unto itself, hope you don't mind me marking skeletonbow's adept suggestions as a solution, regardless of whether they were instrumental in addressing this particular problem on your end.
Post edited December 09, 2015 by v3