nightcraw1er.488: If that is the case, and these things do tend to slowly creep into Europe as well, I would drop most of that banking functionality. Rarely do I use it anyways, I prefer cash.
I thought you just rang the NSA and they logged you in? :o)
OldFatGuy: Oh, sorry, my bad, I didn't even notice you were from Europe. I should've stipulated banking sites in the USA. I (obviously) have no clue about banking/financial sites elsewhere. Sorry about that.
Errrm it depends on the bank.

One account I have has a login and password that I can use anywhere without 2FA BUT if I want to make any sort of bank transfers to pay for something then I have to enter in a code from a card that has a whole bunch of these codes hidden under the same scratch off material you'd find on scratch offs :) So even if someone did get access to my account, they wouldn't be able to do anything as any major changes require entering a code from my scratch card.

Another one of my accounts has the two step authentication set up whenever I try to pay with my debit card online.
Post edited March 07, 2016 by JudasIscariot
mrkgnao: I'm not so sure how standard it is. I have never come across any website that requires authentication from a new location.
Microsoft's email seems to be like this. It doesn't normally ask for a two-step verification from me even when clearing browser cookies, but when I tried to access it from Norway... BAM, no can do. I presume this was because it detected I tried to access the email from a new country.

Ok, so it sent the verification code to my secondary email... too bad that also required two-step verification. So there I was, unable to read my emails in the middle of the freezing Norway (not really, it was around +18 C degrees...).

Luckily, I had my work laptop with me, so I could use my work VPN to fool the stupid email system that I have teleported back to Finland. Whee! So I could read my emails again. Suck on that, you stupid two-step verification!
Post edited March 07, 2016 by timppu
OldFatGuy: Oh, sorry, my bad, I didn't even notice you were from Europe. I should've stipulated banking sites in the USA. I (obviously) have no clue about banking/financial sites elsewhere. Sorry about that.
JudasIscariot: Errrm it depends on the bank.

One account I have has a login and password that I can use anywhere without 2FA BUT if I want to make any sort of bank transfers to pay for something then I have to enter in a code from a card that has a whole bunch of these codes hidden under the same scratch off material you'd find on scratch offs :) So even if someone did get access to my account, they wouldn't be able to do anything as any major changes require entering a code from my scratch card.

Another one of my accounts has the two step authentication set up whenever I try to pay with my debit card online.
Yes, but to be fair, just look to the right of your avatar...
OldFatGuy: By the way, why is there complaining about this? It's like complaining about Galaxy... I don't get the point. If this (or Galaxy) isn't what you're looking for or hoping for, then, ahm, you know, don't use it.
Because they could have made it also so that it increases security, without causing great inconvenience to many of us. Like, two-step verification for changing account settings, mainly if someone tries to change your email address or password. Add to that notifying the user if someone accesses or tries to access the site with your account from a new location (at least country), and from my point of view it would be pretty much perfect.

Requiring a verification just because you cleared the cookies in your browser is silly. I guess it adds some more security, but even more it adds inconvenience to many of us.

So to recap: I am not against two-step verification, in fact I definitely want it. But not the current implementation, which went overboard (and Steam, Humble Bundle have gone overboard there too).

Anyway, kudos for GOG at least making it optional. Somehow I feel that if they hadn't, e.g. the gogrepo.py tool that I currently use would have gotten broken. Not sure, I am not even going to test it.

mrkgnao: I'm not so sure how standard it is. I have never come across any website that requires authentication from a new location. I do have several services (gmail, yahoo mail, amazon) that notify me about such things (which is what I would expect), but none that require me to take any active action.
Matruchus: Humble and Steam do that all the time. Same if I shut my pc down and change from Linux to Windows it needs another code input on those websites in order to access my accounts.
I think mrkgnao was referring to sites/services requiring two-step verification if they detect you are logging in from e.g. a new country, not if you clear your cookies.

steampowered.com and humblebundle.com will require two-step verification if you merely clear your cookies. I am unsure if on top of that they also require it if they see a login from a new country.
Post edited March 07, 2016 by timppu
moonshineshadow: People will always find something to complain about :D
+1 ... but only because +1,000,000 isn't yet an option. :)

https://www.youtube.com/watch?v=JoLXLssQkHw
Post edited March 07, 2016 by skeletonbow
mrkgnao: Wells Fargo doesn't.
If you're banking through Wells Fargo, I'd say you have bigger things to gripe about than this new security change. ; )

But seriously, we went from paying those fuckers $13 a month for the privilege of being a customer, to getting $15-20 per month in dividends from the credit union we switched to. Monthly ~+$30 swing simply by moving our money elsewhere.

Back on topic, sorta, the credit union does a security check whenever I log in from a different IP address. Minor hassle, dealt with in 10 seconds.
The idea that everyone has to get behind everything GOG does is absurd to me. The "complaining" in that thread seems more like constructive criticism.
Treasure: I hate to disappoint you but I'm kind of worried whether https everywhere will mean regular http won't be an option anymore - http is needed e.g. when a Chrome user tries to upload his account data via Barefoot Essentials on the gogwiki - on https pages the thing gets stuck on "sending"... So this is a worry on my part and you can count that one for "bitching" if you so wish. Plus I don't care about 2 step security - it seems more like an inconvenience to me...
edit-typo and precision
I believe you're mistaking "HTTPS everywhere" meaning "the entire GOG website properties now use https by default" with the "HTTPS-Everywhere" web browser extension that can force other websites to also use HTTPS if they support it and the authors of the addon have determined it works properly.

GOG's announcement today does not in any way affect Barefoot Essentials' ability to connect to the GOGwiki to update people's publicized game lists and has no effect outside of the GOG.com domain.

Either way though, this is nothing more than misunderstood unsubstantiated fear of a non-problem.
skeletonbow: I believe you're mistaking "HTTPS everywhere" meaning "the entire GOG website properties now use https by default" with the "HTTPS-Everywhere" web browser extension that can force other websites to also use HTTPS if they support it and the authors of the addon have determined it works properly.

GOG's announcement today does not in any way affect Barefoot Essentials' ability to connect to the GOGwiki to update people's publicized game lists and has no effect outside of the GOG.com domain.
I didn't even know there was such a browser extension to be honest. So if I understood you correctly I'll still be able to manually delete the s from the url to get an http page and won't get something like 404 or anything (I really don't know much about this stuff and can't see how http is more insecure than https). Hopefully that's the case indeed...

skeletonbow: Either way though, this is nothing more than misunderstood unsubstantiated fear of a non-problem.
Guess I am indeed the kind of person that has unsubstantiated fears about non-problems. Case in point: I recently tried the demo of Defender's Quest HD (the new version of the game that will be out soon) but didn't play it a lot because I feared it'd overwrite my save or something. My point is I'm not a fearmonger on purpose, that's just my character... So since you cleared that out, I guess I don't have much to complain about anymore then.
And it just occurred to me: Now, I myself stand corrected! :-)
edit-typo
Post edited March 07, 2016 by Treasure
Treasure: I didn't even know there was such a browser extension to be honest. So if I understood you correctly I'll still be able to manually delete the s from the url to get an http page and won't get something like 404 or anything (I really don't know much about this stuff and can't see how http is more insecure than https). Hopefully that's the case indeed...
The browser extension comment was one possibility, the other is that you thought "HTTPS everywhere" meant that somehow GOG could force https on other websites that are beyond their boundaries. That is not something that any website can do (however if a remote site supports https, it is possible to require subresources loaded from them to come over https if you know what you're doing).

The bottom line is that GOGwiki works today just as perfectly good as it did a week ago and nothing GOG has done has any effect on that at all so any fear that GOGwiki is going to break is just that - unwarranted and incorrect fear.

I have not tested the GOG website without https, and it is not easy for me to do so in a pinch because I've been using it exclusively over https for ages now using browser plugins that enforce https browser-side and don't feel like trying to undo all of that to test it. Having said that however it is my assumption that the GOG web properties will now universally work only over https and any connections to http will redirect to https automatically as is the web-wide standard way of converting a website to properly support https. This is something that Google has done about 6 years ago on all their websites, Facebook has done about 5 years ago as well, and most other major popular websites around the web with millions of users have also done. It is not only a good idea, but the standards bodies (the IETF, W3C and others), the browser and OS vendors (Mozilla, Google, Apple, Microsoft, etc.), every security expert that has an opinion worth anything all are unifying on moving the entire web and other Internet services as well to always be encrypted all the time.

When the Internet was originally designed, the security and privacy threats that exist today did not exist then, nor did e-commerce, banking or other things that we regularly do online every day. The security model back then does not match the needs of the current Internet, its applications, and the security threats that exist out there. This tremendous oversight has lasted for a long time and we pay the price every single day with the consequences of it. The experts that make this shit happen are now hard at work trying to fix it and protect the Internet for tomorrow. That involves making everything encrypted always, and that requires all service providers, website owners etc. to gradually migrate to recommended security mechanisms over time, the sooner the better.

In the year 2016, if a website supports https properly and most serious websites do, then there generally are absolutely no good reasons to ever access it over http. There are some problematic corner cases such as corporate proxies and other such corner cases but none of the corner cases apply to me or you or anyone else for the most part. If they did, then all the big name websites that have been https-only for many years now would not work for people at all, but they do.

So whether or not GOG currently works over http still is more or less irrelevant, the question is why would anyone purposefully _want_ to force it to http? That makes no sense really. Any web browser that is technically capable of viewing the website is also capable of loading it over https, unless someone is on a corporate LAN or in a totalitarian government-run country that firewalls off port 443. Even then people can and do use VPNs and proxies etc.

Again, this fear of https is just unsubstantiated fear of a non-problem. Just use it and experience a working website with no problems (modulo any minor bugs that might exist that is, but that's a minor issue if they do).

As for how http is any more insecure than https, http sends all data over the Internet unencrypted on every website it is used on. This permits any computer that is in between point A and B to not only spy on the traffic and harvest data from it, but also to potentially modify the data in transit. For example, if you go to a coffee shop and connect to some website over http, or if you "borrow" your neighbour's wifi, or connect to public wifi somewhere else, etc. you are connecting through a router owned by someone else, and all of your traffic to every http website is coming and going unencrypted. Anyone who has control over that router or any other computer in between point A and B including any malware/botnets/etc. running on such computers can spy on all of your traffic, steal your login cookies, break into your accounts on any sites you log into that do not use encryption, they can intercept and modify web page content being sent to your web browser, inject malicious javascript into your browser that might be able to hijack it and infect your PC with malware, or any other of thousands of harmful activities. This actually happens every day out there and is one of the reasons why there actually are so many malware infections out there.

When sites properly use encrypted transports like https, then their entire connection is completely private end-to-end presuming that the proper secure protocols and ciphers are being used, and that the software that implements this security is kept up to date on both ends. Security problems do still arise from time to time even when using encryption, but that means that on certain rare occasions there are security weaknesses in our communications, whereas using http means that every connection is insecure every single time always to every site that uses it.

The problem is that the Internet and the software is too complex for end users to understand at the lowest technical details, and we perceive "threats" out there based on our perception and understanding of the threats, however unless someone actually carefully studies and keeps up with computer security they probably do not really have a clue how it all works and they are therefore the least qualified to determine how to protect themselves against the actual real world threats that do exist out there.

This is why we need our standards bodies, our browser vendors, our OS vendors, our online stores, our video game distributors, our online communications providers, and all other service providers and software developers to improve security, and use encryption everywhere it makes sense to protect against real world threats, especially when the cost of doing so is very cheap and the cost of not doing so is very expensive and increasingly so as time passes and the bad guys get smarter.

A wise man once said something to the effect "The good guys have to protect against every security flaw, every threat, every vulnerability 100% of the time in order to stay secure. The bad guys, they only need to find one single hole, one chink in the armour, and they only have to do it once." </paraphrase>

So when a company like GOG improves security like they did today, they should ultimately be applauded and sent cases of beer and free pizza for making the Internet a better place and caring about their customers' security and privacy - even if their customers don't understand these things at all. It is GOG's job to do this, it is Mozilla and Google's job to do this, and it is Microsoft and Apple's job to do this among many others.

The reason why? Because the Internet is a big fat steaming pile of shit, that's why. :)


Treasure: Guess I am indeed the kind of person that has unsubstantiated fears about non-problems. Case in point: I recently tried the demo of Defender's Quest HD (the new version of the game that will be out soon) but didn't play it a lot because I feared it'd overwrite my save or something. My point is I'm not a fearmonger on purpose, that's just my character... So since you cleared that out, I guess I don't have much to complain about anymore then.
And it just occurred to me: Now, I myself stand corrected! :-)
edit-typo
Quite often people end up creating more problems for themselves through fear unfortunately.
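
A defender-side check for the two points made in the post above (http connections should redirect to https, and login cookies sent over http can be stolen), added here as an example and not part of the original thread. The hostnames, cookie values and captured responses are constructed, and the Strict-Transport-Security check goes beyond what the post mentions.

```python
# Added example: audit captured HTTP exchanges for the protections discussed
# in the thread. Hostnames, cookie names and values are constructed.
from urllib.parse import urlsplit


def cookie_flags(set_cookie):
    """Return (cookie name, set of lowercase attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit(exchanges):
    """exchanges: list of (request_url, status, [(header, value), ...])."""
    findings = []
    for url, status, headers in exchanges:
        u = urlsplit(url)
        hdrs = [(k.lower(), v) for k, v in headers]
        location = next((v for k, v in hdrs if k == "location"), "")
        if u.scheme == "http":
            # A migrated site answers plain http only with a redirect to https
            # on the same host; anything else leaves content readable in transit.
            target = urlsplit(location)
            upgraded = (status in (301, 302, 307, 308)
                        and target.scheme == "https"
                        and target.hostname == u.hostname)
            if not upgraded:
                findings.append(f"{url}: plain HTTP answered without an HTTPS redirect")
        elif u.scheme == "https":
            # HSTS tells the browser to skip the first unencrypted request next time.
            if not any(k == "strict-transport-security" for k, _ in hdrs):
                findings.append(f"{url}: no Strict-Transport-Security header")
        for k, v in hdrs:
            if k == "set-cookie":
                name, attrs = cookie_flags(v)
                # Without Secure, the browser also sends the cookie over http.
                if "secure" not in attrs:
                    findings.append(f"{url}: cookie {name!r} lacks the Secure attribute")
    return findings


SAMPLE = [  # constructed responses, not captured from any real site
    ("http://shop.example/", 301, [("Location", "https://shop.example/")]),
    ("https://shop.example/", 200, [("Strict-Transport-Security", "max-age=31536000"),
                                    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")]),
    ("http://wiki.example/login", 200, [("Set-Cookie", "sid=xyz789; Path=/")]),
    ("https://wiki.example/", 200, [("Set-Cookie", "prefs=dark; Path=/; Secure")]),
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```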
tfishell: The "complaining" in that thread seems more like constructive criticism.
Very true. And I didn't mean to say that people shouldn't complain. This was just a reference to another thread made about people who just start one-sentence whining threads (a lot of which was for example seen after the introduction of In Development games, something I myself am rather against).

That said, maybe we should have a "Slowly GOG is turning into steam" thread after this change. After all, technically this is something that steam does already have.
moonshineshadow: People will always find something to complain about :D
Your post is too short! And emoticons are out of fashion! And your avatar isn't pretty enough!
timppu: EDIT: Thank god, nightcrawler is thinking similarly as me.
Me, too. I don't want to be forced to keep GOG's cookies.
mrkgnao: Count me in a well.
[shrugs] Seems a weird request, but OK. ...But am I supposed to stand in the well, or were you going to stand in the well while I count you?

moonshineshadow: People will always find something to complain about :D
skeletonbow: +1 ... but only because +1,000,000 isn't yet an option. :)

https://www.youtube.com/watch?v=JoLXLssQkHw
Cool video.
Post edited March 08, 2016 by HunchBluntley
timppu: EDIT: Thank god, nightcrawler is thinking similarly as me.
0Grapher: Me, too. I don't want to be forced to keep GOG's cookies.
Same here. An overexcitable, annoying security feature is a feature which doesn't get used. All or nothing is only preferable if the goal is to tell users whose accounts were hacked "lololol serves you right".