Okay I've thought it was a bit of a temporary problem, but it seems to persist and I'm starting to wonder.

Whenever in a browser I enter gog.com or www.gog.com, it invariably tries to open https://www.gog.com, which promptly fails to open with a "connection reset" message.

Removing the s in https lets me access the site. No trouble. But it's getting rather troublesome what with Firefox apparently knowing better and going https even if I type in http://www.gog.com, it'll redirect me to https which fails and then allow me to correct it. I experience the same behaviour with 3 different computers.

On Internet Explorer and Opera it won't correct me to https, but will fail if I type it myself.
And on Firefox https works just fine for https://secure.gog.com. Can anyone give me a clue as to what's going on here, and whether there's an easy solution to this?
DrakeFox: Can anyone give me a clue as to what's going on here, and whether there's an easy solution to this?
Short answer: FF sucks.
Long answer: By default, FF tries to connect to the secure part of a site, if you have visited the secure part before. GOG.com recently (a month? month and half?) changed the https://www.gog.com to https://secure.gog.com and removed the old part of it. Since your history still has entries for https://www.gog.com FF will try to connect there. Either clear your history of all https://www.gog.com entries, or use another browser.
And even if you do use https://secure.gog.com, all links point to http://www.gog.com. I've tried writing a rule for the HTTPS Everywhere extension for Firefox to redirect to secure. whenever www. is used, but either my rule writing isn't up to snuff, or it simply doesn't work.

Edit: Apparently, it was just my rule writing that sucked. I did eventually manage to make a rule to always browse GOG using HTTPS.
Post edited September 11, 2012 by Miaghstir
To be fair to Firefox, this is a GOG security issue. By letting the authentication cookies be transmitted over http they are allowing a sidejacking attack. There's virtually no chance anyone could be bothered to do it, however FF are only enforcing best practices.
wpegg: To be fair to Firefox, this is a GOG security issue. By letting the authentication cookies be transmitted over http they are allowing a sidejacking attack. There's virtually no chance anyone could be bothered to do it, however FF are only enforcing best practices.
Uh oh! (memories of the front page hack not long ago)

What's a "sidejacking" attack?
wpegg: To be fair to Firefox, this is a GOG security issue. By letting the authentication cookies be transmitted over http they are allowing a sidejacking attack. There's virtually no chance anyone could be bothered to do it, however FF are only enforcing best practices.
gameon: Uh oh! (memories of the front page hack not long ago)

What's a "sidejacking" attack?
It's much less severe than the XSS vuln that occurred before. Basically, once you've logged in, you get a "token". This is a load of letters that identify your current logged in state. It's a bit like if you start a tab at the bar, and get given a key to identify yourself.

A sidejacking attack is where someone who is listening to your connection (i.e. man in the middle actually going after you) then takes this key, and starts pretending to be you. If you stay in https then they can never get this key, if you downgrade to http then they potentially can.

I would like to re-iterate - This is something that it is extremely unlikely anyone would ever do. To do so they would have to physically compromise your internet connection, and then intercept your GOG session (the key), then manufacture requests to abuse it.

Pirating the games would be easier.

I was just saying that FF maybe isn't wrong for stopping this, so much as overly cautious
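The point wpegg makes above (a session token that the browser will happily send over plain http unless the cookie is marked Secure) can be reproduced with the standard library's cookie jar, whose default policy follows the same domain and Secure-flag rules a browser applies. This is an added example, not code from the original post or from GOG; the cookie name "sess", its value, the URLs and the Set-Cookie headers are constructed for the demo, and the jar only models the network side (HttpOnly matters to scripts in the page, which it does not model).

```python
import email.message
import http.cookiejar
import urllib.request


class _StoredResponse:
    """Stand-in for an HTTP response: CookieJar.extract_cookies only calls .info()."""

    def __init__(self, set_cookie_value):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie_value

    def info(self):
        return self._headers


def cookie_header_for(set_cookie_value, login_url, later_url):
    """Accept the Set-Cookie sent by login_url, then return the Cookie header
    a browser-like jar would attach to a request for later_url, or None if
    the jar withholds the cookie (wrong domain, or Secure cookie on plain http)."""
    jar = http.cookiejar.CookieJar()            # default policy mimics browser rules
    login = urllib.request.Request(login_url)
    jar.extract_cookies(_StoredResponse(set_cookie_value), login)
    later = urllib.request.Request(later_url)
    jar.add_cookie_header(later)
    return later.get_header("Cookie")


def missing_session_cookie_flags(set_cookie_value):
    """Attributes a login/session cookie should carry but this header lacks."""
    present = {a.strip().split("=", 1)[0].lower()
               for a in set_cookie_value.split(";")[1:]}
    return [f for f in ("Secure", "HttpOnly", "SameSite") if f.lower() not in present]


# Constructed headers and URLs for the demo; "sess" and its value are
# placeholders, not GOG's real cookie name or format.
LOGIN_URL = "https://secure.gog.com/login"
HTTP_PAGE = "http://www.gog.com/"
HTTPS_PAGE = "https://www.gog.com/"
WEAK = "sess=abc123; Domain=.gog.com; Path=/"
HARDENED = "sess=abc123; Domain=.gog.com; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    # Weak cookie: the jar sends it along with the plain-http page the site
    # links back to, so anyone on the path can read the session token.
    print("weak over http     :", cookie_header_for(WEAK, LOGIN_URL, HTTP_PAGE))
    # Secure cookie: withheld over http, still sent over https, so the
    # "all links point to http://www.gog.com" problem cannot leak it.
    print("hardened over http :", cookie_header_for(HARDENED, LOGIN_URL, HTTP_PAGE))
    print("hardened over https:", cookie_header_for(HARDENED, LOGIN_URL, HTTPS_PAGE))
    print("missing flags      :", missing_session_cookie_flags(WEAK))
```

The Secure attribute is the fix on the server side: the site can keep linking to http://www.gog.com and the browser will simply not attach the session cookie to those requests, so an eavesdropper sees at most an anonymous page load.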
DrakeFox: Can anyone give me a clue as to what's going on here, and whether there's an easy solution to this?
JMich: Short answer: FF sucks.
Long answer: By default, FF tries to connect to the secure part of a site, if you have visited the secure part before. GOG.com recently (a month? month and half?) changed the https://www.gog.com to https://secure.gog.com and removed the old part of it. Since your history still has entries for https://www.gog.com FF will try to connect there. Either clear your history of all https://www.gog.com entries, or use another browser.
I disagree with that strongly. This is a case of Fx being responsible and GOG being poorly coded. You just have to visit https://secure.gog.com first in order to connect. Afterwards they reconnect you back to www.gog.com.

What you're forgetting about is that there's a reason why browsers do that, it's as wpegg suggested to make sure that nobody is screwing with your cookies or setting up MITM scenarios with the insecure line.

What's more there's a reason why HSTS support was added to Fx, it's because sites insist upon offering up both versions and the inability of a first time visitor to know if they're getting a secure connection.

Also, remember this is the same site where they weren't bothering to sanitize the forum titles, I take it you don't remember that fun period where we had to turn off JS in order to not get redirected to other fun places.
wpegg: To be fair to Firefox, this is a GOG security issue. By letting the authentication cookies be transmitted over http they are allowing a sidejacking attack. There's virtually no chance anyone could be bothered to do it, however FF are only enforcing best practices.
Hmm, I'll have to take a look at that, it looks interesting.
Post edited September 11, 2012 by hedwards
wpegg: I was just saying that FF maybe isn't wrong for stopping this, so much as overly cautious
Ok, thanks for the explanation. I get a bit paranoid with internet security issues. I was lucky to not have used the Sony online store when PSN was hacked. Even the FBI was hacked! And with the types of people that are capable of doing complex hacking (surprisingly it seems to be a lot of teenagers) I worry about internet security.
hedwards: Also, remember this is the same site where they weren't bothering to sanitize the forum titles, I take it you don't remember that fun period where we had to turn off JS in order to not get redirected to other fun places.
I don't remember that, yet it seems I've been a member about as long as you have (though I only started being a regular a few months later).
hedwards: Also, remember this is the same site where they weren't bothering to sanitize the forum titles, I take it you don't remember that fun period where we had to turn off JS in order to not get redirected to other fun places.
Miaghstir: I don't remember that, yet it seems I've been a member about as long as you have (though I only started being a regular a few months later).
Actually, this was only a few months ago. I'm surprised you didn't notice. Although, I guess if you weren't online those couple of days you might have missed it.

Basically the software wasn't sanitizing the titles so you could embed URI or even entire scripts. Which allowed people to redirect people elsewhere just by loading the general forum.

It was nasty and incredibly embarrassing as one of the key things when writing code to parse things is that you always sanitize your inputs.
hedwards: It was nasty and incredibly embarrassing as one of the key things when writing code to parse things is that you always sanitize your inputs.
In that case - outputs :)
hedwards: It was nasty and incredibly embarrassing as one of the key things when writing code to parse things is that you always sanitize your inputs.
wpegg: In that case - outputs :)
Same thing. You never take untrusted inputs and make use of them without sanitizing and verifying them. Passing them on is even worse. In this case, just disallowing < > and " would probably have prevented that particular attack. Or even just translating them to the appropriate entity would have foiled the attack. It certainly would have prevented that person from breaking the forum even if it were still possible to exploit an attack.
wpegg: In that case - outputs :)
hedwards: Same thing. You never take untrusted inputs and make use of them without sanitizing and verifying them. Passing them on is even worse. In this case, just disallowing < > and " would probably have prevented that particular attack. Or even just translating them to the appropriate entity would have foiled the attack. It certainly would have prevented that person from breaking the forum even if it were still possible to exploit an attack.
Yeah, the GOG website is definitely not hardened. People keep asking for GOG gift cards in the wishlist and I just laugh. There's no way GOG is ready for the kind of hackers that would crop up if they started storing account balances, etc.

Part of the reason people come here is that we don't have to worry about stored account #s or balances being lost, I don't see GOG wanting to lose that marketing point.
hedwards: Same thing.
No - not the same thing. Your inputs may come from a variety of sources, they may be forum posts, syndicated content, something you're reading off a file someone put on the root. Output sanitisation is as important as input. Double encoding is a nice example of it. Someone fools the input sanitisation by url encoding something twice. So it goes through the filter the first time, is translated and saved, then comes out as a malicious link.

You're not wrong that inputs must be sanitised, only wrong in suggesting outputs don't need to be. Having said that, I'm sure I've made similar mistakes and would be hoisted up by my own leotard if I ever attempt to defend such practice.
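The exchange above (hedwards: strip `< > "` on input; wpegg: input filtering is bypassed by double encoding, so output must be encoded too) can be shown end to end in a few lines. This is an added example, not code from either poster or from the forum software, and the thread does not say what the real forum did internally: the two decode steps (the framework URL-decoding the form field once on submission, and a second decode on the read path) are assumed for the demo, and the payloads are constructed, not the ones used against the forum.

```python
import html
from urllib.parse import unquote


def naive_input_filter(title):
    """'Sanitise on input' as described above: drop < > and " and hope
    nothing can ever turn back into markup later."""
    return title.translate(str.maketrans("", "", '<>"'))


def store_title(submitted_field):
    """Request handling (assumed for this demo): the framework URL-decodes the
    form field once, then the input filter runs on the decoded text."""
    return naive_input_filter(unquote(submitted_field))


def load_title(stored):
    """Read path (assumed): a later component decodes the stored value again,
    e.g. a helper that builds "pretty" thread URLs. This second decode is the
    gap that double encoding targets."""
    return unquote(stored)


def render_unsafe(title):
    """Render step that trusts whatever came out of storage."""
    return f'<li><a href="/thread/1">{title}</a></li>'


def render_encoded(title):
    """Same render step with output encoding for the HTML text context."""
    return f'<li><a href="/thread/1">{html.escape(title, quote=True)}</a></li>'


def became_script(rendered_html):
    """Did untrusted text end up as a live <script> element?"""
    return "<script>" in rendered_html


# Constructed payloads. DIRECT is what the input filter was written against;
# DOUBLE is the same thing URL-encoded twice ('%25' is an encoded '%').
DIRECT = "<script>alert(1)</script>"
DOUBLE = "%253Cscript%253Ealert(1)%253C/script%253E"

if __name__ == "__main__":
    for payload in (DIRECT, DOUBLE):
        title = load_title(store_title(payload))
        print(repr(title))
        print("  unsafe render :", became_script(render_unsafe(title)))
        print("  encoded render:", became_script(render_encoded(title)))
```

The filter catches the plain payload and stores `scriptalert(1)/script`, which looks like proof that it works; the double-encoded payload contains no `<` or `>` when the filter sees it, is stored as `%3Cscript%3E...`, and only becomes `<script>` after the second decode. Encoding at output time neutralises both, because it does not care how the text reached the template.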
GOG changed from using www.gog.com for HTTPS to using secure.gog.com, and Firefox is keeping you from visiting HTTP pages if a corresponding HTTPS address exists in your history or bookmarks. As you can see by reading this thread there are good reasons for Firefox doing this.

But how do you actually fix the problem that you're experiencing?

- Open up your history sidebar (Ctrl+H)
- In the "Search" bar on the history sidebar, type https://www.gog.com
- Press the Tab key twice then Ctrl+A to select every matching item in your history
- Press the Delete key. That should remove all of those old https://www.gog.com links from your history

After doing that Firefox should have no reason to redirect you anymore. Try it out and see if it works for you.
Post edited September 11, 2012 by Barefoot_Monkey