What browser are you using ? I use Firefox on Mint and Firefox & IE on Windows with AddBlock and DNTMe and I never experienced a similar bug.

I'd like to pose a question:

When GOG has a TOS of a 3rd party, which TOS is going to take precedence?

Example-
GOG claims Lucasarts/Disney games are DRM free and that is great. But then you have to go to Disney's website and read a TOS wall and find that you are subject to THEIR TOS and they...uh...well, last I looked, they do not have anything that would give a care about DRM-free games.

SOooooooo....this seems like a loophole to pin DRM onto/into one of those titles and fall back to "well folks, we TOLD you to read the fine print. You had to abide THEIR TOS and now since we have your money, take a walk if you don't like abiding to their DRM TOS".

Ok, perhaps a little paranoia? I am simply pointing out the question of "who do we have to abide"? GOG asks us to agree to GOG TOS and then to agree to DRM policies of a 3rd party. I mean come on, wtf? >_>

Oh and please do correct me if Disney suddenly thinks DRM-free is great and they changed their policies in the past 3 months. No...seriously I could have missed a few lines, but I doubt they changed their pages.

Yeah, this is a real problem already existing with the multiple EULAs packaged with games. And I guess GOG can't change the standard TOS/EULAs of the publishers significantly... but at least they can try to influence them & give a good example. For instance with a standard GOG TOS which is very relaxed and consumer oriented: e.g. content owning instead licensing, consumer can do whatever he wants with content beside redistribution/taking credit/ reselling.

About the precedence, I guess when not in conflict: both (so, the more restrictive one -> meaning the GOG one should never be the more restrictive one). And when in conflict: I have no clue. Ciris, any comment ?

My annoyance was not GOG exactly, but being told to abide a contractual agreement that by default every user who makes a purchase is breaking said contract.

While I find contracts online to be mostly laughable, it isn't funny when they DO take action against people. The law of a nation tends to make examples and justice be damned in the process of corporate rule.

I'm using Firefox and have such HTTPSeverywhere rule set:

<ruleset name="GOG">
<target host="www.gog.com"/>
<target host="gog.com"/>

<rule from="^https://www.gog.com/" />
</ruleset>

In general HTTPS support on GOG is very messy. Please vote here: https://www.gog.com/wishlist/site/https_browsing_of_the_whole_site

Remind me, have I linked you The cost of the <span class="bold">"S"</span> in HTTPS or not? Just playing the devil's advocate, not sure if the benefits outweigh the negatives (for GOG, not us).

The cost is worth it. You should know the world we live in.

Well, my extensive reply just disappeared into the bowels of the Internets. Huh.

Anyway, tl;dr version:

My problem isn't so much the implementation of metrics, but outsourcing it to third parties. Google in particular.

I realize it's far less expensive to do that than develop your own code, but it's our information that's monetized to cover the difference (so to speak). Personally, I'd rather do everything possible to limit Google's ability to add another data point to their database. It's something I strongly suspect will come back to bite the society, as a whole, in the ass sooner or later, and I have little inclination to contribute toward it. Aside from my information being treated as commodity, that is.

The Privacy Policy, as it currently reads, does not inspire confidence in limiting the availability of our information to third parties. In fact, it hand-waves any responsibility for what happens to said data when it reaches the third party squarely on their shoulders (and requiring adherence to the EULAs of those companies, which in reality may state whatever they want).

The link I provided is only one of the many tests available (though not from such a well-know organization as EFF) to prove just how easy it is to use software and hardware data to identify unique end-points (computers). Making tracking user habits a snap, as long as somebody willing to do so has access to that data. Google is certainly one of such companies. Anybody else handling metrics will likely be in exactly the same business.

I realize my view-point may not be popular in the age of Google, Facebook, Instagram, Snapchat, and basically data-trawling wherever you go, but that doesn't mean I have to like it. I was hoping that, with your stance on DRM, GOG might also recognize the inherent dangers in proliferation of such data, but business is business.

Anyway, thanks for the reply and explanation. I doubt my opinion will change your stance on this, but I do appreciate the effort.

easy solution: remove that rule.
Forcing https where no https is offered is not automatically a safe thing to do as far as I know.
Asking GOG to offer SSL support for the whole site with that wishlist entry you linked to is the right thing to do. And I fully support that.
But forcing ssl where no ssl is offered and than calling it a "major bug" when things break seems a rather adventurous logic to me.

i will link you this in return: SSL/TLS is not computationally expensive any more. ;)

see 2.2. of the new User Agreement
When you buy or install GOG games, you might
have to agree to additional contract terms with the
developer/publisher of the game (e.g. they might ask you to
agree to a game specific End User Licence Agreement). If
there is any inconsistency or dispute between those ‘EULAs’
and this Agreement, then this Agreement wins.

Do read the [url=http://www.cs.cmu.edu/~dnaylor/CostOfTheS.pdf]paper[/url]. Computationally wise, part 4 and 6. Server side computations may not be that expensive, client side they appear to be noteworthy, not due to the computation themselves, but due to lack of proxying. But who knows, many things may change in the next few years and the 4 year old study may or may not be relevant any longer. And as soon as proxies can handle https, then the cost of the S will be significantly lower.

SSL is offered, but some servers have redirects problems. As I said, at times it opens just fine. I.e. it's a bug of the site.

On the upside...it's not really needed..I mean SSL..

(unless ur paying with an actual CC..and that's SOO dumb..)

Anything bought on here, is non-transferable..

It can't be hacked out of your inventory..
Yes, they can steal ur account for a while..but as soon as payments are in question..they don't have
your payment ways, ID's etc..unless they hack those too..but that's kinda hard with a prepaid CC..
(there's no getting their hands on a physical prepaid CC..)

I wouldn't worry about it too much..I'm not worried about my account getting hacked..
Like I said, when push comes to shove, they can only pretend that it's theirs when you use a prepaid card..
(and never make the mistake of getting a lot of cash on it..$20 tops..it's worth dangling it...why ?..
well..any hacker stupid enough to download a tool and trying to steal $20..well..THEY DESERVE 5-10 A LA
CLUB FED !!..I hear they have new dance cards there now, specially for the virgin rookies..)

you mentioned specifically the costs for gog. That's why I commented on the server side performance impact, which seems in practice much less of a problem than generally thought.
It wasn't my intention to dispute the paper you posted entirely.

if you use the site normally SSL is only used on a few specific pages. You cannot simply assume that you can redirect all site links to https.

What's normally? All pages on GOG have https versions. It should be normal and expected to use them. But there are problems with how links and redirects are handled on the site. And it happens even without HTTPSeverywhere as was already reported before. Can be related to cookies mess. Either way it's a bug on the GOG side.

Anyway, to avoid off-topic let's discuss this further in the dedicated thread:
https://www.gog.com/forum/general/dear_gog_please_fix_your_https_pages_linking