On the topic of SSL / HTTPS:

To point another perspective. Your anti-virus software is made irrelevant when surfing using https. The real time functions of AVs cannot scan a https site. So when a site goes https and gets hacked or has a glitch, your system is vulnerable to whatever comes down the connection while you surf.

That said, I'd much rather sites give http and https options and http as default. It really pisses me off when sites go default https and no option to use http standard. Especially irritating when https is on until you log in to turn it off.

Feel free to debate this but I trust no website that much to gimp my security on my end, which https does. If anyone wants to say this isn't true, go ask the developers at any AV company. It isn't a secret.
Shmacky-McNuts: Feel free to debate this but I trust no website that much to gimp my security on my end, which https does. If anyone wants to say this isn't true, go ask the developers at any AV company. It isn't a secret.
Why should I trust AV more than HTTPS connection? HTTPS is needed so that no snoop could read your data while it travels to the site. There is no way around it.
Simple:

You can pick up a surf by virus, not even know it and then you end up with worse problems than a snoop that may not even be snooping >_>

A virus is far more likely and any idiot can add links to 3rd party sites. That is the point. Real time protection getting gimped by paranoid types, doesn't trump my personal property getting compromised.

I understand your snoop perspective. I just don't need everything being sealed up to a point where I can brick a machine because of it.

I mean seriously, you trust a corporation like Google to never allow malware onto your property even by accident over a possible snoop, that may be guarded against at YOUR end anyway?
Shmacky-McNuts: Simple:

You can pick up a surf by virus,
Never had any viruses like that. Sounds more like a Windows thing. Anyway, your own host security can't be built on reducing security of the connection. It's a deeply flawed approach. I'm surprised some AV use that idea.
Post edited January 27, 2015 by shmerl
Shmacky-McNuts: Simple:

You can pick up a surf by virus,
shmerl: Never had any viruses like that. Sounds more like a Windows thing. Anyway, your own host security can't be built on reducing security of the connection. It's a deeply flawed approach. I'm surprised some AV use that idea.
I am assuming by your comment you are a Linux user.

The short response then is to say this: Windows users have a higher population. If you have a higher risk of such malware problems as Windows users have than Linux users, then it makes more sense to have both options.

I think we can agree on this.

To explain a little though, Windows users typically have to rely on a real time response to malware on web pages. Most people aren't even aware of it. But when a site encrypts using https, the malware that would have been stopped can now have free access directly to that machine. This sucks! There is no way for the AV to decrypt the incoming code between site and the machine in order to recognize the malware before it can be downloaded.

You (assuming) Linux users do not worry about this problem as you just download willy nilly without worry. Everything is typically safe. Not so for Windows users.
Shmacky-McNuts: To explain a little though, Windows users typically have to rely on a real time response to malware on web pages. Most people aren't even aware of it. But when a site encrypts using https, the malware that would have been stopped can now have free access directly to that machine. This sucks! There is no way for the AV to decrypt the incoming code between site and the machine in order to recognize the malware before it can be downloaded.
It's a false approach. If anyone is concerned with that, they have to add malware prevention into the browser rather than compromising connection security. I.e. build a browser add-on which can perfectly analyze content on the client side before doing anything with it. If antivirus authors can't integrate their tools with the browser and instead demand from the user to use insecure connection - they shouldn't be writing anything.
Post edited January 27, 2015 by shmerl
That is part of what I am talking about. The HTTPS encrypts the connection and is not able to allow real time decryption by the AV. Because unlike Linux distros, Windows is not all one integrated package that can seamlessly do things. You go look up Internet Explorer. That is a HUGE virus magnet and it can behave how Linux downloads behave.

No offense but we are going off topic in a big way and there is Google at your fingertips to provide you with info on such security problems.

In short, Linux is the minority and won't change. So GOG and other sites need to accommodate the majority first.

Sorry...just the way it is.
Shmacky-McNuts: You go look up Internet Explorer. That is a HUGE virus magnet
So, discard that piece of junk. I'd say if IE has problems with handling HTTPS, it's Microsoft's problem. As I said, normal browsers can handle content analysis after the decryption - that's what many add-ons do. If IE can't - all the worse for it. Just never use it. It shouldn't be a valid reason for sites to use HTTP instead of HTTPS.
Post edited January 27, 2015 by shmerl
I don't think you understand =(

You just have to know how MS makes their operating systems and how ALL AV and browsers function.

In short:

Https= secure connection between 2 machines. Secure line but risk of malware from one to the other. Because no AV can see on the encrypted line. Thus NO Windows machine using ANY AV using ANY browser can be safe using https. It assumes that both sides (like Linux) are safe, but this isn't ever true under a Windows OS.

Http= Not a secure line between 2 machines, but able to deflect incoming malware from the other side.

You just have to understand how these things work. All browsers and ALL AVs work this way.

To curb one of your thoughts, when MS integrated IE browser and Windows variants of AV, everyone went completely ape$h!t because every Windows user likes to use something different. Not integrated like much of Linux is.
Post edited January 27, 2015 by Shmacky-McNuts
Shmacky-McNuts: Https= secure connection between 2 machines. Secure line but risk of malware from one to the other. Because no AV can see on the encrypted line. Thus NO Windows machine using ANY AV using ANY browser can be safe using https. It assumes that both sides (like Linux) are safe, but this isn't ever true under a Windows OS.

Http= Not a secure line between 2 machines, but able to deflect incoming malware from the other side.
I already answered that. To make it clear:

Server (HTTPS) → browser (HTTPS) → decryption in the browser → any kind of content analysis that you might want (antivirus or whatever) built as browser add-on → rendering of the page in the browser or rejecting it if it's malware.

That's it. If you worry about realtime issues - that's a task for antivirus developers to solve. It always adds overhead. That's a normal design. Anything that says it requires insecure connection to prevent malware is an invalid approach.

And if IE can't handle that - don't use IE. Site designers should never use insecure approaches because some idiot in M$ can't make browsers properly.
Post edited January 27, 2015 by shmerl
Actually I was referencing how AVs do things already. They don't do it the way you mention last. They scan the incoming connection and deflect BEFORE it makes it to your machine. If the decryption happens as you put it, the malware is already in the memory of your machine. Which is bad.

Besides, having both http/https with http default is the best approach as I have mentioned before. Everyone's happy.

Have a good. We've taken up too much of this thread with our tangent. But good talkin with you =D
Shmacky-McNuts: Actually I was referencing how AVs do things already. They don't do it the way you mention last. They scan the incoming connection and deflect BEFORE it makes it to your machine. If the decryption happens as you put it, the malware is already in the memory of your machine. Which is bad.
Sorry, but that's nonsense. The incoming data always has to arrive at your machine and be put into the memory there, before the AV can start scanning it. Or are you proposing that the AV scans the data while it's still running through the LAN cable? It's still just a piece of software, not sorcery ;)
What likely happened is that the AV intercepted the incoming data at some lower level (i.e. the kernel) before it reaches the user level applications. That approach won't work with encrypted connections.
But as shmerl already pointed out, intercepting the data in the browser after the decryption and before it starts using the data, is still a working solution.

Also it seems that quite a few AV companies advertise their HTTPS scanning capabilities. What do you say to that? :)
Depending on the AV company, I'd say I would have to look at their method. You are also correct in deciphering my bad description. I'm not good with describing things sometimes. I wasn't implying sorcery =P

The incoming connection is scanned before it makes its way too deep and simply aborts the connection with the offending code.

Better? =)

Edit-

Thinking about an AV decrypting the HTTPS, I happened to think of something. It would depend on whether or not the company is reputable and rather open about their practices. It would also assume everyone wants to use that product, which is not very realistic.

I would say that the AV company would then have snoop control and not random people. But this is getting deep into crazy town with the whole paranoia thing. I'm more interested in security on my end and I can still use HTTPS when I please for those paranoia moments.

I just keep saying it. Everyone is happy with both options. http/https with http default.
Post edited January 29, 2015 by Shmacky-McNuts
Ixamyakxim: Even with GoG's super simple privacy policy it took me years to sign up here. It was one of the reasons I loved this place. I'll take a read later on today but I hope it isn't something that's going to be a turn off to me.

Having my information proliferated all over the cyberspace is one of the reasons I left the console world. Increasingly, every game required me to consent to "sharing of information" with 3rd party affiliates, simply to play a game. In a world where data is increasingly more vulnerable and theft rampant, I want more control over who has access to my data, not less. The big players can't keep data secure, I don't want 1,000s of little guys with my information.

Please have an opt-out on 3rd party sharing of information. I feel a little bit better about it here as it is likely "only" my email address. But still...
I agree. I also don't like what I am reading about the new move to a non DRM policy now also. The main reason I joined GOG.

Of course, as we have just read from GOG's initial post on this thread, if you bring up issues like privacy or your loss of software ownership, or restrictions on that ownership, you are called a conspiracy theorist by staff or GOG administration, themselves.

Kind of seems fishy that there is a privacy policy change to begin with (those are never to restrict access to your information, it's always the other way around) and that GOG would go out of their way to call those who are concerned about such changes, conspiracy theorists.

By doing that, it makes it all the more believable that GOG is hiding something from its account holders, and that their new privacy policy change is anything BUT benevolent to its users.

Just know this. Every company in cyberspace wants your information and every one of them wants to sell and give away your information.
If you can see this text it means that your email client couldn't display our newsletter properly.
Please start sending your mails with plain-text-versions, too.
HTML-mails are a security-nightmare.