theultramage

The session cookie is sent in plain text. Having the cookie is just as good as having your login, so anyone who sees your network traffic can gain access to your account (lan arp spoofing, wifi hotspot sniffing). To prove my point, I hijacked my session just by ctrl+c ctrl+v-ing the two gog cookies into another browser, giving direct access to my account. My browser does not support HTTPS-Anywhere, so it would be nice if going manually to secure.gog.com would make all the links stay on secure.gog.com.

Eroen

For the "Why?" questions; quite a lot of us live in countries where ISPs are required by (misguided) law to log all activity (actually only metadata, like what page was requested). Thus, https or vpn servers in different countries are required for basic privacy when browsing the web.

While gog isn't exactly a high-value target, there are countries that habitually use man-in-the-middle attacks to identify users making anonymous posts to websites. This is also defeated by both https and vpns.

While the vpn solution works great for anyone sufficiently capable and competent to use it, https on web pages ensures privacy (to the extent it is practical) for any user of the site.

l2affiki

Like testtest says, theres no need for encryption over every single page. Not to mention it disallows the use of caching at all levels of page retrieval: database, server, proxies and browser. This would create a huge and entirely unnecessary load on gog's website.

Elideb

It looks like GOG is moving forward with this. The new secure.gog.com is a great step, but so far is only available for certain sections (Account, main page). If at some point everything done while logged in is encrypted, I'll be very thankful. And for those who think that htps everywhere is unneeded or overkill for servers, you might want to read about the subject. The extra load is not that significant and the main benefit is that your session cookies are no longer sent around in the clear. Even if they are cyphered when sent to GOG, giving access to static information containing your presonal data could compromise it. People not worried about those issues can use the regular site and not suffer any response delays, but I'd rather have all my pages secured in 10 seconds than plain text in 2.http://arstechnica.com/business/2011/03/https-is-more-secure-so-why-isnt-the-web-using-it/

journeyman

Maybe not the whole site (which would be awesome), but at least set https as mandatory for login (which actually is not, and this is a huge security hole)

testtest123

https is cpu-bound - both for Your computer and gog servers. AFAIK all crucial data is being sent via https protocol. I can see secure.gog.com domain Imo there is no need to allow to use https on every URL

Jabokoe

I don't think the store-browsing portion would benefit anything from a secure connection... And forum threads are publicly available anyway so securing that makes no sense, also the PM system already uses HTTPS. So in general anything that you want to do in private on gog.com is already secured. If you are afraid someone does XSS than that would be a browser problem... someone will try to hijack a store page in a man-in -the-middle attack? an adversary might as well opt to hijack your entire DNS request for gog.com since DNSSEC isn't supported by most DNS-zones. So that wouldn't make anything more secure...

RoseLegion

Lovely idea, it would cause me to recommend GoG even more and I know a few folks who might support GoG over other services for a move like this.

AlbertCole

Especially the login should be protected by https.

Elideb

The problem is that GOG has no HTTPS version of most pages, so using one of those extensions is futile in here. Those extensions try to translate all http requests to the secure equivalent, which just isn't there.

MrParmesan

You can force sites to always use HTTPS by creating a rule in this Firefox and Chrome extension https://www.eff.org/https-everywhere I haven't tried making a rule for GOG.com myself though and as the FAQ GOG.com explains the site has to already have a certain level of support of HTTPS for the extension to work.

megiddoj

Why not? It's a simple change and it provides better security. Remember that everything you browse over http (not https) is transmitted in clear text.

EndlessWaves

Why?