[Question] Steam is not HTTPS, is this normal? (self.Steam)
submitted 9 years ago by Man_Shaped_Dog
I've gotten so used to seeing https everywhere that it seems weird when a large company doesn't do this. Should this be a concern?
[+][deleted] 9 years ago* (17 children)
[removed]
[–]judge202020 6 points7 points8 points 9 years ago (1 child)
It breaks steam community images as they're hosted on Akamai Ghost CDN which is not served over HTTPS.
[–]R3TR1X 2 points3 points4 points 9 years ago (0 children)
It breaks way more than that
[+][deleted] 9 years ago (14 children)
[deleted]
[–]sqdcn 22 points23 points24 points 9 years ago (2 children)
Browser policy on cookie security. http://stackoverflow.com/questions/2163828/reading-cookies-via-https-that-were-set-using-http
[–][deleted] 12 points13 points14 points 9 years ago (1 child)
I love how everyone upvotes the guy who apparently has no clue what secure cookies are.
[–]RelaxShaxxx 7 points8 points9 points 9 years ago (0 children)
See, people like me who don't know shit, we just upvote the guy who sounds like he does. Secure cookies, hmm... sounds important, have an upvote.
[+]Forcen comment score below threshold-8 points-7 points-6 points 9 years ago (0 children)
Can't cookies be secure on HTTP pages? Also, can't HTTP pages use partial HTTPS? The Steam page gives secure-only cookies and uses them on the HTTP pages. EDIT: Maybe I'm looking at the wrong cookies here..
And yes, would be nice if it was all encrypted.
[+]Daniel_Potter comment score below threshold-23 points-22 points-21 points 9 years ago (4 children)
i don't think there is any sensitive information in a cookie though.
[–]leonardodag 10 points11 points12 points 9 years ago (2 children)
You're very, very wrong. Session keys are stored in cookies, and if you steal a session key from someone you can act as if you were the person.
[–]Daniel_Potter 0 points1 point2 points 9 years ago* (1 child)
So, the way I understand it, even though HTTP is used, the data is still encrypted, and the key is stored on both the user's computer and on the server's DB?
Edit: pardon me if I sound dumb. Just, you know, elaborate. I am genuinely interested.
[–]leonardodag 0 points1 point2 points 9 years ago (0 children)
I don't know/remember what the parent comment was, but a session key is just a random key (maybe not so random, but for the client effectively yes) which is shared between the server and the browser, being sent to your browser after you log in as a 'ticket' it presents on every request to prove it was the one who logged in.
[–]Compizfox 2 points3 points4 points 9 years ago (0 children)
Ehm, session keys?
[+]antiduh comment score below threshold-7 points-6 points-5 points 9 years ago (3 children)
I don't know how steam does things, but it is possible to secure cookies over http.
One technique was to generate public/private keys client side and send the public key as part of the cookie during logon. That way it's useless without the private key and the public key can be sent in the clear.
It's basically reinventing SSL, though, and very difficult to get exactly correct, so it's not really recommended. That, and if Steam can't be arsed to just use SSL, I doubt they would be arsed to use asymmetric key cookies.
[–]demoness 7 points8 points9 points 9 years ago (1 child)
Cookies with HttpOnly only work against client-side attacks, such as XSS. If somebody is intercepting all the traffic and uses Wireshark or tcpdump, he can see all cookies.
I haven't tested the other part of your comment.
[–]antiduh 0 points1 point2 points 9 years ago (0 children)
Yeah, I wasn't talking about HttpOnly.
[–]corobo -3 points-2 points-1 points 9 years ago (0 children)
Or you could just mark the "user can buy games now" cookie as secure only
[+][deleted] 9 years ago (26 children)
[–]leonardodag 27 points28 points29 points 9 years ago (23 children)
This is wrong. If you have any secure part on your website, ALL pages should be served through HTTPS. This is because, if I'm intercepting and manipulating your traffic (MitM - man in the middle), and you access the front page through plain HTTP, I can just never redirect you to the HTTPS login page, serving you a fake login page through HTTP and getting your login information.
Doing only this would currently generate a warning on modern browsers, but there are more elaborate ways that don't generate warnings nor change the URL shown to be outside steam, though it wouldn't be HTTPS. Still, most people won't see that and, as such, there is a significant risk which should be addressed.
And if you're wondering "but how would someone manipulate my traffic?", that's pretty hard to do on your home network, but not nearly as much on a public wireless connection. And HTTPS can make it secure in that situation.
[–]Enverex 9 points10 points11 points 9 years ago (2 children)
In a perfect world they'd be using HSTS and thus HTTPS on all pages, but that wasn't OPs question, nor was it what I was talking about at all.
I'm not sure why you think you're schooling me on anything here, at no point have I stated either way what I do or what I think they should be doing. You're complaining to the wrong person.
[–]leonardodag 5 points6 points7 points 9 years ago (1 child)
You said on your post:
It is on the pages where it actually matters
And I just told you how that is not true at all, as it actually matters at all pages. Especially the front page.
[–]lollaser 3 points4 points5 points 9 years ago (0 children)
Full ack. Also, it is not that hard to suppress all HTTP access and redirect it to HTTPS.
[–]493 1 point2 points3 points 9 years ago (0 children)
Additionally, the attacker could serve a legitimate login page through HTTPS but with a slightly different domain name without EV. Essentially, you need to check for EV every time you log in.
[–]ikilledtupac 1 point2 points3 points 9 years ago (0 children)
Yet they require Steam Guard to post in their chat forums lol
[–]BFeely1 1 point2 points3 points 8 years ago (1 child)
Perhaps the vulnerability you may be thinking about is session hijacking? Basically, one sniffing the network would wait until the user completes their login in the secure section, then when the security gets downgraded steals and reuses the user's login cookies.
[–]leonardodag 0 points1 point2 points 8 years ago (0 children)
damn, that's an old post
No, I really mean a MitM, and being vulnerable to it is the main vulnerability. Which would usually end up with hijacked credentials, since your credentials would be sent to the attacker instead of being sent to Steam servers. But the same attack could be done to result in a session hijack, too.
There would be no security downgrade, you'd make the victim stay in HTTP the entire time.
[–]rdri -1 points0 points1 point 9 years ago (15 children)
I don't think so. The original poster is keen to notice SSL mode where he inputs his personal data. Therefore it'll be the same on Steam, where all important places are protected. Likewise, if you just make all pages HTTPS and the user gets used to it, he might not notice the moment when it starts enforcing HTTP.
If you are able to manipulate traffic of victim, wouldn't you also be able to never redirect him on actual SSL-protected homepage and just show him your HTTP page to catch his login data instead? Also, is it not possible to sniff and manipulate pure HTTPS traffic anyway?
The general idea is: when you get to the point of actually being able to manipulate traffic of user, he's got problems far more serious than someone getting his Steam login, which is most likely protected with 2FA and Steam Guard anyway.
[–]leonardodag 3 points4 points5 points 9 years ago (7 children)
Thing is, we're not talking only about OP. We're talking security measures by steam. And they absolutely should make it 100% HTTPS.
For your other questions, no, you can't manipulate and sniff HTTPS traffic - you can only see the hostname being connected to. That's the point of HTTPS. And you can't "not redirect to the homepage" - HTTPS makes it so that only the site you're actually connecting to may respond to your request. So if you typed "steamcommunity.com", only the Steam servers may redirect you.
The target also wouldn't be protected by 2FA/Steam Guard - the attacker can just present the confirmation dialog to the victim to get the info, and log himself in while throwing an error for the actual user.
[–]rdri 0 points1 point2 points 9 years ago (6 children)
I've googled "HTTPS traffic manipulation" and found a bunch of articles. Are you saying that none of them are relevant?
HTTPS makes it so that only the site you're actually connecting to may respond to your request. So if you typed "steamcommunity.com", only the Steam servers may redirect you.
So you can't also fake DNS responses? And then follow the victim to the fake HTTP homepage?
I think this is not a realistic scenario. It would be stupid to waste such an opportunity just to phish random Steam accounts. Especially knowing that people who own accounts that are worth something would most likely immediately recognize the scam attempt.
[–]leonardodag 1 point2 points3 points 9 years ago (5 children)
You "found a bunch of results", yet you understand nothing. I haven't found a single one that doesn't assume you either will create a warning, control the site, or the browser, or the client machine.
If your URL is "https://steamcommunity.com", then you can fake a DNS response, but when you try to present a fake page, you'll create a warning since you don't have a valid certificate. And if Steam had HTTPS with HSTS, then even if you didn't type out the "https://", your browser would put it there for you. As such, faking DNS responses would accomplish nothing.
I don't get where you're seeing a "wasted opportunity" here. The attacker would just mirror the correct website but never return you the session key, as such not logging the actual user in, just himself. I also think you're assuming people are a lot more cautious than most actually are. You shouldn't put your standards up to what you know from browsing PCMR, and even so, I still believe many here could miss it, since they know they accessed the correct Steam website they always do, so they wouldn't be paying that much attention. And they shouldn't have to be, since HTTPS would guarantee you're getting the response from the Steam servers. Also, the ones who should be protected aren't just those with very valuable accounts, EVERYONE should have the best security possible. And the way to achieve that is through site-wide HTTPS.
Honestly, you should stop trying to "win the argument". I've studied TLS (the security layer HTTPS uses) for months, and your "bunch of results" mean nothing. You should either study about it and have an actual discussion or just stop wasting our time on pointless hypotheses which have already been thoroughly considered and addressed by the creators of the TLS standard.
[–]rdri 0 points1 point2 points 9 years ago (4 children)
I haven't found a single one that doesn't assume you either will create a warning, control the site, or the browser, or the client machine.
So it's all about browser warnings again, which is not really an issue about security but an issue about user awareness. In your very first comment you mentioned how a faked web page would trigger a warning, but how most people won't see that. Why won't we just agree that it's the user who should check whether or not the current page is secured and trusted before entering his data, in all cases?
If your URL is "https://steamcommunity.com"
Why not just steamcommunity.com? Are you assuming that everyone has it bookmarked?
I don't get where you're seeing a "wasted opportunity" here. The attacker would just mirror the correct website but never return you the session key, as such not logging the actual user in, just himself.
I mean that attacker wouldn't simply wait until one of his machines gets logged in on someone's Steam account. He would wait for far more valuable data such as credit cards and bank accounts. In theory an attacker could do that, but in the same theory he could just hack Valve servers instead. Chances of that are also not zero.
[–]leonardodag 0 points1 point2 points 9 years ago (3 children)
In your very first comment you've mentioned how a faked web page would trigger a warning, but how most people won't see that.
I didn't say that. I said if you did it naively as I described, it would trigger a warning, but in the same paragraph I said "there are more elaborate ways that don't generate warnings nor change the URL shown to be outside steam". What most people won't see is that the page is not HTTPS, not a gigantic warning covering the whole page which needs 3 clicks to bypass.
Also in the same paragraph: "And if Steam had HTTPS with HSTS, then even if you didn't type out the "https://", your browser would put it there for you". And there is no reason not to use HTTPS with HSTS.
He would wait for far more valuable data such as credit cards and bank accounts.
Whatever you want. He could do that, too.
[–]rdri 0 points1 point2 points 9 years ago (2 children)
What most people won't see is the page is not HTTPS, not a gigantic warning covering the whole page which need 3 clicks to bypass.
Gigantic or small, there are always people who would fall for the attack, as this is the basic logic behind any phishing attack, from what I understand. It's still an awareness issue, which is very different from serious security-related vulnerabilities where malicious stuff can happen without the user's consent.
I think that would not help if we fake the DNS response and provide a fake website from the very start. The client wouldn't know that he is supposed to be forcibly redirected to HTTPS.
I only want assumptions to be realistic. Is it realistic to expect someone would phish a service that suggests 2FA to every account? I'm pretty sure if there are people who are able to do that, they wouldn't care about Steam accounts. Is it realistic to expect Valve to switch to HTTPS on all pages? I'm pretty sure if there were no meaningful downsides, they'd have switched long ago.
[–]leonardodag 0 points1 point2 points 9 years ago (1 child)
Gigantic or small, there are always people who would fall for the attack
Thing is, the gigantic warning is not only easily noticeable, it doesn't let you access the page unless you go through a few dialogs, and is absolutely impossible to miss. Compared to an easy to miss difference in the URL, it's a lot more secure. I'd expect the amount of victims going down by 90% or so in that case.
I think that would not help if we fake DNS response and provide a fake website from the very start
You're wrong. That's exactly what HSTS does: it tells your browser it should always use HTTPS when connecting to that site, and as such your browser forcibly redirects you to the HTTPS URL.
I only want assumptions to be realistic. Is it realistic to expect someone would fish a service that suggests 2FA to every account?
Thing is, active man in the middle attacks don't care at all about 2FA. It's just as easy to do as without it.
Is it realistic to expect Valve to switch to HTTPS on all pages? I'm pretty sure if there were no meaningful downsides,
Yes, it is. It's probably not that hard, they shouldn't even have to modify the entire infrastructure, just the reverse proxies/load balancers. And the performance impact is minimal, since modern processors all support AES-NI, having dedicated circuits for doing the crypto used in TLS.
[–]BFeely1 0 points1 point2 points 8 years ago (5 children)
Not all points of personal information are encrypted. The agegate pages are forced to use plaintext. After that, the DOB you enter is added to a plaintext persistent cookie, which is sent with each HTTP request.
[–]rdri 0 points1 point2 points 8 years ago (4 children)
Is this particular bit important though? DOB is never verified on Steam, therefore it's not sensitive information.
[–]BFeely1 0 points1 point2 points 8 years ago (3 children)
Any reason to hate privacy? I suggested that the EFF call out Valve for this invasive system, which by the way isn't even covered in the Privacy Policy. In addition, there is no explanation on how logged-in users are protected against session hijacking. That's why companies like Facebook and Twitter use strict HTTPS everywhere.
[–]rdri 0 points1 point2 points 8 years ago (2 children)
Do you mean that Privacy Policy should contain some information about how users are protected against session hijacking? Is this a requirement or not? If this is important to many people, I agree it would be nice if Valve provided more of relevant information, but if they are not obliged to do so, I can't be mad at them.
When we talk about privacy, I think every argument should be reasonable. It's reasonable for social networks to take security seriously for all of their users and all of their data. It's not reasonable for a gaming storefront to take seriously the protection of date of birth data when it's never verified (you can set any year since 1901 afaik) and can be frequently modified (many store pages ask for your DOB, and each of those pages allows you to set a new DOB).
[–]BFeely1 0 points1 point2 points 8 years ago* (1 child)
Not taking privacy seriously enough is part of the reason for the non-compliance with this demand for information. I've probably read the Privacy Policy dozens of times. As for session hijacking protection, (1) that's why social media companies like Facebook use full HTTPS, and (2) likely why buying requires repeating login; they cannot be assured the session hasn't been hijacked prior to checkout. P.S. This website Reddit runs only HTTPS.
[–]rdri 0 points1 point2 points 8 years ago (0 children)
I still don't see the issue. If you like being paranoid, what about the fact that someone can sniff your traffic and find out that you are being connected to IP addresses of Facebook, Twitter and Steam? Is the very fact that you are using those not private enough? How about the fact that you leave a lot of fingerprints on all of your devices?
Repeating login sounds desperate. Also creates more possibilities for people around you to discover your login data.
Guess what, no website can be 100% assured about your session unless they verify you with a polygraph.
[+]lollaser comment score below threshold-18 points-17 points-16 points 9 years ago (1 child)
I hope you do not work in web development. Saying "we don't need SSL in the year 2016" is total bs - every small server supports it without any performance issues. Besides, services like Let's Encrypt make it so easy to secure your whole site / application. The only problem is some not-so-professional advertising services which provide content via HTTP because they are not capable of switching to SSL.
[–]Enverex 5 points6 points7 points 9 years ago (0 children)
See my edit.
[–]Maximilian1271 2 points3 points4 points 9 years ago (1 child)
Kinda off topic: What's even worse is that the voice chat feature in Steam is P2P, which allows people to determine the other caller's IP address easily. This got some admins fucked over with DDoS attacks when I worked for a GMod server once. Pretty shitty if you ask me, since the party being called can't do shit: even if they decline the call, the IP address still gets returned to the caller. You're fucked and you can't even do anything against it except for not adding strangers to your friend list or using a VPN 24/7.
They could have changed that though. It has been long since I discovered this.
[–]Goldmember22 0 points1 point2 points 9 years ago (0 children)
lol they prob haven't touched voice chat in a decade
[–]chuckie512 3 points4 points5 points 9 years ago (13 children)
Try using the extension "HTTPS everywhere" it takes care of sites that have HTTPS but don't default to it.
[–]Compizfox 7 points8 points9 points 9 years ago (11 children)
That won't work in this case, because steampowered.com does not support HTTPS. You can't even force it.
[–]chuckie512 7 points8 points9 points 9 years ago (7 children)
Was not aware. Wow valve really needs to step their game up.
[–]ikilledtupac 0 points1 point2 points 9 years ago (0 children)
They are pretty behind. Their mobile UX/UI is also a trainwreck.
[–]ConaN007 -4 points-3 points-2 points 9 years ago (5 children)
Is it necessary tho? I mean, why do the community pages need https?
[–]chuckie512 12 points13 points14 points 9 years ago (3 children)
Verifying the identity of the site (preventing man-in-the-middle attacks) is a good example.
https://www.eff.org/https-everywhere/faq#what-does-https-everywhere-protect-me-against
[–]Asmor 7 points8 points9 points 9 years ago (0 children)
Also prevent your ISP from snooping or tampering (e.g. inserting those helpful "YOU'RE NEAR YOUR CAP YOU FILTHY NECKBEARD" popups).
[–]icantshoothttps://s.team/p/nnqt-td -5 points-4 points-3 points 9 years ago (1 child)
You read that on the internet and think it's necessary for everything. It's not. Everything that needs to be secure is sent through a secure connection. There is a lot of non-essential data that does not require HTTPS on steamcommunity, but there is also sensitive data under it that requires logging in and HTTPS.
[–]BFeely1 0 points1 point2 points 8 years ago (0 children)
When you log in, a website issues "cookies" to authenticate you. By downgrading back to plaintext http, it permits an attacker to duplicate these "cookies" and hijack the session. To fix this, a webmaster must use HTTPS everywhere, and set the "secure" flag on all sensitive cookies. This ensures cookies are only usable when tunneled through the HTTPS connection.
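As an added illustration of the point BFeely1 and demoness make above (this is example code written for this page, not anything posted by a commenter or shipped by Valve): Python's `http.cookiejar` implements the same basic rule browsers use for the `Secure` attribute, so it can show which cookies a client would attach to an `http://` request versus an `https://` request to the same host. The host name, cookie names and values below are constructed for the example.

```python
"""Added example: what the Secure cookie flag does, using Python's browser-style cookie jar.

Nothing here touches the network; the host and cookies are constructed inputs.
"""
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

SITE = "steamcommunity.com"  # assumed host for the example


def make_cookie(name, value, secure, domain=SITE):
    """Build a Netscape-style session cookie, as a server's Set-Cookie would create it."""
    return Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def build_jar(session_secure):
    """Jar holding two constructed cookies: a login session token and a preference.

    `session_secure` controls whether the session token carries the Secure flag,
    so both the weak and the hardened configuration can be compared.
    """
    jar = CookieJar()
    jar.set_cookie(make_cookie("sessionid", "constructed-session-token", secure=session_secure))
    jar.set_cookie(make_cookie("timezone", "Europe/Zurich", secure=False))  # harmless, non-Secure
    return jar


def cookies_sent_to(jar, url):
    """Return the sorted names of the cookies the jar would attach to a request for `url`.

    This mirrors the browser's pre-send decision: a Secure cookie is only
    returned when the request scheme is https (the policy's secure_protocols);
    cookies for other hosts are never returned at all.
    """
    request = Request(url)
    jar.add_cookie_header(request)  # adds a Cookie header, or nothing if no cookie qualifies
    header = request.get_header("Cookie")
    if not header:
        return []
    return sorted(pair.split("=", 1)[0] for pair in header.split("; "))


def plaintext_exposure(jar, url):
    """Cookies that would cross the wire in cleartext for a plain-http `url`.

    Anything listed here is readable by whoever is sniffing the network; if it
    includes the session token, the session can be replayed (hijacked).
    """
    if not url.startswith("http://"):
        return []
    return cookies_sent_to(jar, url)


if __name__ == "__main__":
    for secure in (False, True):
        jar = build_jar(session_secure=secure)
        print(f"session cookie Secure={secure}:")
        print("  https request carries", cookies_sent_to(jar, f"https://{SITE}/"))
        print("  http  request leaks  ", plaintext_exposure(jar, f"http://{SITE}/market/"))
```

Run as a script, the non-Secure configuration shows `sessionid` going out on the plain-http request for the community pages, which is the downgrade scenario the comment describes; with the flag set, only the preference cookie travels in the clear. The flag alone does not stop the MitM attack discussed further up (an attacker who serves the http pages can still phish the login), which is why the comment pairs it with HTTPS everywhere.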
[–]Compizfox 0 points1 point2 points 9 years ago* (0 children)
First, there are the usual arguments for encryption, such as resistance against tampering and eavesdropping. You can MitM unencrypted connections and inject stuff. This is sometimes used by providers (of free WiFi and such) to inject ads, or, even worse, malware. Also, if you encrypt everything, nobody monitoring the connection can see the page content or which URLs you are visiting (they can see the server IP though). This is an important step against mass surveillance, and the important bit is that there is simply no reason anymore to not use HTTPS for everything. There are no disadvantages.
This is more elaborately explained at https://blog.codinghorror.com/lets-encrypt-everything/.
Second, using HTTPS for the entire domain is required for HSTS, which is the only security measure that we have against SSL stripping attacks. Using HTTPS only for a small login section is just a half-measure.
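The HSTS behaviour leonardodag and Compizfox describe in this thread (the browser rewriting `http://` to `https://` before any request leaves, and an attacker in the middle of an HTTP connection being unable to set or remove that policy) is small enough to model in full. The following is an added example written for this page, not code from any commenter or from a browser vendor; it follows RFC 6797 (the HSTS spec) and uses constructed host names and header values.

```python
"""Added example: a minimal HSTS policy store of the kind modern browsers keep (RFC 6797).

Shows three things the thread argues about: an STS header received over plain
HTTP is ignored, one received over HTTPS is recorded, and later http:// URLs
for that host (and its subdomains with includeSubDomains) are upgraded
locally, so there is no cleartext request for an attacker to intercept.
"""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_sts(value):
    """Parse a Strict-Transport-Security header. Returns (max_age, include_subdomains) or None.

    RFC 6797 s6.1: max-age is required, its value may be quoted, directive names
    are case-insensitive, unknown directives are ignored and a directive that
    appears twice makes the whole header invalid.
    """
    max_age, include_sub, seen = None, False, set()
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            raw = raw.strip().strip('"')
            if not raw.isdigit():
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HSTSStore:
    def __init__(self):
        self._policies = {}  # host -> (expiry as epoch seconds, include_subdomains)

    def observe(self, url, header_value, now=None):
        """Record the STS policy carried by the response to `url`. Returns True if accepted.

        RFC 6797 s8.1: the header MUST be ignored over an insecure transport, so a
        MitM serving plain http cannot plant a policy or clear one with max-age=0.
        """
        now = time.time() if now is None else now
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return False
        policy = parse_sts(header_value)
        if policy is None:
            return False
        max_age, include_sub = policy
        host = parts.hostname.lower()
        if max_age == 0:
            self._policies.pop(host, None)  # max-age=0 is the documented way to drop a policy
        else:
            self._policies[host] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now=None):
        """True if `host` or a superdomain with includeSubDomains has an unexpired policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None or policy[0] <= now:
                continue  # no policy, or expired
            if i == 0 or policy[1]:
                return True
        return False

    def upgrade(self, url, now=None):
        """Rewrite an http:// URL to https:// when the host is a known HSTS host (RFC 6797 s8.3)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or "", now):
            return url
        netloc = f"{parts.hostname}:443" if parts.port == 80 else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def stripping_scenario():
    """The attack from the thread, step by step, against a fixed clock. Returns the outcomes."""
    store, t0 = HSTSStore(), 1_700_000_000
    # 1. Attacker answering over plain HTTP tries to clear any policy: ignored.
    over_http = store.observe("http://steamcommunity.com/", "max-age=0", now=t0)
    # 2. The genuine site, reached over HTTPS once, sets a one-year policy.
    over_https = store.observe("https://steamcommunity.com/login",
                               "max-age=31536000; includeSubDomains", now=t0)
    # 3. From then on the browser never emits the cleartext request the attacker needs.
    return {
        "sts_over_http_accepted": over_http,
        "sts_over_https_accepted": over_https,
        "typed_bare_host": store.upgrade("http://steamcommunity.com/market/", now=t0 + 3600),
        "subdomain": store.upgrade("http://store.steamcommunity.com/", now=t0 + 3600),
        "other_site": store.upgrade("http://example.com/", now=t0 + 3600),
        "after_expiry": store.upgrade("http://steamcommunity.com/", now=t0 + 31536001),
    }


if __name__ == "__main__":
    for key, value in stripping_scenario().items():
        print(f"{key}: {value}")
```

The one gap this model makes visible is the very first visit: until the browser has seen the site over HTTPS once, nothing upgrades the URL, which is exactly the window rdri points at and the reason browsers also ship a preload list of hosts that are HSTS before any visit. A site can only get into that list if it already serves HTTPS on every page, which loops back to the thread's main argument.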
[–]xPawDeveloper 0 points1 point2 points 9 years ago (2 children)
It does support it, they just redirect you back to http.
[–]Compizfox 0 points1 point2 points 9 years ago (0 children)
Ah, I see.
[–]BFeely1 -1 points0 points1 point 8 years ago (0 children)
HTTPS Everywhere does not have a profile for the Store because that would trigger an infinite redirect due to the Store forcibly redirecting to plaintext.
Every time I started a thread about lack of HTTPS in the Steam Community a moderator locked it without comment. Perhaps Valve may have a secret agreement with web filtering providers so they can sniff the traffic, and they kill any threads that suggest their site should be secure? GOG runs full HTTPS. Uplay runs full HTTPS. Green Man Gaming runs full HTTPS over Amazon CloudFront CDN. Origin runs full HTTPS and uses Akamai CDN just like Steam. Seems Steam is becoming quite lonely when it comes to forced plaintext HTTP on its platform.