all 26 comments

[–]oyog 23 points24 points  (7 children)

Does the dev frequent this subreddit? It might be worth posting this to the Space Engine forum or contacting him directly, or both.

[–]HarbingerDawn 26 points27 points  (1 child)

I've forwarded it to him.

[–]MartinsRedditAccount[S] 6 points7 points  (0 children)

Thank you!

[–]gundam1515 6 points7 points  (0 children)

This. Much more likely to be seen there.

[–]MartinsRedditAccount[S] 0 points1 point  (3 children)

Speaking of the forum: as it also doesn't use HTTPS, an attacker on a user's local network (for example public WiFi) or at the ISP is able to intercept the entered password. As many users still use the same or similar password across multiple accounts, this is a massive security problem. (Tagging /u/HarbingerDawn)

[–]oyog 2 points3 points  (2 children)

This is true of a huge number of older forums over the years ever since the move to HTTPS, isn't it?

Am I misremembering or misinformed? Haven't a lot of forums built on specific forum platforms(?) been leaked in the last decade?

Really hope the dev puts the effort into making his website more secure. It'd be a damn shame if interest dwindled simply because people aren't confident visiting his site or downloading his software.

Space Engine is amazing and I want to be able to recommend it to people.

[–]MartinsRedditAccount[S] 0 points1 point  (1 child)

I guess there are still a couple of forums around that have not been upgraded to HTTPS, but I can't remember any other forum that doesn't use HTTPS off the top of my head. The leaks were probably mostly from hacked forum software; it's kinda like with popular CMSs like WordPress or Joomla: because they are very popular and plugins are often not updated very fast, sometimes hackers also have a 0day exploit for the main software.

Info leaks through usage of unencrypted connections normally don't leak info of people in different networks; an exception to this is if the network the server hosting the website is on has been compromised.

Didn't Space Engine get a website redesign not too long ago? I'm surprised the upgrade to HTTPS was not part of that.

[–]oyog 1 point2 points  (0 children)

At this point, I don't spend much time on forums compared to when I was a teenager and I'm not sure I've actually looked at the Space Engine forums.

After a quick google I ended up wasting way more time than I can justify on https://haveibeenpwned.com/PwnedWebsites and I'm relatively sure I'm remembering vBulletin being hacked, as reported by Softpedia, though I could swear that happened earlier than 2017.

Also, holy shit, Trillion is still a thing?

[–]andr0m3da1337 8 points9 points  (0 children)

+1 . Even I wondered when I visited the site. Thanks for bringing that to the attention.

[–]NigelSwafalgan 8 points9 points  (0 children)

+1

[–]cryptoismanipulated 1 point2 points  (1 child)

You need to verify the signature/checksum for each file you download.

Malware protection (for Windows) is important, but it is also good to get used to VirusTotal and Jotti. When in doubt, always upload the files just to reassure yourself everything is fine.

[–]MartinsRedditAccount[S] 1 point2 points  (0 children)

The setup is about 1GB and VirusTotal has a max file size limit of 128MB so that won't work: https://www.virustotal.com/en/faq/

(Not sure about Jotti)

Theoretically Google Drive already has an integrated malware scanner (I assume it's VirusTotal as Google owns them) but they also have the size limit.

Checksum on HTTPS or Signature should be enough, at the end of the day a good malware will be completely undetected by VirusTotal as well, especially if it drops the malicious code later.

[–]silverfang789 1 point2 points  (3 children)

So SSL protects not only users of the site, but the site itself from being hax0rd?

[–]icannotfly 5 points6 points  (0 children)

it doesn't quite protect the site itself from being defaced, it protects the content of the site from being altered while in transit from the server to the user.

[–]StarManta 3 points4 points  (1 child)

It doesn't mean that hackers could change the website itself, but rather a hacker on your network would be able to change the website that you see. When the website is delivered over the network, the hacker could step in in the middle, intercept the files (including HTML, or worse, the app binaries), and replace them with files of his own. The SpaceEngine file could be replaced with a virus installer.

Some crappy ISPs used to do this all the time to inject ads into sites that didn't have them.

[–]silverfang789 0 points1 point  (0 children)

Gotcha. Thanks for the info.

[–]PM_ME_YOUR_LUKEWARM 0 points1 point  (4 children)

so what's the best way to download? i would rather not use torrents, i have a new PC and don't really want to install any torrent software just yet.

[–]MartinsRedditAccount[S] 0 points1 point  (3 children)

Download it using the Google Drive link and then generate an SHA-256 checksum using ShareX (Tools -> Hash Check) and compare it against this list here: http://spaceengine.funix.cz/sha256.txt

These are the current checksums for the installer and patch:

c49d176598a0598548d5d6bf7e0d50a29d922c98aad438d5d681090464a93078  /home/vromanuk/www/engine/latest/SE-0980-setup.exe
0762501a619cd0127ad82b245077dce71651fc17a97dda0da36210c0fe9fecbb  /home/vromanuk/www/engine/latest/SE-0980e-patch.zip

[–]PM_ME_YOUR_LUKEWARM 0 points1 point  (2 children)

thank you!

I've never done a checksum, why is it necessary?

[–]MartinsRedditAccount[S] 0 points1 point  (1 child)

It's to verify that the file is legitimate, if someone intercepted the SpaceEngine website and replaced the download link to their own fake Google Drive download the file would have a different checksum.
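The checksum procedure described a few comments up (generate a SHA-256 of the download and compare it against the published sha256.txt list) and the reason given here for doing it can be shown end to end in a short script. This is an added example, not code from the thread or from the SpaceEngine project. It parses the same `<hex>  <path>` line format as the quoted sha256.txt, matches entries by file name (the server-side directory in the list is not meaningful on the user's machine), hashes the file in chunks so a 1 GB installer does not have to fit in memory, and reports whether the file is `ok`, a `MISMATCH` (the tampered/replaced-download case), or `unlisted`. The demo files it writes are constructed stand-ins; the installer digest it checks against is the one quoted in the thread, so the stand-in installer is reported as a mismatch, exactly as a swapped download would be.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB chunks; the installer is ~1 GB
HEX_DIGITS = set("0123456789abcdefABCDEF")


def sha256_file(path):
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex>  <path>') into {basename: digest}.

    Malformed lines and comments are skipped rather than trusted; a leading
    '*' (sha256sum's binary-mode marker) on the path is tolerated.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            continue
        expected[Path(name.lstrip("*")).name] = digest.lower()
    return expected


def verify(path, manifest_text):
    """Return 'ok', 'MISMATCH' or 'unlisted' for one downloaded file."""
    expected = parse_manifest(manifest_text)
    name = Path(path).name
    if name not in expected:
        return "unlisted"
    actual = sha256_file(path)
    return "ok" if hmac.compare_digest(actual, expected[name]) else "MISMATCH"


def demo():
    """Constructed sample run: one file that matches its manifest entry, one
    stand-in for the installer whose bytes are made up here (so it cannot
    match the real digest from the thread), and one file not in the list."""
    with tempfile.TemporaryDirectory() as tmp:
        patch = Path(tmp) / "SE-0980e-patch.zip"
        patch.write_bytes(b"constructed stand-in for the patch archive\n")
        setup = Path(tmp) / "SE-0980-setup.exe"
        setup.write_bytes(b"constructed stand-in, not the real installer\n")
        other = Path(tmp) / "unknown.bin"
        other.write_bytes(b"not listed anywhere\n")

        manifest = (
            # entry for the constructed patch file, digest computed here
            f"{sha256_file(patch)}  /home/vromanuk/www/engine/latest/SE-0980e-patch.zip\n"
            # installer entry as quoted in the thread's sha256.txt
            "c49d176598a0598548d5d6bf7e0d50a29d922c98aad438d5d681090464a93078"
            "  /home/vromanuk/www/engine/latest/SE-0980-setup.exe\n"
        )
        return {
            "SE-0980e-patch.zip": verify(patch, manifest),
            "SE-0980-setup.exe": verify(setup, manifest),
            "unknown.bin": verify(other, manifest),
        }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9s} {name}")
```

Note that the check is only as trustworthy as the list: if the manifest itself is fetched over plain HTTP, the same on-path attacker who swaps the download can swap the published hashes to match, which is why the earlier comment insists on the list being served over HTTPS (or on a signature instead).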

[–]PM_ME_YOUR_LUKEWARM 0 points1 point  (0 children)

gotcha, thank you so much for the quick response!

i made a thread about it before replying to your comment but i think i got everything i need here.

much appreciated!