Here is some info on the Hamete Service (and security courtesy of Arpat):
Arpat wrote: An alternative to a dice roller like Invisible Castle is the Hamete Service: https://dicelog.com/dice
You need to accept the security warning etc.
The DM can create a Dice Log: https://dicelog.com/newlogdice
When people create accounts they can be added to the log.
It's a little complex and I guess it will take 5 minutes of reading, puzzling etc., but then it works.
Ah, I think a little explanation would be in order about the certificate (inside the spoiler since this is a Game Thread)
and the error it generates:
First: the certificate is completely valid. It only isn't validated by a trusted third party like Verisign. Everybody with a Windows server can create a certificate and it only assures that your connection through the server is secure (https) and hashed with the certificate's code.
If you want to create a "false" identical server it can't be verified. From a bank you will need that verification and therefore the bank has a counterpart that you can verify with Verisign.
So what is it with this certificate?
This certificate, once you accept it, enables secure communication and therefore your results can't be changed or falsified. The only thing you can't do is verify that this server actually is the one you want to talk to (no Verisign counterpart). So I could create an identical server with a certificate and put the link in a message with the most wondrous results (I always roll natural 20's). However, you would have to accept my certificate, which can't have the same hash as the original server. Therefore you can always determine that my results are from another source.
The certificate is a little overkill, but then some people can't take it when they die because of bad luck and they start to tamper with results (which is possible here, but very difficult - it probably is that difficult that you can hack into the database anyway and create your own results at will). I don't think it will happen.
BTW: the main reason for not having a trusted certificate is the steep price. Even the most basic certificate is at Verisign: Total: US $695 (excluding taxes)
I guess a good reason NOT to buy one for two years; I guess it is better to donate that to Richard.
To conclude my little story:
ALL websites that have something to do with people's money, like a credit card company or PayPal, ALWAYS have a trusted certificate. If it isn't valid then you can check why it isn't valid (but DON'T buy anything, DON'T give in your credit card and NEVER give pincodes or similar things). BANKS will NEVER ask them on the internet. If in doubt: call your bank or even better: go to the bank and ask.
CL wrote: So you are saying, Paul, that if I accept that site certificate once--it will be remembered and as long as I don't accept another one (if that error message pops up again) then I should be fine (as far as someone trying to hack the site or my computer)? Or do I have to track the site certificate every time I go to the site and make sure it is the same one?
Arpat wrote: If you accept it (the certificate) AND have checked the URL then you can be sure enough you're on the right server (this simple statement is NOT valid for banking systems where money is spent by criminals to create a way to have a faster responding DNS to redirect you to a "similar" server). Cheaper tricks are: having you send a message with a request to login, the URL seems valid, but the actual IP is not correct. With a third party check like Verisign the certificate will be invalid.
This kind of invalid IS a big risk.
The risk that you are referring to can't be blocked with HTTPS. Hacking of an HTTPS enabled system is difficult, due to the problem that they can't read your name/password once it is set up. Your certificate (which gives the error because it can't be validated with a third party) can be validated by you. You need to "install" the certificate. (It's not necessary to do so, just read the URL.)
About the hacking part: the certificate only makes your communication to and from the server you intend to talk with obscure for anybody else. So as Mister Spock would say:
If the hacker is on the server he can hack your PC if he has the knowledge. The certificate makes no difference.
If the hacker is somewhere else then he has the problem that he can't see what you are doing (because the PC-Server communication is hashed (unreadable)). That's why you can use PayPal safely: no-one except the server can read your login, password and codes. (The technique used is described here: http://en.wikipedia.org/wiki/Public-key_cryptography)
However, if someone is already ON your PC with a keylogger that reads your typing and sends the criminal everything you type, then it will be possible for a criminal to act like he is you. (He can go to the bank, use your name and password.)
However, today banks use an extra security feature: a token (like a number from a device or a code sent by phone).
The risk of being hacked is not mitigated by a certificate. It's the way the certificate works that makes communication safe. Verisign adds the third party check that you are talking to paypaL.com (and not paypaLL.com) and the token makes it safe. (Safe enough - banks and government use it.)
There are other ways to ensure someone's identity, but current law will prohibit a real proof of personae. (I could get your name and password, steal your token or mobile phone and the bank would not be able to tell the difference.) If you go to the bank, deliver a DNA sample and have a DNA sampler at home that instantly sends a sample to the bank and instantly the bank can verify, then the bank only can say It is really CL on the other end. (But still no way to see if you are willingly or forced to transfer money.)
Security is a big issue and every system has its flaws...
I hope it's a little bit more clear... and next time when you use online banking you know a little bit more about the why and how.
that way we make 'almost 99%' sure that our donation goes to Richard and not some crooked criminal