
HTTPS support

As of now Roll20 does not seem to support TLS, or at least it defaults to unencrypted password passing. I know it's "only" a beta gaming platform, but I predict that a lot of your users are using passwords that they use for sensitive accounts. Please implement mandatory (or at least default) HTTPS support as soon as possible. I know devs like to roll their eyes at security people, but this is a disaster waiting to happen. Also, you're not storing passwords in plain text, are you? All that said, I think this is an absolutely fantastic idea and, security stuff aside, Roll20 is off to a great start. Keep doing what you're doing!
This is a good point, well made. Would be interested to hear more (and in the meantime will change my password to some random string only used for Roll20).
Gary, Site-wide mandatory HTTPS is currently on our internal roadmap. You'll notice that the Marketplace already has this in place, and some parts of the main Roll20 site do as well (although, as you point out, not the login form, which we know is one place it really should be). This should be implemented within the next month or two. And no, we do not store passwords in plain text, rather salted + hashed. You'll notice that the password reset process sends you a secure link that expires in 24 hours. We have no way of knowing what your original password is. Thanks, RD
That's good news. Riley - many thanks. Nice to hear that security is taken seriously.