Moving all of Roblox.com to HTTPS -- Need your help!

Hey,

I mentioned a while ago that HTTPS was enabled for beta testers, and I’m excited to say we’ve been running with HTTPS as the preferred protocol on the website for a while now. We’re ready to take the next step and begin redirecting all requests over HTTP to HTTPS, but we need developers who make apps that use the Roblox website to update their URLs.

These are the most frequently accessed paths over HTTP:

  • /My/Money.aspx and /My/Money.aspx/GetMyItemTrades
  • /Trade/inventoryhandler.ashx
  • /messages/api/get-messages
  • /Feeds/GetUserFeed
  • /users/1/profile

These URLs represent ~60% of all HTTP traffic on www.roblox.com. I suspect they are being polled for updates of various kinds: new catalog items, feed updates, received messages and trades, etc.

Any URL on Roblox.com can now be accessed over HTTPS so there is no reason not to update. Because there are so many requests to these URLs, we would add a huge amount of traffic to our site if we just redirected them all to HTTPS (two requests for each one now). For that reason, if we don’t see the requests to these endpoints migrate to HTTPS, we may need to begin rejecting those requests over HTTP, rather than redirecting them.

Also, anyone running a proxy site to Roblox: I’d appreciate it if you began upgrading your requests to HTTPS as well.

Thanks in advance. Let me know if you have any questions.


I imagine a lot is from @WebGL3D and his ROBLOX+. (Tagged to notify him)


Will update Rbx2Source to reflect this, thanks for letting me know.


I would think a lot would be notifiers, specifically Seranok’s, Web’s and Call23re’s.


No idea how HTTPS works e.e I'll just stick to Lua for now :stuck_out_tongue:


This is huge. Great this finally came around.

Basically, it encrypts all the data you send to the website so hackers and ‘middlemen’ cannot spy on what you’re doing (easily, at least).

By simply changing a URL from the http:// prefix to https:// on a site that supports it, you are encrypting the traffic.

Just think about online banking. You’re sending your login data to their server, and they don’t use HTTPS. Anybody who is spying on your network connections can easily get your login data from the POST request sent to log in. Now, this isn’t a huge deal on your home network (if it’s secured), but in areas with public internet, it is.


Question: for Roblox games, for decal textures and stuff like that, they use
http://roblox.com/asset/?id=

Do they need to be switched as well?

This is a good case where rbxassetid:// comes in handy. It will always have the correct asset URL. I’m sure it will need to be changed, because their HTTPS system is very broad.

Yes, but a lot of Roblox games use http://roblox.com/asset/?id=, so I was wondering what they have in mind for that.

Does that send the .ROBLOSECURITY in the HTTP request?
If it does, using HTTPS would make it a lot safer.
(If it doesn’t, it doesn’t matter; http:// is faster, which is handy for mobile.)
(Talking client-side; I assume the servers, since they’re ROBLOX’s, can access http:// securely too.)

I would say it doesn’t send the .ROBLOSECURITY, but I am not sure, since decals that were just recently uploaded by you (not yet moderated) are viewable by you though not by others.

If they still use the cookie for client-side /asset/ requests, they should probably drop the cookie there.
I can’t think of any reason you would want to request an asset where you have to identify yourself.
(Images/sound/… don’t need you to be logged in. Unmoderated decals… allow in Studio?)
(For unmoderated: send the user ID instead of the cookie and check using that. No security issue left.)


From what I understand, the same way we rewrite rbxasset:// urls, we also rewrite http://roblox.com/asset/ urls. We do this to verify that the request is using the right protocol (https) the right subdomain (assetgame.roblox.com, and not www.maliciousurl.com) and the correct parameters to the asset handler. Although rbxasset:// is preferred for a number of reasons, asset URLs with http should automatically be upgraded.

@einsteinK: There is some utility to knowing user context when an asset is requested. The obvious one is from studio: we can’t let just anyone download your places and models. There could be additional uses, so we don’t want to close the door just yet. At this time we’re thinking all asset requests should include credentials and also be HTTPS, but we have been discussing omitting cookies and using HTTP instead.
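The two practical asks in this thread are (a) from the first post, that apps, notifiers and proxies send their www.roblox.com requests over HTTPS directly rather than hitting an HTTP redirect on every poll, and (b) from the reply above, that asset URLs be pinned to the right protocol, host and parameters. Below is an added example of a client-side URL normaliser that does both. It is not Roblox's code and not what the client internally does; the target host assetgame.roblox.com is taken from the staff reply, while the allowed-host list, the constant and function names, and the sample URLs marked as constructed are assumptions made for this illustration. It uses the WHATWG URL class built into Node.js.

```javascript
// Added example (not Roblox's own code): normalise Roblox website and asset
// URLs so a client only ever sends HTTPS requests to a known Roblox host.
// ALLOWED_HOSTS, ASSET_HOST and the function names are assumptions for this
// example; assetgame.roblox.com is the host named in the staff reply above.

const ALLOWED_HOSTS = new Set(["roblox.com", "www.roblox.com", "assetgame.roblox.com"]);
const ASSET_HOST = "assetgame.roblox.com";

// Returns the HTTPS URL the client should actually request, or null when the
// input is not a Roblox URL we are willing to send a request (and cookies) to.
function normalizeRobloxUrl(input) {
  // rbxassetid://<id> is the preferred form; map it to the canonical asset URL.
  const rbx = /^rbxassetid:\/\/(\d+)$/i.exec(input);
  if (rbx) return `https://${ASSET_HOST}/asset/?id=${rbx[1]}`;

  let url;
  try {
    url = new URL(input);
  } catch {
    return null; // not an absolute URL at all
  }

  // Only web URLs can be upgraded; ftp:, javascript:, data: and friends are out.
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;

  // Check the host before touching the scheme: an http URL pointing at
  // www.maliciousurl.com must not be "upgraded" into an HTTPS request that
  // carries our session cookie there.
  if (!ALLOWED_HOSTS.has(url.hostname.toLowerCase())) return null;

  // Asset handler: keep only a numeric id and pin the host, mirroring the
  // rewrite the staff reply describes (protocol, subdomain, parameters).
  if (url.pathname === "/asset/" || url.pathname === "/asset") {
    const id = url.searchParams.get("id");
    if (id === null || !/^\d+$/.test(id)) return null;
    return `https://${ASSET_HOST}/asset/?id=${id}`;
  }

  // Any other website path: same path and query, HTTPS only.
  url.protocol = "https:";
  url.username = ""; // never ship embedded credentials
  url.password = "";
  url.hash = "";     // fragments are not sent to the server anyway
  return url.toString();
}

// Audit a client's hardcoded URL list: what gets upgraded, what is already
// fine, and what should not be requested at all.
function auditUrls(urls) {
  const report = { upgraded: [], unchanged: [], rejected: [] };
  for (const u of urls) {
    const out = normalizeRobloxUrl(u);
    if (out === null) report.rejected.push(u);
    else if (out === u) report.unchanged.push(u);
    else report.upgraded.push({ from: u, to: out });
  }
  return report;
}

// Constructed sample input: the five hot paths from the first post, plus a
// few asset and bogus URLs as an app might have them hardcoded today.
const SAMPLE_URLS = [
  "http://www.roblox.com/My/Money.aspx",
  "http://www.roblox.com/My/Money.aspx/GetMyItemTrades",
  "http://www.roblox.com/Trade/inventoryhandler.ashx",
  "http://www.roblox.com/messages/api/get-messages",
  "http://www.roblox.com/Feeds/GetUserFeed",
  "https://www.roblox.com/users/1/profile",     // already HTTPS
  "http://roblox.com/asset/?id=1818",            // constructed asset id
  "rbxassetid://1818",
  "http://www.maliciousurl.com/asset/?id=1818",  // wrong host, must be rejected
];

console.log(JSON.stringify(auditUrls(SAMPLE_URLS), null, 2));
```

Run the audit once over whatever URL list your app or notifier uses; anything that lands in `upgraded` is a request that is currently costing the site a redirect (two requests instead of one), and anything in `rejected` should never have been sent with a Roblox session cookie in the first place.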

I was thinking about having cookies (and HTTPS) just in Studio because of the same reason.
If you internally rewrite http:// to https:// that would indeed be a very nice solution.
