Dear Steam team, please re-enable full site SSL support (even if optional)
Hi all,

I am starting a petition to ask Steam to re-enable full site HTTPS support (even if it's optional), and in particular, for storefront and community pages.

My argument is posted as a twitter thread. I am hoping someone from Valve engineering team can read it in full.

English:

https://twitter.com/bitinn/status/887893811426242560

Chinese:

https://twitter.com/bitinn/status/887901635887865856

In opening this ticket, I hope someone can show me:

a) A roadmap on when it could be done.

b) A good business or engineering reason on why it can never be done.

Either is fine, but please do give us a detailed answer.

I will be passing the response in full to local community.

Thank you and best wishes,

David Frank

(Per suggestion from Steam support, I am posting my ticket to this forum as well, if you agree this is a good idea, please do chime in!)

(For Chinese-speaking audience: 不方便用英文?没问题,您可以用中文回复支持。)
Last edited by BitInn; Jul 20 @ 8:42pm
< >
Showing 1-15 of 174 comments
BitInn Jul 20 @ 7:57pm 
For transparency, here is the full exchange in my support ticket:

https://twitter.com/bitinn/status/888230499566493696

------

Update: for the impatient, here is a summary of my argument:

I want to start a petition asking @Steam_Support to use Full Site SSL, as a gamer living in China I no longer feel safe using plain HTTP.

I would guess the reason for Steam to maintain HTTP in community and store pages would be to display non-secure cross-site content. BUT:

There isn't any workaround: using VPN with Steam client is strictly prohibited, for good reasons.

My worry: plain HTTP leaks personal info.

So basically @steam_games put me in a position easily trackable and identifiable by my ISP, and whoever controls them.

I should also mention Steam store front is pretty unusable these days because plain HTTP can easily trigger keyword censorship in China.

To my English-speaking audience (living outside China), this is a good move to protect your personal info as well.

And remember Steam used to have Full Site SSL, and then they disable it, in a way that force users to browse Steam store over plain HTTP.

I am not saying Valve doesn't have their reasons, but I am arguing those reasons don't hold when most e-commerce sites manage to go SSL.

We understand the potential risk of enabling full site SSL. It's a tough decision and we believe going SSL is the better one, for both chinese and global users.


Also in Chinese:

虽然我们知道全站 SSL 加密会带来什么可能风险。

但从如今的情况看,不加密,我们的个人信息太容易被 ISP 获取了。长远来看这不是个好事。

我有几个论点:

- 如今各种关键字触发商店页面无法访问的情况,是否可以继续?

- Steam 是强制商店与社区页面不使用 HTTPS。改为允许用户选择使用 HTTPS,是否可以?

- 如果你身在国外,是否也想被 ISP 知道你的个人购买能力?

- Steam 本来有一段时间是允许 HTTPS 的,我认为没有技术问题,除了社区页面上的站外 HTTP 内容可能无法显示这点。

综上所属,这是我的提议。

如此大规模技术调整,需要时间与人力的投入,「用户需求」毫无疑问是一个重要的驱动力。如果你支持我们的请愿,欢迎在这个官方贴发表你的支持。
Last edited by BitInn; Jul 21 @ 3:25am
Vistaing Jul 20 @ 8:14pm 
Do appreciate your fight for the future of every Chinese steam user.
xiaoxiao Jul 20 @ 8:32pm 
Definitely necessary when you are confronted with a gov that can use deep packet inspection and interception to control and modify what can be displayed in Steam.
Last edited by xiaoxiao; Jul 20 @ 8:33pm
MarsKain Jul 20 @ 9:12pm 
+1 it's a good solution
It's very necessary.
黑白 Jul 20 @ 9:17pm 
please...
This is 2017, even personal blogs are using HTTPS now. There's simply no excuse for sites like Steam not being HTTPS only.
kirito Jul 20 @ 9:42pm 
Please, force HTTPS at store pages
And then the chinese government blocked steam altogether, because https can't stop that. And everyone lived unhappily ever after.
HTTPS is necessary for a modern web service, especially in a country with web censorship.
Steam store with plain HTTP is seriously interferenced in China.
oott123 Jul 20 @ 9:53pm 
+1 for full ssl

It's really important nowadays.
As a Chinese, I know what it's like without HTTPS. Even you are not in China, you won't like being MITMed by anyone
Last edited by alias5100; Jul 21 @ 12:52am
merako Jul 20 @ 10:09pm 
+1, It's very necessary from now on, plz
KzumiZ Jul 20 @ 10:11pm 
+1 for full site SSL. It's really necessary.
BitInn Jul 20 @ 10:16pm 
I should mention: we understand the potential risk of enabling full site SSL. It's a tough decision and we believe going SSL is the better one, for both chinese and global users.
< >
Showing 1-15 of 174 comments
Per page: 15 30 50