Author Topic: Secure web/blockland communication  (Read 4404 times)

Hey all.

I understand how to use httpobject to send post data. However, what if I want to make the connection 'secure'?

For example, let's say I want to send some thru torque data like so:
Code:
website.com/data.php?blid=4709&ispro=false

But, if I'm a clever little weasel, I could just type this into my browser:
Code:
website.com/data.php?blid=4709&ispro=true
How do I confirm where the data is coming from? IE, how do I make sure that someone isn't loving with it?

Thanks.

Crypto of some sort?

Crypto of some sort?
Explain further.

Keep in mind that I want the script to be secure even from the inside.

That is, people will be able to see the TS.

Nothing will really keep people from sending bogus data.

Apparently Ephialtes has some sort of security system, but I'm almost certain that he is able to just block input from users who he has determined are sending crap to the server after the fact.

Explain further.
I've got no idea how you'd do it, but could you add encryption somehow?

Nothing will really keep people from sending bogus data.

Apparently Ephialtes has some sort of security system, but I'm almost certain that he is able to just block input from users who he has determined are sending crap to the server after the fact.
Hmm, okay.

Is there any way to like, encrypt the server.cs files or something so that people can't see their contents?

The only way to do that is to use the compile("scriptname"); function, but only when the Engine is configured to allow it. The only time the Engine is in such a state is pre-update, when Badspot recompiles all his scripts into .cs.dso format. The reason we cannot use the .cs.dso functionality is because people have in the past, and most certainly would, use it to obfuscate nasty functionality from Badspot.

Your only choice is to be really clever or to forgo whatever you're planning because it seems like a bad idea anyways.

Tom

Apparently Ephialtes has some sort of security system, but I'm almost certain that he is able to just block input from users who he has determined are sending crap to the server after the fact.
Ephi has access to the master authentication server, so he probably uses that as part of his security system. Kalphiter probably knows a lot about the details of Ephi's system, because he's probably attempted to get around it.

The only way to do that is to use the compile("scriptname"); function, but only when the Engine is configured to allow it. The only time the Engine is in such a state is pre-update, when Badspot recompiles all his scripts into .cs.dso format. The reason we cannot use the .cs.dso functionality is because people have in the past, and most certainly would, use it to obfuscate nasty functionality from Badspot.

Your only choice is to be really clever or to forgo whatever you're planning because it seems like a bad idea anyways.
So encrypting the files is not an option, then.

"forgo whatever you're planning because it seems like a bad idea"
You can't possibly know that. I mean, I haven't even stated in the vaguest terms what my idea is, apart from the fact that it requires web functionality :/

As far as being clever goes - does that mean you have an idea? If so, please share!

Encrypt it better.


hv000=false
rather than
ispro=false
for instance.

Tom

First of all, changing the names of the HTTP variables is in no way encryption. Second, it wouldn't even do anything. It would still just take some looking at the script and some trial and error to figure out what everything does.

It'd be like changing my forum name to otto-san and yours to Iban. It might be a tad confusing, but based on avatars, posting style, etc, people would figure it out.

Encrypt it better.


hv000=false
rather than
ispro=false
for instance.
People will have access to the .cs

Basically, what Tom said.

Tom

Well it might help to have a general idea of what you are trying to do, because in some scenarios you might be able to get a secure system figured out.

If you are trying to do something like this:
Client in web browser <-> web server <-> Blockland server
we might be able to think of an encryption scheme.

Or if the web server is going to be providing some kind of content, you can just not send the content unless all the authentication requirements have been fulfilled.
« Last Edit: May 12, 2011, 12:04:42 AM by Tom »

Nothing will really keep people from sending bogus data.

Apparently Ephialtes has some sort of security system, but I'm almost certain that he is able to just block input from users who he has determined are sending crap to the server after the fact.
It authenticates with the master server via IP and ID.
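
Added example (not part of the thread and not any poster's code): a sketch of the server-side approach the replies point toward, where the web server ties the BLID to an IP-and-ID check, takes the "pro" status from its own records instead of the ispro parameter, and flags mismatches for blocking after the fact. The names handle, AUTHENTICATED, PRO_ACCOUNTS and flagged are hypothetical, and the in-memory tables are constructed stand-ins for whatever identity check and account store the server really has; the thread does not describe the master server's interface.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed server-side state (assumptions, not from the thread):
# which BLID the identity check last confirmed for each source IP, with an
# expiry time, and the "pro" flag the web server itself stores per BLID.
AUTHENTICATED = {"203.0.113.7": (4709, 1_000_600)}  # ip -> (blid, expires_at)
PRO_ACCOUNTS = {4709: False, 1234: True}
flagged = []  # (ip, reason) pairs kept so the sender can be blocked later


def handle(url, source_ip, now):
    """Return (http_status, is_pro) for a request like data.php?blid=..&ispro=.."""
    params = parse_qs(urlsplit(url).query)
    blid_raw = params.get("blid", [""])[0]
    if not (blid_raw.isascii() and blid_raw.isdigit()):
        return 400, None
    blid = int(blid_raw)

    # 1. Identity comes from the IP/ID check, never from the URL alone.
    session = AUTHENTICATED.get(source_ip)
    if session is None or session[1] < now:
        return 401, None
    if session[0] != blid:
        flagged.append((source_ip, "blid mismatch"))
        return 403, None

    # 2. Privilege comes from the server's own record. The client's ispro
    #    value is only compared against it to detect tampering.
    is_pro = PRO_ACCOUNTS.get(blid, False)
    claimed = params.get("ispro", [None])[0]
    if claimed is not None and (claimed.lower() == "true") != is_pro:
        flagged.append((source_ip, "ispro mismatch"))
    return 200, is_pro
```

With this layout the hand-typed URL with ispro=true changes nothing about what the server returns; it only adds an entry to flagged.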