Author Topic: Secure web/blockland communication  (Read 4418 times)

Figured.

Does Badspot have any sort of API for people other than Ephialtes?

I do not believe so; however, I'm sure if anyone made anything that actually needed it, he'd give it out.

Tom

I do not believe so; however, I'm sure if anyone made anything that actually needed it, he'd give it out.
Probably not. The API would give access to sensitive information about users. Ephi gets it because Badspot trusts him more than anyone else (maybe with the exception of Rotondo and kompressor).

Well it might help to have a general idea of what you are trying to do, because in some scenarios you might be able to get a secure system figured out.

If you are trying to do something like this:
Client in web browser <-> web server <-> Blockland server
we might be able to think of an encryption scheme.

Or if the web server is going to be providing some kind of content, you can just not send the content unless all the authentication requirements have been fulfilled.
Blockland --> php (webserver)

data can later be accessed through a browser

Use POST instead of GET. I've heard it's slightly harder to intercept.
There are two ways you can go around it:
1) Assign the user a 'passcode' on a form, where they enter their BL_ID (no way to actually check they own it, though). They copy-paste it into some GUI to set up their account. When you post information, post the passcode and the account & bl_id are figured out from that. Obviously this can still be intercepted, but if you're not hosting any important stuff then it's doubtful anyone will go out of their way to mess with it.

2) Make your own home-made encryption. Make the code extremely vague and try to mislead anyone. For example:
Code:
%a = "abcdefghijklmnopqrstuvwxyz0123456789";
%c = strLen(%a);
%d = strLen(%text);
for(%i = 0; %i < %d; %i++)   // was "i < %d": a bare i is not the counter, so the loop never ended
{
        // decoy assignments, never read
        %z = 2334213;
        %y = 13345773;
        %z = 666;
        //windows??
        %no = 1;
        %g = getSubStr(%text, %i, 1);   // current character
        %h = strPos(%a, %g);            // its index in the alphabet
        while(%j)
        {
               %j = 0;
        }
        return %t;   // returns on the first pass; %t is never set
}

OR, use both of them together. There's really nothing else you can do; Blockland has everything decompiled.

Tom

1) Assign the user a 'passcode' on a form, where they enter their BL_ID (no way to actually check they own it, though). They copy-paste it into some GUI to set up their account. When you post information, post the passcode and the account & bl_id are figured out from that. Obviously this can still be intercepted, but if you're not hosting any important stuff then it's doubtful anyone will go out of their way to mess with it.
I think the OP's main concern is stopping people from sending fake stats. Something like this still doesn't stop them from modifying the script to always send that the player has pro status or something like that.

Idea: have the online server send a confirmation code to the game server, then have the game server return that code.

1 word, 3 letters.

P
H
P

The code can't be viewed by anyone other than the person who has the actual .php files.
And second, have a piece of info associated with the blid itself, so they can't change it.

1 word, 3 letters.
Yeah, no stuff, except that the PHP isn't magic and cannot determine who is sending the information unless it has access to the Master Server. Relying on the client to be accurate isn't intelligent.

Have a verification system that allows you to set some sort of personal identification (a pin sent to the real user's email, etc.) and have them enter it every time they want to access it. (But of course, have them identify that they really are that blid separately.)

Yay! A log-in form that pops up every time you want to play Blockland! That's the very definition of convenient.

The code can't be viewed by anyone other than the person who has the actual .php files.
And second, have a piece of info associated with the blid itself, so they can't change it.
Ipquarx, get out.

Probably not. The API would give access to sensitive information about users. Ephi gets it because Badspot trusts him more than anyone else (maybe with the exception of Rotondo and kompressor).
One way it could be done using an API:
(blid + IP?) ---> YES/NO

This works a lot better because you have to have an ID and IP beforehand and you really can't just make something up.

Idea: have the online server send a confirmation code to the game server, then have the game server return that code.
Nope. Anyone can view (and therefore, copy) the ts code that returns the code.

Nope. Anyone can view (and therefore, copy) the ts code that returns the code.

I have no idea what ts code is, but the entire concept of the data sent directly from the online server to the game server being completely public to everyone makes no sense to me. The ONLY way to guarantee security is to have a direct communication between both of the servers, not just one sending data and the other accepting whatever data it receives. A code to be returned by the game server seems like a great idea to me. I don't think that anyone could view and copy the random code if it isn't being sent to them.
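The challenge-code design argued over in the last few posts (the web server sends a random one-time code to the game server's address and accepts stats only when that code is echoed back), written out as an added Python example; this is not code from the thread or from Blockland. The in-memory inbox transport, the sample addresses and the 30-second expiry are assumptions standing in for a real TCP connection to the claimed host:port.

```python
import secrets
import time

NONCE_TTL = 30.0  # seconds a challenge code stays valid (assumed)
# Constructed stand-in for the network: each address has an inbox that only
# its owner can read. Real code would open a TCP connection to host:port.
inboxes = {}

def deliver(addr, msg):
    inboxes.setdefault(addr, []).append(msg)

class WebServer:
    """Issues one-time challenge codes to the claimed game-server address."""
    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}   # nonce -> (claimed address, issue time)
        self.accepted = {}  # address -> last accepted stats payload

    def start_challenge(self, claimed_addr):
        nonce = secrets.token_hex(16)     # 128-bit random code, not guessable
        self.pending[nonce] = (claimed_addr, self.now())
        deliver(claimed_addr, nonce)      # goes to the address, not the submitter
        return nonce

    def submit(self, peer_addr, nonce, stats):
        """Accept stats only if the echoed code is live and came from peer_addr."""
        entry = self.pending.pop(nonce, None)   # pop: each code is usable once
        if entry is None:
            return False                        # unknown code or replay
        addr, issued = entry
        if addr != peer_addr or self.now() - issued > NONCE_TTL:
            return False                        # wrong sender or expired
        self.accepted[addr] = stats
        return True

class GameServer:
    """Echoes codes it really received; its script being public does not matter."""
    def __init__(self, addr):
        self.addr = addr
    def respond(self, web, stats):
        # In real code the web server takes peer_addr from the socket, not the payload.
        codes = inboxes.get(self.addr, [])
        return bool(codes) and web.submit(self.addr, codes.pop(0), stats)

if __name__ == "__main__":
    web = WebServer()
    real = GameServer(("203.0.113.10", 28000))           # constructed address
    web.start_challenge(real.addr)
    print(real.respond(web, {"blid": 12345, "wins": 3}))  # True: real server echoed
    print(web.submit(real.addr, "guessed", {"wins": 9})) # False: forger never saw the code
```

Because the code is random, single-use and delivered only to the claimed address, a modified client script that merely claims "pro status" gains nothing unless it also controls that address.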