Topic: Secure web/blockland communication

I have no idea what ts code is, but the entire concept of the data sent directly from the online server to the game server being completely public to everyone makes no sense to me.  The ONLY way to guarantee security is to have a direct communication between both of the servers, not just one sending data and the other accepting whatever data it receives.  A code to be returned by the game server seems like a great idea to me.  I don't think that anyone could view and copy the random code if it isn't being sent to them.
Destroy this idea in two words: Packet sniffers

Destroy this idea in two words: Packet sniffers
That's not even the first problem.

Anyone can copy the code that feeds the authorization code from the server into their own script.

server.cs pseudocode:
Code:
sendData($data);
receiveAuth($code);
sendBackAuth($code);

I can make my own server.cs that goes like this:
Code:
sendData($LOLFAKEDATA);
receiveAuth($code);
sendBackAuth($code);

Do you really think someone wants some silly Blockland data so bad that they would try and intercept it?

Why would the online server be stupid enough to send the code to the same address that sent the data?  Can't the server filter out things that come from IPs other than your game server?

If you want to prevent people from tampering data uploaded, forget it.

If you want to stop people from forging their BLID, you can attempt.

Do you really think someone wants some silly Blockland data so bad that they would try and intercept it?
That's not the problem.

I don't care if they see the data. I care if they upload bad data.

Why would the online server be stupid enough to send the code to the same address that sent the data?  Can't the server filter out things that come from IPs other than your game server?
Ok, you are obviously not getting this. This is an ADD-ON. It will be used on people's servers. If I wanted to make this private, none of this stuff would even be an issue. So yes, the webserver can detect IP address. But that means exactly NOTHING.

That's not the problem.

I don't care if they see the data. I care if they upload bad data.
Ok, you are obviously not getting this. This is an ADD-ON. It will be used on people's servers. If I wanted to make this private, none of this stuff would even be an issue. So yes, the webserver can detect IP address. But that means exactly NOTHING.

Ok, now that I know this is a public addon, I don't understand why you want to encode data.  If someone wanted to send BS data, whoop de doop, that's fine, there is no way to differentiate good data from bad data, but the way the data will be saved will be by IP, so they cannot screw with data that is from an honest server.

   client bob's variable "queerness" went from 12 to 13 on your server
   game tells online server new information
   online server receives data and saves it by IP received
   bob wants to cheat and set his queerness back to 0, so he copies the code and properly tells the online server his information
   online server receives data and saves it under Bob's IP, but not the server's
   bob still has a queerness value of 13, but if he hosts his server, it will be 0 there.

Where is the issue here?  The only issue I see is that if you want to track a player's stats across all servers with your addon, which means making this secure is impossible, because servers lie.

Ok, now that I know this is a public addon, I don't understand why you want to encode data.  If someone wanted to send BS data, whoop de doop, that's fine, there is no way to differentiate good data from bad data, but the way the data will be saved will be by IP, so they cannot screw with data that is from an honest server.

   client bob's variable "queerness" went from 12 to 13 on your server
   game tells online server new information
   online server receives data and saves it by IP received
   bob wants to cheat and set his queerness back to 0, so he copies the code and properly tells the online server his information
   online server receives data and saves it under Bob's IP, but not the server's
   bob still has a queerness value of 13, but if he hosts his server, it will be 0 there.

Where is the issue here?  The only issue I see is that if you want to track a player's stats across all servers with your addon, which means making this secure is impossible, because servers lie.
That. Doesn't make sense.

no wait i see

the problem is Nexus, that I don't trust the server

no wait i see

the problem is Nexus, that I don't trust the server

I have to make assumptions on how your addon works, but correct me if the following doesn't apply

In order for the basic functionality of the mod to work, the game server tells the online server what the client has done.

There is already a 100% dependence on trust right here.  You just have to accept that people can send bad data.  As long as the data is saved by IP, honest servers can keep their honest data, and lying servers can go troll themselves to death with their crap data.

What if you have the BL server encrypt a message, like "This is a proper request". Then you have the webserver decrypt it, and if the message is correct (and it was encrypted properly), it's accepted.

What if you have the BL server encrypt a message, like "This is a proper request". Then you have the webserver decrypt it, and if the message is correct (and it was encrypted properly), it's accepted.
No, all a lying server has to do is use the addon that cucumberdude made, make absolutely no changes to it, and use it to send false data to the server.  All the data is created locally, and anything local can be easily faked without any way to tell if data is good or bad.

Addon used properly:
   bob plays in server actively
   bob's skill goes from 3 to 4
   server goes through an extensive process of encrypting the data and sending it to the webserver along with some verification codes to ensure that the server is actually using the addon, along with 62 other steps to ensure that the data was not faked

Addon not used properly:
   bob gets the addon and opens a server
   bob opens the console and calls the function that levels him from 3 to 4
   server goes through an extensive process of encrypting the data and sending it to the webserver along with some verification codes to ensure that the server is actually using the addon, along with 62 other steps to ensure that the data was not faked


do you see the unavoidable issue?  The only thing you have to differentiate the data is the IP

People are richards and they will abuse it, and there's absolutely no way for you to stop them in Torque. Sorry.
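The thread's conclusion, stated twice above (data saved by IP keeps lying servers away from honest servers' records, and the IP is the only thing left to differentiate data), can be shown as a small web-side model. The following is an added example and not code from the thread or from cucumberdude's add-on; it assumes a per-server secret key issued when a server registers with the web service (the thread only talks about IP, so the key registry, the nonce field and the stat names are constructed assumptions). It shows that a keyed signature stops a sniffed packet from being replayed or edited, but that a server running the unmodified add-on can still sign any value it likes, so the only defences left are scoping each record to the submitting server and revoking servers that abuse the service.

```python
import hmac
import hashlib
import json


# Constructed example: per-server secrets, issued at registration (assumption:
# the thread never describes key issuance; a dict stands in for that registry).
SERVER_KEYS = {
    "203.0.113.10": b"honest-server-key-constructed",
    "198.51.100.7": b"bobs-server-key-constructed",
}


def sign(key, message):
    """Serialize a stat update and compute an HMAC-SHA256 tag over it."""
    payload = json.dumps(message, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload, tag


class StatsService:
    """Web-side endpoint that stores stats scoped by submitting server."""

    def __init__(self, server_keys):
        self.server_keys = dict(server_keys)
        self.records = {}        # server_ip -> {player: {stat: value}}
        self.seen_nonces = set() # rejects straight replays of a sniffed packet

    def verify(self, server_ip, payload, tag):
        key = self.server_keys.get(server_ip)
        if key is None:
            return False
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)

    def submit(self, server_ip, payload, tag):
        """Return 'accepted' or a short rejection reason."""
        if not self.verify(server_ip, payload, tag):
            return "rejected: bad signature"
        msg = json.loads(payload)
        if msg["nonce"] in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(msg["nonce"])
        per_server = self.records.setdefault(server_ip, {})
        per_server.setdefault(msg["player"], {})[msg["stat"]] = msg["value"]
        return "accepted"

    def revoke(self, server_ip):
        """Remove a violator from the service: drop its key and its records."""
        self.server_keys.pop(server_ip, None)
        self.records.pop(server_ip, None)


def demo():
    svc = StatsService(SERVER_KEYS)
    honest, bobs = "203.0.113.10", "198.51.100.7"

    # 1. The honest server reports that bob's skill went from 3 to 4.
    payload, tag = sign(SERVER_KEYS[honest],
                        {"nonce": "n1", "player": "bob", "stat": "skill", "value": 4})
    r_honest = svc.submit(honest, payload, tag)

    # 2. Bob sniffs that packet and resends it from his own address:
    #    the tag was made with the honest server's key, so it fails.
    r_sniffed = svc.submit(bobs, payload, tag)

    # 3. The same packet resent again under the honest server's address
    #    carries a nonce already seen, so it is rejected as a replay.
    r_replay = svc.submit(honest, payload, tag)

    # 4. Editing the sniffed payload (skill back to 0) without the key
    #    breaks the tag.
    forged = payload.replace(b'"value": 4', b'"value": 0')
    r_forged = svc.submit(honest, forged, tag)

    # 5. Bob hosts his own server with the unmodified add-on and calls the
    #    level function from the console: the data is signed correctly and
    #    accepted, but it lands under his server's record, not the honest one.
    payload5, tag5 = sign(SERVER_KEYS[bobs],
                          {"nonce": "n2", "player": "bob", "stat": "skill", "value": 0})
    r_own_server = svc.submit(bobs, payload5, tag5)

    honest_view = svc.records[honest]["bob"]["skill"]
    bobs_view = svc.records[bobs]["bob"]["skill"]

    # 6. The service operator notices the abuse and removes the violator.
    svc.revoke(bobs)

    return {
        "honest": r_honest, "sniffed": r_sniffed, "replay": r_replay,
        "forged": r_forged, "own_server": r_own_server,
        "honest_view": honest_view, "bobs_view": bobs_view,
        "bobs_still_registered": bobs in svc.server_keys,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Steps 2 to 4 are what a signature buys: a third party who only sees the traffic cannot reuse or alter it. Step 5 is the point the thread keeps coming back to: the add-on itself generates and signs the data, so whoever runs it can sign anything, and the web side can only attribute the data to a server, isolate it, and revoke the server.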

People are richards and they will abuse it, and there's absolutely no way for you to stop them in Torque. Sorry.
:c

oh well

it's too bad we can't like, make our own .dso files or something

though I guess that would make it more difficult for new modders to learn, and would hide malicious code :/

:panda:

it's too bad we can't like, make our own .dso files or something
You have no reason to do this.

It will always be vulnerable and it is not worth your time. Just remove violators from the service.