Author Topic: Secure web/blockland communication  (Read 4716 times)

No, all a lying server has to do is use the addon that cucumberdude made, make absolutely no changes to it, and use it to send false data to the server.  All the data is created locally, and anything local can be easily faked without any way to tell if data is good or bad.

Addon used properly:
   bob plays in server actively
   bob's skill goes from 3 to 4
   server goes through an extensive process of encrypting the data and sending it to the webserver along with some verification codes to ensure that the server is actually using the addon, along with 62 other steps to ensure that the data was not faked

Addon not used properly
   bob gets the addon and opens a server
   bob opens the console and calls the function that levels him from 3 to 4
   server goes through an extensive process of encrypting the data and sending it to the webserver along with some verification codes to ensure that the server is actually using the addon, along with 62 other steps to ensure that the data was not faked

Do you see the unavoidable issue?  The only thing you have to differentiate the data is the IP.
The root of the problem here is that you're trusting the client.  This is how most game cheats and hacks get started.
You should not even allow the client to tell the server "my level is now 5".   Instead the client says "I swung at the zombie".  Then the server figures out what happened, and sends the result back: "1 killed, 300 to go until you are level 5".  The server is also responsible for keeping things reasonable.  There's nothing to stop bob the hacker from writing a script that tells the server "I swung at the zombie" 10,000 times.  But all the server has to do is send back something like "zombie is dead, can't attack it"  or other checks.


What is it you want to store on your server where you're worried about people sending bad data?
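An added example (not code from the thread or from Blockland) of the server-authoritative design the post above describes: the trusted side accepts only actions such as "I swung at the zombie", refuses state assertions such as "my level is now 5", computes the outcome itself, and rate-limits the 10,000-swings script. The kill-per-level count, the rate limit and the message format are constructed for the example.

```python
from dataclasses import dataclass, field

KILLS_PER_LEVEL = 300       # constructed rule: 300 kills per level
MAX_SWINGS_PER_SEC = 5      # constructed rate limit per player


@dataclass
class Player:
    level: int = 1
    kills: int = 0
    swing_times: list = field(default_factory=list)  # recent swing timestamps


@dataclass
class Zombie:
    hp: int = 1


class AuthoritativeServer:
    """Holds the only copy of game state that counts; clients only send actions."""

    def __init__(self):
        self.players: dict[str, Player] = {}
        self.zombies: dict[int, Zombie] = {}

    def handle(self, player_id: str, msg: dict, now: float) -> dict:
        player = self.players.setdefault(player_id, Player())
        # State assertions from the client are refused outright.
        if msg.get("type") == "set_level":
            return {"ok": False, "error": "clients cannot set state"}
        if msg.get("type") != "swing":
            return {"ok": False, "error": "unknown action"}
        # The server decides what "reasonable" means: sliding 1s window of swings.
        window = [t for t in player.swing_times if now - t < 1.0]
        if len(window) >= MAX_SWINGS_PER_SEC:
            return {"ok": False, "error": "too many swings"}
        window.append(now)
        player.swing_times = window
        # The server, not the client, knows whether the zombie is alive.
        zombie = self.zombies.get(msg.get("zombie"))
        if zombie is None or zombie.hp <= 0:
            return {"ok": False, "error": "zombie is dead, can't attack it"}
        zombie.hp -= 1
        if zombie.hp > 0:
            return {"ok": True, "killed": 0}
        # Only the server advances kills and levels.
        player.kills += 1
        if player.kills >= KILLS_PER_LEVEL:
            player.kills = 0
            player.level += 1
        return {"ok": True, "killed": 1, "level": player.level,
                "to_next": KILLS_PER_LEVEL - player.kills}
```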

> The root of the problem here is that you're trusting the client.  This is how most game cheats and hacks get started.
> You should not even allow the client to tell the server "my level is now 5".   Instead the client says "I swung at the zombie".  Then the server figures out what happened, and sends the result back: "1 killed, 300 to go until you are level 5".  The server is also responsible for keeping things reasonable.  There's nothing to stop bob the hacker from writing a script that tells the server "I swung at the zombie" 10,000 times.  But all the server has to do is send back something like "zombie is dead, can't attack it"  or other checks.
>
> What is it you want to store on your server where you're worried about people sending bad data?

That is already how blockland works, but there exists a function that is called when the zombie is killed.  The host can type that function into the console and cheat like that.

> The host can type that function into the console and cheat like that.

Whether or not the host wants to cheat on their own server is up to them - that's entirely irrelevant to what everyone's talking about. I think you're misunderstanding.

The simplest thing to do is to check on the server if the user agent is "Torque/1.0".
Of course it can be forged, but it's at least better than nothing.

> Whether or not the host wants to cheat on their own server is up to them - that's entirely irrelevant to what everyone's talking about. I think you're misunderstanding.

My understanding of how this is supposed to work has changed a few times, but since this is a webserver thing that involves potentially many servers, having a cheating server in there is just like having a hacking client in a server.

> My understanding of how this is supposed to work has changed a few times, but since this is a webserver thing that involves potentially many servers, having a cheating server in there is just like having a hacking client in a server.
Except in this case, even if the mod is server-side only, the client or the host will still be able to cheat data and ruin it for the rest of the users.