Module improving security

Posted: Mon May 31, 2010 3:42 am
by X-DOS
Hi,
I'm developing at the University a module to improve security in online games (the implementation is based on W:ET).
The server-side is partly done - it's working as a proxy between the ET engine and the ET mod (like ETPro). Currently it supports client groups (levels of privileges), assigning them access to server commands (with inheritance) and banning by network address with CIDR.
I would base client authentication and authorization on GnuPG (or SSL), as GUIDs can be changed and a cheater could easily gain access to the server.
The problem that emerges is the need for the client side to handle authentication of an admin/player. The client can be cheated by a dishonest server admin, forcing him (the client) to download a faked module, which could steal the key and log the passphrase typed by the player.
Does someone have any ideas how to prevent this?
Thanks in advance for any hints.

Posted: Fri Jul 09, 2010 10:11 am
by Micha!
I don't know

(I only want to be polite and answer you :P )

Posted: Wed Nov 24, 2010 9:24 pm
by Kamel
I'm a bit confused by your implementation, but if I understand you right, basically what you're concerned about is...

Server admin for ServerA joins ServerB
Server admin for ServerB tricks ServerA admin into downloading a client which poses a security threat to ServerA admin.

Is this what you're getting at? If so, it would be easy to fix by forcing the user to agree to sending a userid/pass to the server.

If what you're worried about is someone hacking ServerA and changing things to trick a client, it sounds to me like you'd have bigger worries at that point? Perhaps I'm misunderstanding you.

Posted: Sat Dec 25, 2010 5:41 pm
by X-DOS
Thanks for the reply.

Let's use the following example:
Alice has a server. She signed some players' certificates. Players use them to prove their identities to Alice's server with my module.
Bob has his own server too. He wants to possess some valid certificates. When players are connecting to his server, he can force them to download his faked module, which will act like mine but will steal private keys and log players' passphrases.

I have done some brainstorming already with friends and people from #etpro and #iowolfet (thanks a lot to them). Generally it's trivial to cheat a client and there is no good solution. Some ideas I have by now:
- cl_allowdownload 0 (not everyone will like it)
- whitelist of trusted modules verified by ET client engine (such feature doesn't exist)
- using my service as a daemon that starts and performs authentication procedures before ET's module loading (requires manual download)
- one-time passwords/tokens from certified website (centralization; need of visiting the website every time you want to join a server - it's lame)

Thanks in advance for any hints
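As an added illustration of the daemon idea (the third point in the list above), here is a constructed demo that is not the module's own code: the credential lives in a separate agent that talks to the server itself, so a downloaded module only ever gets back a yes/no, and the response is bound to the server's identity, which defeats a server that merely relays Alice's challenge to the player. HMAC with a secret shared with Alice stands in for the certificate signature, and a Python function boundary stands in for the process boundary; the server names and player name are made up.

```python
import hashlib, hmac, secrets

# Constructed demo, not the W:ET module's code. HMAC over a secret shared
# with Alice stands in for the certificate signature; the real design would
# sign with the player's key and verify against the cert Alice issued.

class Server:
    """Alice's server. It knows each player's verification secret."""
    def __init__(self, name, players):
        self.name, self._players, self._pending = name, players, {}
    def issue_challenge(self, player):
        nonce = secrets.token_bytes(16)
        self._pending[player] = nonce
        return nonce
    def verify(self, player, response):
        nonce = self._pending.pop(player, None)
        if nonce is None:
            return False  # nothing outstanding: replay or out of order
        msg = self.name.encode() + b"|" + nonce  # bound to this server
        expect = hmac.new(self._players[player], msg, hashlib.sha256).digest()
        return hmac.compare_digest(expect, response)

class AuthAgent:
    """Stands for the daemon started before the ET module loads: it holds
    the secret and talks to the server itself, so the downloaded module
    never sees the key, the passphrase or even the challenge."""
    def __init__(self, player, secret):
        self._player, self._secret = player, secret
    def login(self, server):
        nonce = server.issue_challenge(self._player)
        msg = server.name.encode() + b"|" + nonce  # name the agent connected to
        response = hmac.new(self._secret, msg, hashlib.sha256).digest()
        return server.verify(self._player, response)

def module_login(agent_login, server):
    """All a downloaded (possibly fake) module gets: a callback and a bool."""
    return agent_login(server)

def demo():
    secret = secrets.token_bytes(32)
    alice = Server("alice.example", {"player1": secret})
    agent = AuthAgent("player1", secret)
    honest = module_login(agent.login, alice)
    # Bob's server relays Alice's challenge to the player and the answer back;
    # the agent binds its answer to "bob.example", so Alice rejects it.
    class Relay:
        name = "bob.example"
        def issue_challenge(self, player): return alice.issue_challenge(player)
        def verify(self, player, response): return alice.verify(player, response)
    return {"honest": honest, "relayed": module_login(agent.login, Relay())}
```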