X-DOS
Joined: 17 May 2008 Posts: 19 Location: United World
Posted: Mon May 31, 2010 3:42 am Post subject: Module improving security
Hi,
I'm developing a module at the University to improve security in online games (the implementation is based on W:ET).
The server side is partly done: it works as a proxy between the ET engine and the ET mod (like ETPro). Currently it supports client groups (privilege levels), assigning them access to server commands (with inheritance), and banning by network address with CIDR.
I would base client authentication and authorization on GnuPG (or SSL), as GUIDs can be changed and a cheater could easily gain access to the server.
The problem that emerges is the need for a client side to handle authentication of an admin/player. The client can be cheated by a dishonest server admin, who forces him (the client) to download a faked module, which could steal the key and log the passphrase typed by the player.
Does someone have any ideas how to prevent this?
Thanks in advance for any hints.
Micha!
Joined: 23 Oct 2008 Posts: 17
Posted: Fri Jul 09, 2010 10:11 am Post subject:
I don't know.
(I only want to be polite and answer you.)
Kamel
Joined: 28 Sep 2003 Posts: 278 Location: Florida
Posted: Wed Nov 24, 2010 9:24 pm Post subject:
I'm a bit confused by your implementation, but if I understand you right, basically what you're concerned about is...
Server admin for ServerA joins ServerB.
Server admin for ServerB tricks the ServerA admin into downloading a client which poses a security threat to the ServerA admin.
Is this what you're getting at? If so, it would be easy to fix by forcing the user to agree to sending a userid/pass to the server.
If what you're worried about is someone hacking ServerA and changing things to trick a client, it sounds to me like you'd have bigger worries at that point? Perhaps I'm misunderstanding you.
_________________
"Common sense isn't very common."
X-DOS
Joined: 17 May 2008 Posts: 19 Location: United World
Posted: Sat Dec 25, 2010 5:41 pm Post subject:
Thanks for the reply.
Let's use the following example:
Alice has a server. She signed some players' certificates. Players use them to prove their identities to Alice's server with my module.
Bob has his own server too. He wants to possess some valid certificates. When players connect to his server, he can force them to download his faked module, which will act like mine but will steal private keys and log players' passphrases.
I have already done some brainstorming with friends and people from #etpro and #iowolfet (thanks a lot to them). Generally it's trivial to cheat a client and there is no good solution. Some ideas I have so far:
- cl_allowdownload 0 (not everyone will like it)
- a whitelist of trusted modules verified by the ET client engine (such a feature doesn't exist)
- using my service as a daemon that starts and performs the authentication procedure before ET's module loading (requires manual download)
- one-time passwords/tokens from a certified website (centralization; you need to visit the website every time you want to join a server - it's lame)
Thanks in advance for any hints
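A worked sketch of the third idea in the post above (a daemon that holds the credential and runs the authentication handshake before the game module is loaded), added here as an illustration; it is not part of the original posts and not code from X-DOS's module. It uses an HMAC over a per-player secret shared with Alice's server as a stand-in for the GnuPG/SSL signature the thread discusses, and the server addresses, player name and credential are constructed sample values. The point it shows is what the daemon must do beyond keeping the key out of the game process: it has to bind each answer to the endpoint the client itself connected to and the server has to issue single-use nonces. A module Bob pushes can still make the daemon log in, but only to Bob's address, so an answer Bob relays to Alice's server is rejected, and a captured answer cannot be replayed.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential. In the thread's design this would be a private
# key plus a certificate signed by Alice; here a per-player secret known to
# Alice's server stands in for it so the script runs with the standard library.
PLAYER = "player1"
PLAYER_SECRET = hashlib.sha256(b"constructed-sample-credential").digest()

# Hypothetical server addresses; the client binds its answer to the address it
# chose to connect to, never to a name the server sends it.
ALICE_ADDR = "alice.example:27960"
BOB_ADDR = "bob.example:27960"


def _transcript(endpoint: str, nonce: bytes) -> bytes:
    # The authenticated message covers the endpoint, so an answer produced for
    # one server is worthless at any other.
    return endpoint.encode() + b"\x00" + nonce


def _mac(secret: bytes, endpoint: str, nonce: bytes) -> bytes:
    return hmac.new(secret, _transcript(endpoint, nonce), hashlib.sha256).digest()


class GameServer:
    """Server-side part of the proxy module: hands out single-use nonces and
    checks that the answer was made for this server's own address."""

    def __init__(self, address: str, known_players: dict):
        self.address = address
        self.known_players = known_players   # name -> credential, Alice's registry
        self.pending = {}                    # name -> outstanding nonce

    def challenge(self, name: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[name] = nonce
        return nonce

    def verify(self, name: str, nonce: bytes, answer: bytes) -> bool:
        issued = self.pending.pop(name, None)   # popped, so a replay finds nothing
        if issued is None or not hmac.compare_digest(issued, nonce):
            return False
        secret = self.known_players.get(name)
        if secret is None:
            return False
        return hmac.compare_digest(_mac(secret, self.address, nonce), answer)


class AuthDaemon:
    """Stand-in for the separately started daemon. It owns the credential and
    runs the handshake itself against the endpoint the player connected to,
    before any downloaded module runs; the module never sees the key."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.__secret = secret

    def respond(self, endpoint: str, nonce: bytes) -> bytes:
        return _mac(self.__secret, endpoint, nonce)

    def authenticate(self, endpoint: str, server) -> bool:
        nonce = server.challenge(self.name)
        return server.verify(self.name, nonce, self.respond(endpoint, nonce))


class RelayingServer:
    """Bob's server: passes Alice's challenge to the victim and the victim's
    answer back to Alice, trying to log in to Alice's server as the victim."""

    def __init__(self, upstream: GameServer):
        self.upstream = upstream

    def challenge(self, name: str) -> bytes:
        return self.upstream.challenge(name)

    def verify(self, name: str, nonce: bytes, answer: bytes) -> bool:
        return self.upstream.verify(name, nonce, answer)


def honest_login() -> bool:
    alice = GameServer(ALICE_ADDR, {PLAYER: PLAYER_SECRET})
    return AuthDaemon(PLAYER, PLAYER_SECRET).authenticate(ALICE_ADDR, alice)


def relay_attack() -> bool:
    alice = GameServer(ALICE_ADDR, {PLAYER: PLAYER_SECRET})
    bob = RelayingServer(alice)
    daemon = AuthDaemon(PLAYER, PLAYER_SECRET)
    # The victim connected to Bob's address, so whatever module Bob pushed can
    # only make the daemon answer for BOB_ADDR; Alice checks for ALICE_ADDR.
    return daemon.authenticate(BOB_ADDR, bob)


def replay_attack() -> tuple:
    alice = GameServer(ALICE_ADDR, {PLAYER: PLAYER_SECRET})
    daemon = AuthDaemon(PLAYER, PLAYER_SECRET)
    nonce = alice.challenge(PLAYER)
    answer = daemon.respond(ALICE_ADDR, nonce)   # captured on the wire
    first = alice.verify(PLAYER, nonce, answer)
    again = alice.verify(PLAYER, nonce, answer)  # nonce already consumed
    return first, again


if __name__ == "__main__":
    print("honest login:", honest_login())
    print("relay via Bob:", relay_attack())
    print("first use, replay:", replay_attack())
```

The HMAC here only models the isolation and binding argument; with the certificate scheme from the post the daemon would sign the same transcript with the player's private key and Alice's server would verify it against the certificate she issued, which removes the need for her to hold any per-player secret.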