banimod / etpro / ettv forums
Bani's Discussion Forums
 

Module improving security

 
X-DOS



Joined: 17 May 2008
Posts: 19
Location: United World

Posted: Mon May 31, 2010 3:42 am    Post subject: Module improving security

Hi,
I'm developing at the University a module to improve security in online games (the implementation is based on W:ET).
The server side is partly done - it's working as a proxy between the ET engine and the ET mod (like ETPro). Currently it supports client groups (levels of privileges), assigning them access to server commands (with inheritance), and banning by network addresses with CIDR.
I would base client authentication and authorization on GnuPG (or SSL) - as GUIDs can be changed and a cheater could easily gain access to the server.
A problem is emerging: the need for a client side to handle authentication of an admin/player. The client can be cheated by a dishonest server admin forcing him (the client) to download a faked module, which could steal the key and log the passphrase typed by the player.
Does someone have any ideas how to prevent this?
Thanks in advance for any hints.
Micha!



Joined: 23 Oct 2008
Posts: 17

Posted: Fri Jul 09, 2010 10:11 am

I don't know

(I only want to be polite and answer you :P )
Kamel



Joined: 28 Sep 2003
Posts: 278
Location: Florida

Posted: Wed Nov 24, 2010 9:24 pm

I'm a bit confused by your implementation, but if I understand you right, basically what you're concerned about is...

Server admin for ServerA joins ServerB
Server admin for ServerB tricks ServerA admin into downloading a client which poses a security threat to ServerA admin.

Is this what you're getting at? If so, it would be easy to fix by forcing the user to agree to sending a userid/pass to the server.

If what you're worried about is someone hacking ServerA and changing things to trick a client, sounds to me like you'd have bigger worries at that point? Perhaps I'm misunderstanding you.
_________________
"Common sense isn't very common."
X-DOS



Joined: 17 May 2008
Posts: 19
Location: United World

Posted: Sat Dec 25, 2010 5:41 pm

Thanks for the reply.

Let's use the following example:
Alice has a server. She signed some players' certificates. Players use them to prove their identities to Alice's server with my module.
Bob has his own server too. He wants to possess some valid certificates. When players are connecting to his server, he can force them to download his faked module, which will act like mine but will steal private keys and log players' pass-phrases.

I have done some brainstorming already with friends and people from #etpro and #iowolfet (thanks a lot to them). Generally it's trivial to cheat a client and there is no good solution. Some ideas I have by now:
- cl_allowdownload 0 (not everyone will like it)
- whitelist of trusted modules verified by ET client engine (such feature doesn't exist)
- using my service as a daemon that starts and performs authentication procedures before ET's module loading (requires manual download)
- one-time passwords/tokens from certified website (centralization; need of visiting the website every time you want to join a server - it's lame)

Thanks in advance for any hints
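The "whitelist of trusted modules" idea from the last post, sketched as an added example (not code from the thread or from the ET engine): before loading anything from a downloaded pk3, the client hashes each native binary inside it and refuses any whose SHA-256 is not on an allowlist shipped with the client. The module file name, the extension list and the sample bytes are assumptions constructed for the demo.

```python
import hashlib
import io
import zipfile

# Extensions treated as native code the client would load (assumption).
NATIVE_EXTS = (".dll", ".so", ".dylib")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_pk3(members: dict) -> bytes:
    """Build an in-memory pk3 (zip archive) from constructed sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def check_pk3(pk3_bytes: bytes, trusted_digests: set) -> list:
    """Return (name, digest) for each native member that is not allowlisted.

    The server picks the file name, so only the content digest is trusted.
    """
    rejected = []
    with zipfile.ZipFile(io.BytesIO(pk3_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(NATIVE_EXTS):
                continue  # maps, textures, scripts: not loaded as code
            digest = sha256_hex(zf.read(info))
            if digest not in trusted_digests:
                rejected.append((info.filename, digest))
    return rejected


# Constructed stand-ins for the genuine module and Bob's look-alike.
GENUINE = b"genuine auth module build (constructed bytes)"
FAKE = b"look-alike module that logs the passphrase (constructed bytes)"
TRUSTED = {sha256_hex(GENUINE)}  # shipped with the client, never by a server

alice_pk3 = make_pk3({"cgame_mp_x86.dll": GENUINE, "maps/demo.bsp": b"map"})
bob_pk3 = make_pk3({"cgame_mp_x86.dll": FAKE, "maps/demo.bsp": b"map"})

if __name__ == "__main__":
    for label, pk3 in (("alice", alice_pk3), ("bob", bob_pk3)):
        bad = check_pk3(pk3, TRUSTED)
        print(label, "load" if not bad else f"refuse: {bad[0][0]}")
```

The check only helps if it runs in code the server cannot replace, which is why the post notes that the engine itself would have to provide it.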
All times are GMT - 8 Hours