Writing a secure client/server with open source

edA-qa mort-ora-y eda-qa at disemia.com
Sun Apr 20 09:12:27 UTC 2008

Andy wrote:
> The general consensus is "The attacker already knows the algorithm" thus
> revealing the source should not be a problem. Compilation is NOT a
> secure way of hiding something anyway.

I agree, but at least it prevents casual abuse of the server.  That is,
 a bit of obfuscation is likely enough to rid the game of the majority
of cheaters or abusers.  I agree it does nothing to deter the hardcore

> Protect from whom? This is in fact one of the most important questions.
> If your just trying to protect a users login details then it's unlikely
> they are going to try to breach their own security (and it's their own
> fault if they do).

I can make this clearer, there are three "entities" involved:
1. The Server
2. The Client
3. The Player

The server has no problem with identity, it knows who it is.  The Player
will authenticate with a known safe protocol (HTTPS and MD5 password
possibly), and will be prompted for his password when he connects.

The question comes to the identity of the "Client".  Basically I want to
server an official client, let's call it "WhatNots".  Now, the source if
completely open, and I wish to encourage everybody to make their own
version of "WhatNots", but I don't want those copies to be able to
identify as the official client with the score server.

I know this problem in the commercial game world, basically the one of
preventing cheaters.  But that world has the advantage of using
obfuscation in their authentication algorithms.

> You should try to answer the following questions:
> What data needs to be secured?

The integrity of the scoring data on the server.  It wishes only to
accept scoring data from authorized clients (that is, the official game

> Where is that data is stored?

On the server.

> Where is that data is being transferred from/to?

Produced by the client, transferred to the server.

> Who is that data is being secured from?

People with unathorized clients attempting to give themselves inflated

edA-qa mort-ora-y
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
The dis-Emi-A haXe Library -- all you'd ever need to make Flash games
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Sign: Please digitally sign your emails.
Encrypt: I'm also happy to receive encrypted mail.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fsfe.org/pipermail/discussion/attachments/20080420/824176a0/attachment.sig>

More information about the Discussion mailing list