Fwd: Writing a secure client/server with open source

David Gerard dgerard at gmail.com
Sun Apr 20 11:25:35 UTC 2008

to list as well.

---------- Forwarded message ----------
From: David Gerard <dgerard at gmail.com>
Date: 20 Apr 2008 12:25
Subject: Re: Writing a secure client/server with open source
To: edA-qa mort-ora-y <eda-qa at disemia.com>

On 20/04/2008, edA-qa mort-ora-y <eda-qa at disemia.com> wrote:
 > Andy wrote:

 >  > The general consensus is "The attacker already knows the algorithm" thus
 >  > revealing the source should not be a problem. Compilation is NOT a
 >  > secure way of hiding something anyway.

 > I agree, but at least it prevents casual abuse of the server.  That is,
 >   a bit of obfuscation is likely enough to rid the game of the majority
 >  of cheaters or abusers.  I agree it does nothing to deter the hardcore
 >  attacker.

It does nothing to stop them either, because their code can be copied
 and used by others. "Secure client" is fundamentally an oxymoron. See
 http://en.wikipedia.org/wiki/Trusted_client (which I rewrote a while
 ago to try to explain this simple point which nevertheless
 consistently evades people). You can't give people the secret and also
 keep it from them - it's *impossible*.

 If you want this to work, you have to make the *protocols* proof
 against cheats, e.g. only allowing a certain number of actions per
 time or whatever. Come up with a protocol that would still work if
 every single player had a copy of the protocol and could implement an
 optimal bot client for it ... because that's what they can do anyway.

 - d.

More information about the Discussion mailing list