Fwd: Writing a secure client/server with open source
David Gerard
dgerard at gmail.com
Sun Apr 20 11:25:35 UTC 2008
to list as well.
---------- Forwarded message ----------
From: David Gerard <dgerard at gmail.com>
Date: 20 Apr 2008 12:25
Subject: Re: Writing a secure client/server with open source
To: edA-qa mort-ora-y <eda-qa at disemia.com>
On 20/04/2008, edA-qa mort-ora-y <eda-qa at disemia.com> wrote:
> Andy wrote:
> > The general consensus is "The attacker already knows the algorithm" thus
> > revealing the source should not be a problem. Compilation is NOT a
> > secure way of hiding something anyway.
> I agree, but at least it prevents casual abuse of the server. That is,
> a bit of obfuscation is likely enough to rid the game of the majority
> of cheaters or abusers. I agree it does nothing to deter the hardcore
> attacker.
It does nothing to stop them either, because their code can be copied
and used by others. "Secure client" is fundamentally an oxymoron. See
http://en.wikipedia.org/wiki/Trusted_client (which I rewrote a while
ago to try to explain this simple point which nevertheless
consistently evades people). You can't give people the secret and also
keep it from them - it's *impossible*.
If you want this to work, you have to make the *protocols* proof
against cheats, e.g. only allowing a certain number of actions per
time or whatever. Come up with a protocol that would still work if
every single player had a copy of the protocol and could implement an
optimal bot client for it ... because that's what they can do anyway.
- d.
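
An added example, not part of the original post: one way a server can enforce the "certain number of actions per time" rule mentioned above, so that an optimal bot client gains nothing by sending faster than the protocol allows. The class name, the rate and burst values, and the player id are assumptions made for illustration; the arrival times are constructed sample input.

```python
import time


class ActionLimiter:
    """Token bucket kept on the server: one budget per authenticated player."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate = rate      # actions refilled per second (assumed game rule)
        self.burst = burst    # most actions a player can save up
        self.clock = clock    # server clock only; client timestamps are ignored
        self._state = {}      # player_id -> (tokens, time of last request)

    def allow(self, player_id):
        now = self.clock()
        tokens, last = self._state.get(player_id, (self.burst, now))
        # Refill for the time elapsed since this player's last request.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        accepted = tokens >= 1.0
        if accepted:
            tokens -= 1.0
        self._state[player_id] = (tokens, now)
        return accepted


def simulate(send_times, rate=2.0, burst=3.0):
    """Replay constructed arrival times (seconds) for one player; count accepted actions."""
    now = [0.0]
    limiter = ActionLimiter(rate, burst, clock=lambda: now[0])
    accepted = 0
    for t in send_times:
        now[0] = t
        accepted += limiter.allow("player-1")  # hypothetical player id
    return accepted


if __name__ == "__main__":
    human = [i * 0.5 for i in range(20)]   # constructed: 2 actions/s for 10 s
    bot = [i / 64 for i in range(640)]     # constructed: 64 actions/s for 10 s
    print("human accepted:", simulate(human))
    print("bot accepted:  ", simulate(bot))
```

The accepted count is bounded by burst + rate × elapsed time no matter how fast the client sends, and nothing in the check depends on the client being unmodified.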