Writing a secure client/server with open source

simo simo.sorce at xsec.it
Sun Apr 20 13:32:27 UTC 2008


On Sun, 2008-04-20 at 11:12 +0200, edA-qa mort-ora-y wrote:
> The question comes to the identity of the "Client". Basically I want
> to serve an official client, let's call it "WhatNots". Now, the source
> is completely open, and I wish to encourage everybody to make their own
> version of "WhatNots", but I don't want those copies to be able to
> identify as the official client with the score server.
> 
> I know this problem in the commercial game world, basically the one of
> preventing cheaters.  But that world has the advantage of using
> obfuscation in their authentication algorithms.
> 
> > You should try to answer the following questions:
> > What data needs to be secured?
> 
> The integrity of the scoring data on the server. It wishes only to
> accept scoring data from authorized clients (that is, the official
> game clients).
> 
> > Where is that data stored?
> 
> On the server.
> 
> > Where is that data being transferred from/to?
> 
> Produced by the client, transferred to the server.
> 
> > Who is that data being secured from?
> 
> People with unauthorized clients attempting to give themselves inflated
> scores.

You have a trust problem, and there is no other way to solve it than to
eliminate the problem of trust or to fully trust.

An easy solution (in terms of trust) is to remove the problem. Never
trust the client; always compute whatever you need to trust only server
side.

If you need to trust the client for other reasons (performance for
example), then the only way to fully trust it is by using a trusted
computing platform against the users, something free software does not
really like to do unless there is agreement from the user.

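The "never trust the client" design from the reply above, as an added example that is not part of the original thread or of any project mentioned in it. The client submits the moves it made, never a score; the server replays those moves against its own copy of the rules and derives the score itself, and rejects anything a legitimate client could not have produced. The toy grid game, its scoring rules and every name in the code (`make_board`, `replay`, `ScoreServer`) are assumptions made up for this illustration.

```python
"""Server-side score recomputation (illustrative toy, not a real game).

Toy rules (constructed for this example): a 5x5 grid, start at (0, 0),
some cells are walls, some hold a coin.  A move is one of U/D/L/R.
Score = coins collected * 100 - number of moves.  The client sends
only its move string; whatever "score" it claims is ignored.
"""
import random
import secrets

GRID = 5
MAX_MOVES = 40
COIN_POINTS = 100
DELTAS = {"U": (-1, 0), "D": (1, 0), "L": (0, -1), "R": (0, 1)}


def make_board(seed):
    """Deterministically derive walls and coins from the round seed, so the
    server can rebuild the exact board the client was shown."""
    rng = random.Random(seed)
    cells = [(r, c) for r in range(GRID) for c in range(GRID) if (r, c) != (0, 0)]
    rng.shuffle(cells)
    return set(cells[:5]), set(cells[5:9])  # (walls, coins), disjoint by construction


def replay(board, moves):
    """Recompute the score by simulating the moves against the server's board.
    Raises ValueError for anything an honest client could not have sent."""
    walls, coins = board
    if not isinstance(moves, str) or len(moves) > MAX_MOVES:
        raise ValueError("bad move list")
    pos = (0, 0)
    collected = set()
    for i, m in enumerate(moves):
        if m not in DELTAS:
            raise ValueError(f"unknown move {m!r} at index {i}")
        dr, dc = DELTAS[m]
        nxt = (pos[0] + dr, pos[1] + dc)
        if not (0 <= nxt[0] < GRID and 0 <= nxt[1] < GRID) or nxt in walls:
            raise ValueError(f"illegal move {m!r} at index {i}")
        pos = nxt
        if pos in coins:
            collected.add(pos)  # each coin counts once
    return len(collected) * COIN_POINTS - len(moves)


class ScoreServer:
    """Holds the per-round seed server-side; the client never gets to
    choose the board or the score."""

    def __init__(self):
        self._rounds = {}
        self.leaderboard = {}

    def start_round(self):
        round_id = secrets.token_hex(8)
        seed = secrets.randbits(64)
        self._rounds[round_id] = seed
        return round_id, make_board(seed)  # client needs the layout to draw it

    def submit(self, round_id, player, submission):
        seed = self._rounds.pop(round_id, None)  # one submission per round
        if seed is None:
            raise ValueError("unknown or already-scored round")
        score = replay(make_board(seed), submission.get("moves"))
        # The claimed score never reaches the leaderboard; a mismatch is
        # only a signal that this is not the official client.
        claimed = submission.get("score")
        flagged = claimed is not None and claimed != score
        self.leaderboard[player] = max(self.leaderboard.get(player, 0), score)
        return score, flagged


if __name__ == "__main__":
    srv = ScoreServer()
    rid, _board = srv.start_round()
    # A forged submission: no moves, but a claimed score of 9999.
    print(srv.submit(rid, "cheater", {"moves": "", "score": 9999}))
```

Note what this does and does not buy: the server now accepts only moves that are legal on its own board, so a modified client cannot forge a score it did not earn. It does nothing against a client that plays the game better than a human (a bot solving the board optimally), which is exactly the residual problem the reply says can only be closed by trusting the client's platform.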