WebApp Sec mailing list archives
Re: securing web based game
From: "Tim Aranki" <tim.aranki () dev-quest com>
Date: Mon, 23 Dec 2002 10:13:09 -0600
Hi,

I am assuming that the FPS game is against some AI, and not other players online, is this correct? B/c, if it is real-time (it will definitely be slow over HTTP), then you are sending and receiving a lot of data to the client, and in that case, the easy/secure solution is to have the server determine if a point was made.

My guess is that this is a stand-alone flash game that you would like users to play, and then have the score posted back to your server. This means that in your scenario, the client has a one-time download, and then no communication with the server until the game is completed, correct?

In this case, you are facing the age-old question: "what is secure enough?" That is not a question I can answer for you, as you know best the ramifications of someone cheating on your game.

The sessionID/hash that you are talking about is a solution that will stop the casual cheater, but not anyone who knows what they are doing, and has 10 minutes to spare.

The problem you are facing is that any logic you put on the client side is going to be somewhat trivial to hack and leverage against you. This is why online games run off a central gaming server/cluster. Again, your security solution here will depend on "what is secure enough" for you.

-tim

----- Original Message -----
From: "Tomas" <tomasg () extra lt>
To: <webappsec () securityfocus com>
Sent: Monday, December 23, 2002 2:31 AM
Subject: Re: securing web based game
As far as I understood from your post, whenever game runs on a client-side and server just receives final data from client, there always will be a possibility to cheat. However, I want to _reduce_ that possibility to minimum.

The game is something like an online shooter, so using direct connection or every time verifying if target was hit isn't a good idea, because lag can occur. Nobody likes it :)

So session ID + algorithm is the best idea so far. Isn't it?

Tomas

----- Original Message -----
From: "Adam [ckkl]" <ckkl () poczta wp pl>
Sent: Monday, December 23, 2002 2:12 AM
Subject: Re: securing web based game

let the server (instead of client) decide about the points

Much better, but still not good enough. The server will need some information to calculate the gamepoints from and here we are again. Live with the certainty that a gamer with too much time to spare will crack any system and concentrate on the gameplay instead.

I would say that as far as server does everything and there's no "Joshua" hardcoded - it may be a quite safe solution

what I meant above is that the server does the business logic and client is just a layer for presentation [a common solution nowadays]

I agree of course, that there's always a way to cheat

it just depends strictly on what kind of game it is

for interactive games - it's virtually possible to write a bot to analyze server's sequence of data and to answer with a perfect match [f.ex. sequence of keystrokes to find a way out of a maze], for gambling ones /BJ, roulette, etc./ things are random and if done on the server, you are unable to do anything, because all you see is just the results

hmm what a fascinating topic... going to find some online casino there must be some flaws :-PPPP

Just my 5 bolivars...

Best regards
Adam
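
The following is an added example, not code from any poster in this thread. It sketches what a server can enforce when the client only posts a final score: a single-use session ID, the "session ID + hash" check, and plausibility bounds on time and score. The hash scheme, `CLIENT_SECRET`, the limits and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: this constant ships inside the downloadable client, so anyone
# who unpacks the client can read it. It only deters casual tampering.
CLIENT_SECRET = "constructed-demo-secret"
MAX_POINTS_PER_SECOND = 5   # assumed game-design limit
MIN_GAME_SECONDS = 10       # assumed shortest possible round
SESSIONS = {}               # session_id -> start time (in-memory demo store)


def score_hash(session_id, score):
    """Hash the client sends along with its score (hypothetical scheme)."""
    data = f"{session_id}:{score}:{CLIENT_SECRET}".encode()
    return hashlib.sha256(data).hexdigest()


def start_game(now=None):
    """Issue a session ID when the game is downloaded and note the time."""
    session_id = secrets.token_hex(16)
    SESSIONS[session_id] = time.time() if now is None else now
    return session_id


def submit_score(session_id, score, digest, now=None):
    """Return 'accepted' or a rejection reason for a posted score."""
    now = time.time() if now is None else now
    started = SESSIONS.pop(session_id, None)  # single use: replays fail
    if started is None:
        return "rejected: unknown or reused session"
    expected = score_hash(session_id, score)
    if not hmac.compare_digest(digest.encode(), expected.encode()):
        return "rejected: hash mismatch"
    elapsed = now - started
    if elapsed < MIN_GAME_SECONDS:
        return "rejected: finished too fast"
    if not 0 <= score <= elapsed * MAX_POINTS_PER_SECOND:
        return "rejected: score not reachable in the time played"
    return "accepted"
```

A submission built with the extracted secret is still accepted as long as it stays under the time-based ceiling, which is the "what is secure enough" limit described in the thread; only moving the scoring logic to the server removes it.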