Jump to content
Eternal Lands Official Forums

Recommended Posts

I was wondering if there was any possible to connect to the server using SSL or another form of encryption? Currently, all the data sent to the server is sent as plaintext - That is, if anyone is sniffing your packets and you type in your username and password and click send, the sniffer can see exactly what you sent.

 

Using encryption would be very good, and it shouldn't be too hard to implement (Either a public key or a private key). It just means all your data is sent encryped, and secure.

Share this post


Link to post
Share on other sites
IMHO we don't need full data encryption, just something to protect the initial name/password and when you change your password. We could use something simple like CRAM-MD5 challenge-response authentication. That would offer enough protection for playing on a public wifi etc. I'd happily implement the client side....

 

That would address my concerns. Thank you.

Share this post


Link to post
Share on other sites
IMHO we don't need full data encryption, just something to protect the initial name/password and when you change your password.

agree,

Share this post


Link to post
Share on other sites
IMHO we don't need full data encryption, just something to protect the initial name/password and when you change your password.

agree,

 

On the other hand, it wouldnt hurt to crypt the whole traffic with a simple algorithm, something similar to ROT13 might do it.

 

CRYPT

z=1;
for(t=2;t<len;t++){  // don't crypt the length of the buffer (2 bytes)
  a=buff[t];
  a=a+z;
  z++;
  if(z>42) z=1;
  if(a>256) a=a-256;
  buff[t]=a;
}

DECRYPT

z=1;
for(t=2;t<len;t++){  // don't decrypt the length of the buffer (2 bytes)
  a=buff[t];
  a=a-z;
  z++;
  if(z>42) z=1;
  if(a<0) a=a+256;
  buff[t]=a;
}

 

This way we might even solve the problem of nosy virus scanners analyzing the data stream and shutting down the connection, because they think, its a trojan phoning home.

 

And, everything is unreadable, no chance for easy packet sniffing \ö/

 

Piper

Share this post


Link to post
Share on other sites

Exactly what fear could I have of people sniffing packets that reveal that I just killed a Yeti? :bow_arrow:

 

I guess a low-overhead crypt to address the algorithmic virus scanners isn't a bad idea... considering that, I guess, just telling people "run Linux" isn't really an acceptable solution for it.

Share this post


Link to post
Share on other sites
Exactly what fear could I have of people sniffing packets that reveal that I just killed a Yeti? :bow_arrow:

 

You might not want that every packet sniffer could read your chat that easily.

 

Privacy is the keyword.

 

Piper

Edited by The_Piper

Share this post


Link to post
Share on other sites

True. Especially when I'm n00bing out and telling people my password over PM like I did the other day (true story).

 

edit:

but, low-overhead pl0x.

Edited by Korrode

Share this post


Link to post
Share on other sites

Encryption wont stop any trojans though, they'll just read the user/password from the keyboard driver.. :bow_arrow: And if someone somehow got a packet sniffer onto your PC, odds is they could just as easily get a trojan there.

Share this post


Link to post
Share on other sites
Encryption wont stop any trojans though, they'll just read the user/password from the keyboard driver.. :bow_arrow: And if someone somehow got a packet sniffer onto your PC, odds is they could just as easily get a trojan there.

 

With the difference that a packet sniffer doesn't have to be on your PC, it just needs access to your network packets (another PC on the same hub would work just fine, for instance, not to mention unsecured WiFi networks)

Share this post


Link to post
Share on other sites

All it needs is one server on your traffic route to games.eternal-lands.com to be corrupted (before your game signal gets to the gameserver it hits at least 2 depending on where you live multiple times that much servers. if that server is compromised, or is standing in a badly configured server park. Then you may have a problem.

I had one time a server standing in a serverpark where when i put my networkcard into listening mode, could get all traffic packets from over 300 servers. the stuff i got during my 3 minutes test, included even the root password in clear text, of the gateway server (all traffic to any server at this park goes over this computer) of this serverpark. Needless to say that i left that serverpark for a more secure one. But the problem exists more often then one wants to admit it. so a base encryption should be the least that can be done.

Share this post


Link to post
Share on other sites
All it needs is one server on your traffic route to games.eternal-lands.com to be corrupted (before your game signal gets to the gameserver it hits at least 2 depending on where you live multiple times that much servers. if that server is compromised, or is standing in a badly configured server park. Then you may have a problem.

I had one time a server standing in a serverpark where when i put my networkcard into listening mode, could get all traffic packets from over 300 servers. the stuff i got during my 3 minutes test, included even the root password in clear text, of the gateway server (all traffic to any server at this park goes over this computer) of this serverpark. Needless to say that i left that serverpark for a more secure one. But the problem exists more often then one wants to admit it. so a base encryption should be the least that can be done.

If you can listen in on 300 server, get a new ISP! It's the switches, routers, and cables that are involved and any reasonable ISP will only give you traffic that belongs to you. Even a basic switch without configuration by default only sends the packets to the proper cable to route to the next node. If you can see 300 systems, that means they either use hubs or tried to configure their hardware and totally messed up. If it's a Virtual Server, then the network handler is acting like a hub, not a switch, so the same thing applies.

 

My ISP for example only sends down my wire my IP address range I have.

Share this post


Link to post
Share on other sites

I know the why i could see it all. Thats why i changed the company where my server was put on then. My point with that story was, normal people cannot be sure who sees what of the internet traffic they produce.

An other example i play the game with a regular ping of 30-40 ms. if i do a traceroute i have over 30 other computers in the list who all get the traffic i produce with the game. each of those computers could be hacked, and set up to sniff data for things like possible usernames and passwords. IF one of those Servers is connected with switches to other computers, they would not even be hacked themself to get that kind of data and there are legitim reasons why they can be connected in that way (sophisitcated server security protocols ideas are sometimes based on them).

It is clear i am trying to construct cases on how user data can be looked out, and then missused. The chances are small that out of the many servers in the internet that routes traffic, one that you uses is connected or hacked in a way that those datas are looked, out, and then the person/group doing it is actually interrested in EL, and stealing chars. its just a possibility that an encryption of at least the username password transfer could close

Share this post


Link to post
Share on other sites
I know the why i could see it all. Thats why i changed the company where my server was put on then. My point with that story was, normal people cannot be sure who sees what of the internet traffic they produce.

An other example i play the game with a regular ping of 30-40 ms. if i do a traceroute i have over 30 other computers in the list who all get the traffic i produce with the game. each of those computers could be hacked, and set up to sniff data for things like possible usernames and passwords. IF one of those Servers is connected with switches to other computers, they would not even be hacked themself to get that kind of data and there are legitim reasons why they can be connected in that way (sophisitcated server security protocols ideas are sometimes based on them).

It is clear i am trying to construct cases on how user data can be looked out, and then missused. The chances are small that out of the many servers in the internet that routes traffic, one that you uses is connected or hacked in a way that those datas are looked, out, and then the person/group doing it is actually interrested in EL, and stealing chars. its just a possibility that an encryption of at least the username password transfer could close

I wasn't trying to speak out against trying to encrypt. Just concerned with the traffic you saw in your tests.

 

People do need to remember that ANYTHING on the internet is exposed to risks of various levels, and in some parts of the world the simplicity of capturing traffic is much easier then in others.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×