Trash Talk - Suggestion to Ekted

Qndre - Thu Mar 25, 2004 4:36 pm
Post subject: Suggestion to Ekted
OK, OK, the Continuum encryption is very strong, but one thing I don't like about it is that it's much too weak to send a password through it. (I know every time we log in at a website our password is visible, but in Continuum it's a known problem, while on the web most people don't know.) Password thefts have been done by reading the "profile.dat" or by sniffing network packets. So my suggestion to you is to make the password encryption (as they are stored in the Registry, in "profile.dat" and sent to the server) one-way and SSL-like. Like MD5, for example. Then you can't decrypt the passwords any more, so you can't send them "unencrypted" (only secured by Continuum encryption) to the server, and no software can easily decrypt them out of the "profile.dat" any more. This means it would require a change in the server software, too. The server could just compare the two encrypted values instead of the original password, like almost every webserver with a database does. So people could trust Continuum a bit more.
Once I typed the password I use for my webserver into Continuum's login, and I changed it because I didn't really trust Continuum (at some servers I actually saw my password transmitted unencrypted, but that's another problem). A new encryption for the passwords would make it more secure. Mr Ekted, please talk to PriitK too, because a change on the server side will be necessary if the idea were to be realized.
_
Thanks, Qndre
Mr Ekted - Thu Mar 25, 2004 5:24 pm
Post subject:
MD5 is not an encryption method. Learn before you speak.
Mine GO BOOM - Thu Mar 25, 2004 5:30 pm
Post subject:
The idea of encryption is so that you can revert the process to get the original password. If you would MD5 the password, a person who sniffs the packet would get this MD5'd password, and thus can just use that as a password if they wanted to steal it.

The way Continuum works is already what you are requesting. The password is only ever sent in plain text one time, the first time you create your name. Afterwards, the password, for SSC zones, is hashed with the information the SSC billing server sends to the client. Thus, if you log into an SSC zone, even if it is running ASSS and you don't trust the sysop/coders of that zone, your password is secure, since ASSS would only see this hashed password. So as long as the Client and Billing server are closed source, logging into a zone with your password already created is safe from people sniffing between the client/billing server.

As to what you want for your software, if a new connection type is created for ASSS, people can use a separate "spec" password. At some point in time, a user can tell the billing server (or that specific zone) to create a "spec" account with a new password. That way, their master password is secure with Continuum, while if someone steals their spec password, it would only work to talk in game. If done with ASSS, this could also allow a special banner or icon next to the name to signal that this is a spec client, and not a normal one.
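A constructed illustration of the two points made above (a sniffed plain MD5 of the password can simply be replayed, whereas a hash that mixes in a fresh value sent by the server cannot). This is an added example, not code from the thread or from Continuum/SSC/subbill; the scheme names, HMAC-SHA256 and the sample password are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample password; not a real credential.
PASSWORD = b"correct horse battery staple"


# --- Scheme 1: client sends MD5(password), server compares against stored MD5 ---
def md5_login_token(password: bytes) -> bytes:
    """What Qndre proposed: the client transmits a fixed one-way hash."""
    return hashlib.md5(password).hexdigest().encode()


def md5_server_verify(token: bytes, stored_md5: bytes) -> bool:
    return hmac.compare_digest(token, stored_md5)


# --- Scheme 2: server sends a fresh challenge, client hashes password with it ---
def new_challenge() -> bytes:
    """Fresh random value issued by the (assumed) billing server per login."""
    return os.urandom(16)


def challenge_response(password: bytes, challenge: bytes) -> bytes:
    """Response bound to this login only (HMAC-SHA256 is an assumption)."""
    return hmac.new(password, challenge, hashlib.sha256).digest()


def challenge_server_verify(response: bytes, challenge: bytes, password: bytes) -> bool:
    return hmac.compare_digest(response, challenge_response(password, challenge))


def sniffed_md5_replays() -> bool:
    """Scheme 1: a token captured once on the wire logs in again unchanged."""
    stored = md5_login_token(PASSWORD)
    captured = md5_login_token(PASSWORD)  # exactly what a sniffer saw on login 1
    return md5_server_verify(captured, stored)


def sniffed_response_replays() -> bool:
    """Scheme 2: the captured response is useless against the next challenge."""
    first = new_challenge()
    captured = challenge_response(PASSWORD, first)  # seen on the wire on login 1
    second = new_challenge()                         # server issues a new challenge
    return challenge_server_verify(captured, second, PASSWORD)
```

Scheme 2 stops replay, but a captured challenge/response pair still allows offline password guessing, so it protects a strong password, not a weak one reused everywhere.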
Qndre - Fri Mar 26, 2004 9:00 am
Post subject:
Mr Ekted wrote:
MD5 is not an encryption method. Learn before you speak.

It's called "encryption" everywhere, but I know it's actually a fingerprint (attention: not a checksum) algorithm.
_
Quote:

As Qndre is working on a new client, he has a couple of questions every so often. As it varies greatly over the course of his work, they don't fit any forum already created yet, so that is why this has been created.

As this may be a bit, please do not criticize his acts. He is working on a project, that when completed, will help the SS community. As a few people have seem to take it upon themselves to not help, this allows them to filter out this questions so they won't interfere with his work.

Good luck, Qndre.

At first I thought this was a big joke meant to make me stand outside the community, a new forum for my client...
But as I read the description, it isn't meant to be mean but to help people keep track of the content. So, many thanks to you.
_
Mine GO BOOM wrote:

If you would MD5 the password, a person who sniffs the packet would get this MD5'd password, and thus can just use that as a password if they wanted to steal it.

That's true. But for some people who don't care about security and use the same password everywhere... hackers just couldn't get the original password back as easily as they can at the moment (at least on some servers).
_
Quote:
the password, for SSC zones, is hashed

OK, but is it a one-way hash, or can you decrypt it?
Even if you can't, then it only works on SSC.
_
So I see... It won't help, so forget about it! People who send their password to every server without thinking about security shouldn't be surprised if everyone has their passwords then.
Cyan~Fire - Fri Mar 26, 2004 10:46 am
Post subject:
Qndre wrote:
Even if you can't, then it only works on SSC.

Well, as shown near the bottom of catid's site, subbill encryption is crap and can be reversed. However, by looking at Catid's code in his SSB2:
Code:
// One-way encryption algorithms
void HashPassword(BYTE * Password)

So, as long as a server is not running subbill, then your password is fine.
But, sadly, most small zones run on subbill. :'(
Qndre - Fri Mar 26, 2004 1:37 pm
Post subject:
Cyan~Fire wrote:
[..]
So, as long as a server is not running subbill, then your password is fine.
But, sadly, most small zones run on subbill. :'(

Sad but true.