MT Server-Client Communication encrypted ?

LMD
Member
 
Posts: 508
Joined: Sat Apr 08, 2017 08:16
Location: Somewhere over the Rainbow : Bonn, Germany
GitHub: appgurueu
In-game: LMD + PRO_LMD + Limo
 

Krock
Developer
 
Posts: 4053
Joined: Thu Oct 03, 2013 07:48
Location: Switzerland
GitHub: SmallJoker

Re: MT Server-Client Communication encrypted ?

by Krock » Mon May 21, 2018 16:35

Why? Do you plan to share your credit card details on a server?
Mod Search Engine - Mods by Krock - DuckDuckGo mod search bang: !mtmod <keyword here>
 

LMD
Member
 
Posts: 508
Joined: Sat Apr 08, 2017 08:16
Location: Somewhere over the Rainbow : Bonn, Germany
GitHub: appgurueu
In-game: LMD + PRO_LMD + Limo
 

Linuxdirk
Member
 
Posts: 1551
Joined: Wed Sep 17, 2014 11:21
Location: Germany
In-game: Linuxdirk
 

Reedych
Member
 
Posts: 58
Joined: Wed Aug 03, 2016 08:09
GitHub: SlackCoyote
In-game: SlackCoyote

Re: MT Server-Client Communication encrypted ?

by Reedych » Tue May 22, 2018 13:50

Krock wrote:Why? Do you plan to share your credit card details on a server?

Probably one wants to send government's super secret documents through Minetest. Or he is probably a terrorist.
Slackware64 14.2, MT 0.4.16. My best mod.
 

Linuxdirk
Member
 
Posts: 1551
Joined: Wed Sep 17, 2014 11:21
Location: Germany
In-game: Linuxdirk

Re: MT Server-Client Communication encrypted ?

by Linuxdirk » Tue May 22, 2018 13:54

Reedych wrote:Probably one wants to send government's super secret documents through Minetest. Or he is probably a terrorist.

Or simply because one does not want to have arbitrary code to be injected and then be executed within the Lua environment of Minetest mods?

Or just because it is 2018 and no-one in the right mind wants unencrypted connections to servers of any kind?
 

LMD
Member
 
Posts: 508
Joined: Sat Apr 08, 2017 08:16
Location: Somewhere over the Rainbow : Bonn, Germany
GitHub: appgurueu
In-game: LMD + PRO_LMD + Limo

Re: MT Server-Client Communication encrypted ?

by LMD » Tue May 22, 2018 14:16

I am pretty sure I'm not a terrorist...
Boom !
BTW, such a connection would probably allow 3rds to (a) just insert junk/malicious stuff into connection or (b) identify clients + monitor their activity
 

Linuxdirk
Member
 
Posts: 1551
Joined: Wed Sep 17, 2014 11:21
Location: Germany
In-game: Linuxdirk

Re: MT Server-Client Communication encrypted ?

by Linuxdirk » Tue May 22, 2018 14:39

LMD wrote:BTW, such a connection would probably allow 3rds to (a) just insert junk/malicious stuff into connection or (b) identify clients + monitor their activity

Both are true when not encrypting the traffic.
 

Reedych
Member
 
Posts: 58
Joined: Wed Aug 03, 2016 08:09
GitHub: SlackCoyote
In-game: SlackCoyote

Re: MT Server-Client Communication encrypted ?

by Reedych » Wed May 23, 2018 08:11

LMD wrote:I am pretty sure I'm not a terrorist...
Boom !
BTW, such a connection would probably allow 3rds to (a) just insert junk/malicious stuff into connection or (b) identify clients + monitor their activity

I can suggest also certificates.
Slackware64 14.2, MT 0.4.16. My best mod.
 

Vapalus
Member
 
Posts: 109
Joined: Wed Nov 15, 2017 17:16

Re: MT Server-Client Communication encrypted ?

by Vapalus » Thu May 24, 2018 09:02

Without google:
1) Not encrypting the connection would make the server vulnerable to Denial Of Service attacks. If anybody asks "why", the short answer is "IP spoofing" and the long answer is very long. Yes, IP spoofing is still possible on the internet.
2) Encryption also makes it less feasible to disconnect other players by sending wrong packets in their name. That means encryption stabilizes the connection between client and server.

Last but not least, what's happening between you and any server is nobody's business. Period.
A man much wiser than me once said: "go away, you are bothering me"
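
Point 2 above, as an added example (not part of the original post and not Minetest's code): what rejects packets sent in another player's name is a per-session authentication tag, which authenticated encryption also provides. The packet layout, the pre-agreed 32-byte session key and all names here are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

HDR = struct.Struct("!HQ")  # peer id (u16) + sequence number (u64); constructed layout
TAG_LEN = 16                # HMAC-SHA256 tag truncated to 16 bytes (assumed size)

def _tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]

def seal(key: bytes, peer_id: int, seq: int, payload: bytes) -> bytes:
    """Return header || payload || tag; the tag covers header and payload."""
    header = HDR.pack(peer_id, seq)
    return header + payload + _tag(key, header + payload)

class Session:
    """Receiver state for one peer: session key and highest sequence number accepted."""
    def __init__(self, peer_id: int, key: bytes):
        self.peer_id, self.key, self.last_seq = peer_id, key, -1

    def open(self, datagram: bytes):
        """Return the payload, or None if the datagram is malformed, forged or replayed."""
        if len(datagram) < HDR.size + TAG_LEN:
            return None
        signed, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        peer_id, seq = HDR.unpack(signed[:HDR.size])
        if peer_id != self.peer_id or not hmac.compare_digest(tag, _tag(self.key, signed)):
            return None            # wrong peer, or sender does not hold the session key
        if seq <= self.last_seq:
            return None            # captured packet sent again
        self.last_seq = seq
        return signed[HDR.size:]

def demo() -> dict:
    key = os.urandom(32)           # assumption: agreed during login, e.g. by a key exchange
    server = Session(7, key)
    payload = b"MOVE 10 4 -3"      # constructed sample payload
    genuine = seal(key, 7, 0, payload)
    spoofed = seal(os.urandom(32), 7, 1, b"DISCONNECT")   # sender lacks the key
    altered = genuine[:HDR.size] + b"MOVE 99 9 -9" + genuine[-TAG_LEN:]
    return {
        "altered": server.open(altered),
        "spoofed": server.open(spoofed),
        "genuine": server.open(genuine),
        "replayed": server.open(genuine),
        "overhead_bytes": len(genuine) - len(payload),  # header + tag
    }
```

A tag like this gives integrity only; the payload still travels in the clear. If the protocol already carries a peer id and sequence number, the added cost per packet is the 16-byte tag rather than the full 26 bytes.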
 

Reedych
Member
 
Posts: 58
Joined: Wed Aug 03, 2016 08:09
GitHub: SlackCoyote
In-game: SlackCoyote

Re: MT Server-Client Communication encrypted ?

by Reedych » Thu May 24, 2018 14:50

Vapalus wrote:Without google:
1) Not encrypting the connection would make the server vulnerable to Denial Of Service attacks. If anybody asks "why", the short answer is "IP spoofing" and the long answer is very long. Yes, IP spoofing is still possible on the internet.
2) Encryption also makes it less feasible to disconnect other players by sending wrong packets in their name. That means encryption stabilizes the connection between client and server.

Last but not least, what's happening between you and any server is nobody's business. Period.

Good arguments!
Slackware64 14.2, MT 0.4.16. My best mod.
 

Astrobe
Member
 
Posts: 116
Joined: Sun Apr 01, 2018 10:46

Re: MT Server-Client Communication encrypted ?

by Astrobe » Fri May 25, 2018 23:27

Reedych wrote:
Vapalus wrote:Without google:
1) Not encrypting the connection would make the server vulnerable to Denial Of Service attacks. If anybody asks "why", the short answer is "IP spoofing" and the long answer is very long. Yes, IP spoofing is still possible on the internet.
2) Encryption also makes it less feasible to disconnect other players by sending wrong packets in their name. That means encryption stabilizes the connection between client and server.

Last but not least, what's happening between you and any server is nobody's business. Period.

Good arguments!


Not really. Saying "what's happening between you and any server is nobody's business" so we should encrypt is like saying that all buildings in Europe should resist magnitude 8 earthquakes. That's not really helpful.

Let me tell a little tale: for years, the package manager of the Emacs text editor was fetching the source of some packages from a wiki that was publicly editable. Anyone could have modified those packages without even having to sign in on the wiki. For those who don't know it, Emacs is a feature-rich and relatively popular editor. By modifying a package, one could have easily wiped whole hard disks, or sent its contents to a server, or encrypted those files and asked for a ransom. But it never happened, as far as I know. It's only because of the recent misfortunes of package managers for really popular software that Emacs users became worried about this issue.
 

LMD
Member
 
Posts: 508
Joined: Sat Apr 08, 2017 08:16
Location: Somewhere over the Rainbow : Bonn, Germany
GitHub: appgurueu
In-game: LMD + PRO_LMD + Limo

Re: MT Server-Client Communication encrypted ?

by LMD » Sat May 26, 2018 09:41

Security is more relevant today than it was years ago! BTW, you wouldn't know if some hackers made some bad stuff, for example, copying all data...
SECURITY BY OBSCURITY IS NEVER A GOOD IDEA! AND ENCRYPTION REALLY ISN'T HARD!
 

Linuxdirk
Member
 
Posts: 1551
Joined: Wed Sep 17, 2014 11:21
Location: Germany
In-game: Linuxdirk

Re: MT Server-Client Communication encrypted ?

by Linuxdirk » Sat May 26, 2018 11:55

Astrobe wrote:Saying "what's happening between you and any server is nobody's business" so we should encrypt is like saying that all buildings in Europe should resist magnitude 8 earthquakes. That's not really helpful.

Bad analogy. A better one is: “… is like saying ‘I’m not locking my door because there weren’t any burglars in my neighborhood so far’.”
 

Astrobe
Member
 
Posts: 116
Joined: Sun Apr 01, 2018 10:46

Re: MT Server-Client Communication encrypted ?

by Astrobe » Sat May 26, 2018 12:21

The example I gave isn't for years ago; the popular Emacs package repo began to take action a few months ago.

"You never know" is the typical FUD one finds when security is discussed online. Aside from script kiddies and other annoyances, real bad guys are looking for profits for their efforts in creating, dissimulating and spreading their malware.

There's very little to be gained from eavesdropping on a Minetest connection. Even tampering with it is probably not worth it. There's certainly more to gain from setting up honeypot servers that would exploit some vulnerabilities of the clients to perform remote code execution.

Encryption isn't hard... For those who don't have to implement it. As a starting point, do you have suggestions about which multi-platform encryption library one could use?

But it's less about difficulty than about computer resources. Some people run Minetest on small devices, and encryption isn't free. Beyond CPU cycles, it's also more bytes exchanged on the wires and longer connection times because of key exchange.
 

Astrobe
Member
 
Posts: 116
Joined: Sun Apr 01, 2018 10:46

Re: MT Server-Client Communication encrypted ?

by Astrobe » Sat May 26, 2018 12:29

Linuxdirk wrote:
Astrobe wrote:Saying "what's happening between you and any server is nobody's business" so we should encrypt is like saying that all buildings in Europe should resist magnitude 8 earthquakes. That's not really helpful.

Bad analogy. A better one is: “… is like saying ‘I’m not locking my door because there weren’t any burglars in my neighborhood so far’.”


This analogy is pretty common but is actually terrible, because it doesn't balance risks and costs. Not locking your door is a risk you take, but you gain next to nothing from it.
 

Linuxdirk
Member
 
Posts: 1551
Joined: Wed Sep 17, 2014 11:21
Location: Germany
In-game: Linuxdirk

Re: MT Server-Client Communication encrypted ?

by Linuxdirk » Sat May 26, 2018 15:58

Astrobe wrote:This analogy is pretty common but is actually terrible, because it doesn't balance risks and costs. Not locking your door is a risk you take, but you gain next to nothing from it.

You mean nothing except random people who can walk in and steal my stuff and don’t even need to break anything for that?
 

Astrobe
Member
 
Posts: 116
Joined: Sun Apr 01, 2018 10:46

Re: MT Server-Client Communication encrypted ?

by Astrobe » Sun May 27, 2018 16:33

No. I was talking about the gain associated with the risk taken, you are talking about the loss associated with the risk taken. Of course your analogy is designed in such a way that the hope of gain is 0 at best. It is terrible because it is often used in situations where this is not the case (see my previous post about what we gain from not encrypting our traffic and add to it the fact that when a dev works on it, they don't work on gameplay-related features). It is used to play on the aversion people naturally have against risk and uncertainty.
 

LMD
Member
 
Posts: 508
Joined: Sat Apr 08, 2017 08:16
Location: Somewhere over the Rainbow : Bonn, Germany
GitHub: appgurueu
In-game: LMD + PRO_LMD + Limo

Re: MT Server-Client Communication encrypted ?

by LMD » Sun May 27, 2018 17:11

I am convinced our fellow devs would manage to switch to some network traffic encryption library in less than a week.
It's nothing new, therefore there are multiple good choices, such as SSL : http://info.ssl.com/article.aspx?id=10241
 

Vapalus
Member
 
Posts: 109
Joined: Wed Nov 15, 2017 17:16

Re: MT Server-Client Communication encrypted ?

by Vapalus » Mon May 28, 2018 07:37

Astrobe wrote:Not really. Saying "what's happening between you and any server is nobody's business" so we should encrypt is like saying that all buildings in Europe should resist magnitude 8 earthquakes. That's not really helpful.

And the rest of the arguments?
You disapprove of something I didn't even use as an actual argument but as a booster, and try to counter the real arguments by talking about something off topic in a way that has not much to do with encryption.
So, what does an opensource concept of some editor have to do with the network security of a server? It sounds very far fetched up to now.

And, to counter the only thing those two have in common:
Even if most people are nice people, I wouldn't give some stranger my car keys.
Even if I'm sure this piece of road is straight, I wouldn't drive blindfolded.
Even if nobody is driving that highway right now, I wouldn't let my children play on it.

Most people are actually nice people, who want to help, that is true. But if there is nothing to prevent people from breaking into systems, all those nice people will be terrorized by one stupid guy. That's definitely not worth the risk, because it gives those power who don't deserve it.
A man much wiser than me once said: "go away, you are bothering me"
 

Linuxdirk
Member
 
Posts: 1551
Joined: Wed Sep 17, 2014 11:21
Location: Germany
In-game: Linuxdirk

Re: MT Server-Client Communication encrypted ?

by Linuxdirk » Mon May 28, 2018 12:15

C'mon guys ... are we really discussing whether encryption is good or bad?

It is ALWAYS good. A connection that is not encrypted lacks an important security feature. No matter if the encryption is used to transfer positional data for an online game or checking the bank account.

Minecraft does not use encryption. The fact that it does not use it makes it less secure. There is nothing to discuss, that is a fact. The issue can only be solved by encrypting the connection.
 

rubenwardy
Moderator
 
Posts: 5422
Joined: Tue Jun 12, 2012 18:11
Location: United Kingdom
GitHub: rubenwardy
IRC: rubenwardy
In-game: rubenwardy

Re: MT Server-Client Communication encrypted ?

by rubenwardy » Mon May 28, 2018 12:55

The communication should be encrypted as it avoids MITM attacks, but in real terms it's not going to be that big of an issue as Minetest isn't that common and becoming a MITM is hard without being on the same network. TL;DR: I'm in favour but it's not as bad an issue as you say it is.

Linuxdirk wrote:It is ALWAYS good.


There is actually an exception to this - aptitude repositories are served over HTTP because it allows the creation of local mirrors, and is no less secure because packages are signed. Using HTTPS wouldn't be any more private as you could find out the package using the size.
Core Developer | Donate | My Twitter | Mods | Mods 4 Android | Node Box Editor | Minetest Modding Book

 

Astrobe
Member
 
Posts: 116
Joined: Sun Apr 01, 2018 10:46

Re: MT Server-Client Communication encrypted ?

by Astrobe » Mon May 28, 2018 16:51

LMD wrote:I am convinced our fellow devs would manage to switch to some network traffic encryption library in less than a week.
It's nothing new, therefore there are multiple good choices, such as SSL : http://info.ssl.com/article.aspx?id=10241


This is a protocol, not a library. OpenSSL is a library. Furthermore, SSL is over TCP while Minetest, as far as I know, uses UDP.
 

Linuxdirk
Member
 
Posts: 1551
Joined: Wed Sep 17, 2014 11:21
Location: Germany
In-game: Linuxdirk

Re: MT Server-Client Communication encrypted ?

by Linuxdirk » Mon May 28, 2018 17:03

rubenwardy wrote:aptitude repositories are served over HTTP because it allows the creation of local mirrors,

Arch Linux allows creating local repositories, too. And it also supports HTTPS repositories. Your argument is invalid.
 

Astrobe
Member
 
Posts: 116
Joined: Sun Apr 01, 2018 10:46

Re: MT Server-Client Communication encrypted ?

by Astrobe » Mon May 28, 2018 17:03

Vapalus wrote:
Astrobe wrote:And, to counter the only thing those two have in common:
Even if most people are nice people, I wouldn't give some stranger my car keys.
Even if I'm sure this piece of road is straight, I wouldn't drive blindfolded.
Even if nobody is driving that highway right now, I wouldn't let my children play on it.


Of course nobody would take risks for nothing. If you refuse to go beyond this argument level, there's no point in talking. Please someone at least attack my argument on the overhead encryption introduces.
 
