MT Server-Client Communication encrypted ?

Astrobe
Member
Posts: 328
Joined: Sun Apr 01, 2018 10:46

Re: MT Server-Client Communication encrypted ?

by Astrobe » Post

rubenwardy wrote:The communication should be encrypted as it avoids MITM attacks, but in real terms it's not going to be that big of an issue as Minetest isn't that common and becoming a MITM is hard without being on the same network.
I believe people playing over WIFI could be in that situation (honeypot WIFI hotspots). But what would be the point anyway? There's no micro-payment, there's no precious account credentials... Being MITM'd in the context of Minetest would almost be an honor: you have skilled enemies.

User avatar
Linuxdirk
Member
Posts: 2741
Joined: Wed Sep 17, 2014 11:21
In-game: Linuxdirk
Location: Germany
Contact:

Re: MT Server-Client Communication encrypted ?

by Linuxdirk » Post

Astrobe wrote:But what would be the point anyway?
You have the permissions of the user account running Minetest. You could then sneak in a server-sent client-side mod farming your favorite crypto currency in the RAM of the user (pretty much limited because of LuaJIT’s memory limit but still a possible attack vector). Then have the mod send the result back to the server but grab the packets and redirect the result to your machine. Multiply by Minetest players worldwide.

Or try to break out of the sandbox (the used LuaJIT version is several years old) and run arbitrary code in user context.

User avatar
Vapalus
Member
Posts: 112
Joined: Wed Nov 15, 2017 17:16

Re: MT Server-Client Communication encrypted ?

by Vapalus » Post

Astrobe wrote: Of course nobody would take risks for nothing. If you refuse to go beyond this argument level, there's no point in talking.
There is people who take risks for nothing.
This is why women live longer than men.
Astrobe wrote: Please someone at least attack my argument on the overhead encryption introduces.
CryptoPP::AES::Encryption aesEncryption(key, CryptoPP::AES::DEFAULT_KEYLENGTH);
CryptoPP::CBC_Mode_ExternalCipher::Encryption cbcEncryption( aesEncryption, iv );

CryptoPP::StreamTransformationFilter stfEncryptor(cbcEncryption, new CryptoPP::StringSink( ciphertext ) );
stfEncryptor.Put( reinterpret_cast<const unsigned char*>( plaintext.c_str() ), plaintext.length() + 1 );
stfEncryptor.MessageEnd();
Done.

Also, this one is one of the more complicated examples.
A man much wiser than me once said: "go away, you are bothering me"

User avatar
sfan5
Moderator
Posts: 3962
Joined: Wed Aug 24, 2011 09:44
GitHub: sfan5
IRC: sfan5
Location: Germany

Re: MT Server-Client Communication encrypted ?

by sfan5 » Post

Reminder that encryption without authentication is useless.
If you don't add something like TLS certificates, MITM is still equally possible.
Linuxdirk wrote:the used LuaJIT version is several years old
source?
Vapalus wrote:
CryptoPP::AES::Encryption aesEncryption(key, CryptoPP::AES::DEFAULT_KEYLENGTH);
CryptoPP::CBC_Mode_ExternalCipher::Encryption cbcEncryption( aesEncryption, iv );

CryptoPP::StreamTransformationFilter stfEncryptor(cbcEncryption, new CryptoPP::StringSink( ciphertext ) );
stfEncryptor.Put( reinterpret_cast<const unsigned char*>( plaintext.c_str() ), plaintext.length() + 1 );
stfEncryptor.MessageEnd();
Done.
Also, this one is one of the more complicated examples.
AES-CBC, no MAC (or AEAD). Congratulations, you fail.

Besides, Astrobe was talking about the size overhead of encryption, not its implementation.
Mods: Mesecons | WorldEdit | Nuke & Minetest builds for Windows (32-bit & 64-bit)

User avatar
Linuxdirk
Member
Posts: 2741
Joined: Wed Sep 17, 2014 11:21
In-game: Linuxdirk
Location: Germany
Contact:

Re: MT Server-Client Communication encrypted ?

by Linuxdirk » Post

sfan5 wrote:
Linuxdirk wrote:the used LuaJIT version is several years old
source?
“we are using latest 5.1.4 which is 4 years old” - nerzul on Github.

https://github.com/minetest/minetest/is ... -359457813

User avatar
sfan5
Moderator
Posts: 3962
Joined: Wed Aug 24, 2011 09:44
GitHub: sfan5
IRC: sfan5
Location: Germany

Re: MT Server-Client Communication encrypted ?

by sfan5 » Post

Linuxdirk wrote:
sfan5 wrote:“we are using latest 5.1.4 which is 4 years old” - nerzul on Github.

https://github.com/minetest/minetest/is ... -359457813
This is the version of the imported Lua codebase we have in Minetest, not LuaJIT.
Most builds, including the official Windows ones, use LuaJIT 2.1.0-beta3 which was released in May last year.
Mods: Mesecons | WorldEdit | Nuke & Minetest builds for Windows (32-bit & 64-bit)

User avatar
Linuxdirk
Member
Posts: 2741
Joined: Wed Sep 17, 2014 11:21
In-game: Linuxdirk
Location: Germany
Contact:

Re: MT Server-Client Communication encrypted ?

by Linuxdirk » Post

Mmmh, okay ... Then the used Lua version is several years old. That changes the attack vector but does not close it.

Post Reply

Who is online

Users browsing this forum: No registered users and 2 guests