MT Server-Client Communication encrypted ?
- Krock
- Developer
- Posts: 4650
- Joined: Thu Oct 03, 2013 07:48
- GitHub: SmallJoker
- Location: Switzerland
- Contact:
Re: MT Server-Client Communication encrypted ?
Why? Do you plan to share your credit card details on a server?
Look, I programmed a bug for you. >> Mod Search Engine << - Mods by Krock - DuckDuckGo mod search bang: !mtmod <keyword here>
- LMD
- Member
- Posts: 1397
- Joined: Sat Apr 08, 2017 08:16
- GitHub: appgurueu
- IRC: appguru[eu]
- In-game: LMD
- Location: Germany
- Contact:
Re: MT Server-Client Communication encrypted ?
Google it if you want to know why. I am sure there are plenty of reasons.
- Linuxdirk
- Member
- Posts: 3219
- Joined: Wed Sep 17, 2014 11:21
- In-game: Linuxdirk
- Location: Germany
- Contact:
Re: MT Server-Client Communication encrypted ?
Krock wrote:
> Why?

CSM security.
-
- Member
- Posts: 58
- Joined: Wed Aug 03, 2016 08:09
- GitHub: SlackCoyote
- In-game: SlackCoyote
Re: MT Server-Client Communication encrypted ?
Krock wrote:
> Why? Do you plan to share your credit card details on a server?

Probably one wants to send government's super secret documents through minetest. Or he is probably a terrorist.
Slackware64 14.2, MT 0.4.16. My best mod.
- Linuxdirk
- Member
- Posts: 3219
- Joined: Wed Sep 17, 2014 11:21
- In-game: Linuxdirk
- Location: Germany
- Contact:
Re: MT Server-Client Communication encrypted ?
Reedych wrote:
> Probably one wants to send government's super secret documents through minetest. Or he is probably a terrorist.

Or simply because one does not want to have arbitrary code to be injected and then be executed within the Lua environment of Minetest mods?
Or just because it is 2018 and no-one in the right mind wants unencrypted connections to servers of any kind?
- LMD
- Member
- Posts: 1397
- Joined: Sat Apr 08, 2017 08:16
- GitHub: appgurueu
- IRC: appguru[eu]
- In-game: LMD
- Location: Germany
- Contact:
Re: MT Server-Client Communication encrypted ?
I am pretty sure I'm not a terrorist...
Boom !
BTW, such a connection would probably allow 3rds to (a) just insert junk/malicious stuff into connection or (b) identify clients + monitor their activity
- Linuxdirk
- Member
- Posts: 3219
- Joined: Wed Sep 17, 2014 11:21
- In-game: Linuxdirk
- Location: Germany
- Contact:
Re: MT Server-Client Communication encrypted ?
LMD wrote:
> BTW, such a connection would probably allow 3rds to (a) just insert junk/malicious stuff into connection or (b) identify clients + monitor their activity

Both are true when not encrypting the traffic.
-
- Member
- Posts: 58
- Joined: Wed Aug 03, 2016 08:09
- GitHub: SlackCoyote
- In-game: SlackCoyote
Re: MT Server-Client Communication encrypted ?
LMD wrote:
> I am pretty sure I'm not a terrorist...
> Boom !
> BTW, such a connection would probably allow 3rds to (a) just insert junk/malicious stuff into connection or (b) identify clients + monitor their activity

I can suggest also certificates.
Slackware64 14.2, MT 0.4.16. My best mod.
Re: MT Server-Client Communication encrypted ?
Without google:
1) Not encrypting the connection would make the server vulnerable to Denial Of Service attacks. If anybody asks "why", the short answer is "IP spoofing" and the long answer is very long. Yes, IP spoofing is still possible on the internet.
2) Encryption also makes it less feasible to disconnect other players by sending wrong packets in their name. That means encryption stabilizes the connection between client and server.
Last but not least, what's happening between you and any server is nobody's business. Period.
A man much wiser than me once said: "go away, you are bothering me"
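The post above argues that a protected connection stops third parties from sending packets in another player's name over UDP. The sketch below is an added example, not part of the thread and not Minetest's protocol: it shows a server accepting a datagram only if it carries a valid per-session authentication tag and a fresh sequence number. The packet layout, `seal`, `Session` and the sample payloads are hypothetical, and the session key is assumed to have been agreed during login.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 16                   # truncated HMAC-SHA256 tag (assumption of this sketch)
HEADER = struct.Struct("!HQ")  # hypothetical header: 16-bit peer id, 64-bit sequence number


def seal(key: bytes, peer_id: int, seq: int, payload: bytes) -> bytes:
    """Build a datagram: header || payload || tag computed over header and payload."""
    body = HEADER.pack(peer_id, seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class Session:
    """Server-side state for one client: its key and the highest sequence number accepted."""

    def __init__(self, peer_id: int, key: bytes):
        self.peer_id, self.key, self.last_seq = peer_id, key, -1

    def open(self, datagram: bytes):
        """Return the payload if the datagram is authentic and fresh, otherwise None."""
        if len(datagram) < HEADER.size + TAG_LEN:
            return None
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None                             # forged or modified in transit
        peer_id, seq = HEADER.unpack_from(body)
        # Strictly increasing sequence numbers; a real UDP protocol would use a
        # sliding window so that reordered packets are not dropped.
        if peer_id != self.peer_id or seq <= self.last_seq:
            return None                             # wrong session or replayed packet
        self.last_seq = seq
        return body[HEADER.size:]


def demo():
    """Constructed sample traffic: one genuine packet, a forgery, a bit flip, a replay."""
    key = os.urandom(32)                                  # stands in for the login-derived key
    server_side = Session(peer_id=7, key=key)
    genuine = seal(key, 7, 0, b"MOVE 10 4 -3")
    forged = seal(os.urandom(32), 7, 1, b"DISCONNECT")    # sender does not hold the key
    tampered = bytearray(seal(key, 7, 2, b"CHAT hello"))
    tampered[12] ^= 0x01                                  # one payload bit changed in transit
    packets = [genuine, forged, bytes(tampered), genuine]  # last entry is a replay
    return [server_side.open(p) for p in packets]


if __name__ == "__main__":
    print(demo())
```

The tag gives integrity and origin authentication only; the payload is still readable on the wire, so confidentiality would need encryption on top.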
-
- Member
- Posts: 58
- Joined: Wed Aug 03, 2016 08:09
- GitHub: SlackCoyote
- In-game: SlackCoyote
Re: MT Server-Client Communication encrypted ?
Vapalus wrote:
> Without google:
> 1) Not encrypting the connection would make the server vulnerable to Denial Of Service attacks. If anybody asks "why", the short answer is "IP spoofing" and the long answer is very long. Yes, IP spoofing is still possible on the internet.
> 2) Encryption also makes it less feasible to disconnect other players by sending wrong packets in their name. That means encryption stabilizes the connection between client and server.
> Last but not least, what's happening between you and any server is nobody's business. Period.

Good arguments!
Slackware64 14.2, MT 0.4.16. My best mod.
Re: MT Server-Client Communication encrypted ?
Reedych wrote:
> Vapalus wrote:
> > Without google:
> > 1) Not encrypting the connection would make the server vulnerable to Denial Of Service attacks. If anybody asks "why", the short answer is "IP spoofing" and the long answer is very long. Yes, IP spoofing is still possible on the internet.
> > 2) Encryption also makes it less feasible to disconnect other players by sending wrong packets in their name. That means encryption stabilizes the connection between client and server.
> > Last but not least, what's happening between you and any server is nobody's business. Period.
>
> Good arguments!

Not really. Saying "what's happening between you and any server is nobody's business" so we should encrypt is like saying that all buildings in Europe should resist magnitude 8 earthquakes. That's not really helpful.

Let me tell a little tale: for years, the package manager of the Emacs text editor was fetching the source of some packages from a wiki that was publicly editable. Anyone could have modified those packages without even having to sign in on the wiki. For those who don't know it, Emacs is a feature-rich and relatively popular editor. By modifying a package, one could have easily wiped whole hard disks, or sent its contents to a server, or encrypted those files and asked for a ransom. But it never happened, as far as I know. It's only because of the recent misfortunes of package managers for really popular software that Emacs users became worried about this issue.
- LMD
- Member
- Posts: 1397
- Joined: Sat Apr 08, 2017 08:16
- GitHub: appgurueu
- IRC: appguru[eu]
- In-game: LMD
- Location: Germany
- Contact:
Re: MT Server-Client Communication encrypted ?
Security is more relevant today than it was years ago ! BTW, you wouldn't know if some hackers made some bad stuff, for example, copying all data...
SECURITY BY OBSCURITY IS NEVER A GOOD IDEA ! AND ENCRYPTION REALLY ISN'T HARD !
- Linuxdirk
- Member
- Posts: 3219
- Joined: Wed Sep 17, 2014 11:21
- In-game: Linuxdirk
- Location: Germany
- Contact:
Re: MT Server-Client Communication encrypted ?
Astrobe wrote:
> Saying "what's happening between you and any server is nobody's business" so we should encrypt is like saying that all buildings in Europe should resist magnitude 8 earthquakes. That's not really helpful.

Bad analogy. A better one is: “… is like saying ‘I’m not locking my door because there weren’t any burglars in my neighborhood so far’.”
Re: MT Server-Client Communication encrypted ?
The example I gave isn't for years ago; the popular Emacs package repo began to take action a few months ago.
"You never know" is the typical FUD one finds when security is discussed online. Aside from script kiddies and other annoyances, real bad guys are looking for profits for their efforts in creating, dissimulating and spreading their malware.
There's very little to be gained from eavesdropping a Minetest connection. Even tampering with it is probably not worth it. There's certainly more to gain from setting up honeypot servers that would exploit some vulnerabilities of the clients to perform remote code execution.
Encryption isn't hard... For those who don't have to implement it. As a starting point, do you have suggestions about which multi-platform encryption library one could use?
But it's less about difficulty than about computer resources. Some people run Minetest on small devices, and encryption isn't free. Beyond CPU cycles, it's also more bytes exchanged on the wires and longer connection times because of key exchange.
Re: MT Server-Client Communication encrypted ?
Linuxdirk wrote:
> Astrobe wrote:
> > Saying "what's happening between you and any server is nobody's business" so we should encrypt is like saying that all buildings in Europe should resist magnitude 8 earthquakes. That's not really helpful.
>
> Bad analogy. A better one is: “… is like saying ‘I’m not locking my door because there weren’t any burglars in my neighborhood so far’.”

This analogy is pretty common but is actually terrible, because it doesn't balance risks and costs. Not locking your door is a risk you take, but you gain next to nothing from it.
- Linuxdirk
- Member
- Posts: 3219
- Joined: Wed Sep 17, 2014 11:21
- In-game: Linuxdirk
- Location: Germany
- Contact:
Re: MT Server-Client Communication encrypted ?
Astrobe wrote:
> This analogy is pretty common but is actually terrible, because it doesn't balance risks and costs. Not locking your door is a risk you take, but you gain next to nothing from it.

You mean nothing except random people who can walk in and steal my stuff and don’t even need to break anything for that?
Re: MT Server-Client Communication encrypted ?
No. I was talking about the gain associated with the risk taken, you are talking about the loss associated with the risk taken. Of course your analogy is designed in such a way that the hope of gain is 0 at best. It is terrible because it is often used in situations where this is not the case (see my previous post about what we gain from not encrypting our traffic and add to it the fact that when a dev works on it, they don't work on gameplay-related features). It is used to play on the aversion people naturally have against risk and uncertainty.
- LMD
- Member
- Posts: 1397
- Joined: Sat Apr 08, 2017 08:16
- GitHub: appgurueu
- IRC: appguru[eu]
- In-game: LMD
- Location: Germany
- Contact:
Re: MT Server-Client Communication encrypted ?
I am convinced our fellow devs would manage to switch to some network traffic encryption library in less than a week.
It's nothing new, therefore there are multiple good choices, such as SSL : http://info.ssl.com/article.aspx?id=10241
Re: MT Server-Client Communication encrypted ?
Astrobe wrote:
> Not really. Saying "what's happening between you and any server is nobody's business" so we should encrypt is like saying that all buildings in Europe should resist magnitude 8 earthquakes. That's not really helpful.

And the rest of the arguments?
You disapprove of something I didn't even use as an actual argument but as a booster, and try to counter the real arguments by talking about something off topic in a way that has not much to do with encryption.
So, what does an opensource concept of some editor have to do with the network security of a server? It sounds very far fetched up to now.
And, to counter the only thing those two have in common:
Even if most people are nice people, I wouldn't give some stranger my car keys.
Even if I'm sure this piece of road is straight, I wouldn't drive blindfolded.
Even if nobody is driving that highway right now, I wouldn't let my children play on it.
Most people are actually nice people, who want to help, that is true. But if there is nothing to prevent people from breaking into systems, all those nice people will be terrorized by one stupid guy. That's definitely not worth the risk, because it gives those power who don't deserve it.
A man much wiser than me once said: "go away, you are bothering me"
- Linuxdirk
- Member
- Posts: 3219
- Joined: Wed Sep 17, 2014 11:21
- In-game: Linuxdirk
- Location: Germany
- Contact:
Re: MT Server-Client Communication encrypted ?
C'mon guys ... are we really discussing whether encryption is good or bad?
It is ALWAYS good. A connection that is not encrypted lacks an important security feature. No matter if the encryption is used to transfer positional data for an online game or checking the bank account.
Minecraft does not use encryption. The fact that it does not use it makes it less secure. There is nothing to discuss, that is a fact. The issue can only be solved by encrypting the connection.
- rubenwardy
- Moderator
- Posts: 6978
- Joined: Tue Jun 12, 2012 18:11
- GitHub: rubenwardy
- IRC: rubenwardy
- In-game: rubenwardy
- Location: Bristol, United Kingdom
- Contact:
Re: MT Server-Client Communication encrypted ?
The communication should be encrypted as it avoids MITM attacks, but in real terms it's not going to be that big of an issue as Minetest isn't that common and becoming a MITM is hard without being on the same network. TL;DR: I'm in favour but it's not as bad an issue as you say it is.

Linuxdirk wrote:
> It is ALWAYS good.

There is actually an exception to this - aptitude repositories are served over HTTP because it allows the creation of local mirrors, and is no less secure because packages are signed. Using HTTPS wouldn't be any more private as you could find out the package using the size.
Re: MT Server-Client Communication encrypted ?
LMD wrote:
> I am convinced our fellow devs would manage to switch to some network traffic encryption library in less than a week.
> It's nothing new, therefore there are multiple good choices, such as SSL : http://info.ssl.com/article.aspx?id=10241

This is a protocol, not a library. OpenSSL is a library. Furthermore, SSL is over TCP while Minetest, as far as I know, uses UDP.
- Linuxdirk
- Member
- Posts: 3219
- Joined: Wed Sep 17, 2014 11:21
- In-game: Linuxdirk
- Location: Germany
- Contact:
Re: MT Server-Client Communication encrypted ?
rubenwardy wrote:
> aptitude repositories are served over HTTP because it allows the creation of local mirrors,

Arch Linux allows creating local repositories, too. And it also supports HTTPS repositories. Your argument is invalid.
Re: MT Server-Client Communication encrypted ?
Vapalus wrote:
> Astrobe wrote: And, to counter the only thing those two have in common:
> Even if most people are nice people, I wouldn't give some stranger my car keys.
> Even if I'm sure this piece of road is straight, I wouldn't drive blindfolded.
> Even if nobody is driving that highway right now, I wouldn't let my children play on it.

Of course nobody would take risks for nothing. If you refuse to go beyond this argument level, there's no point in talking. Please someone at least attack my argument on the overhead encryption introduces.