Thread: Email object SMTP security?

  1. #11
    ratty
    Maybe we can use this thread to list the security of various web items and the ease of stealing info from them (i.e., if they're encrypted innately, etc.).

  2. #12
    DracisLooby
    Well, anything sent via plaintext, like pretty much all unencrypted traffic, can easily be copied/read/manipulated. Even if you encrypt on the client end, via hashing or whatnot, and send it to the server, which then sends back an encrypted (but still plaintext) reply, someone could just sniff these packets, create a sort of emulator for your server, and just send the same packets upon request.

    One method would be some sort of double expectant code, a result that is time sensitive by nature, like a highly encrypted/hashed text stream that has a date/time + predictable, yet unique token that could only be used once, based off its immediate environment, but both the client and the server would have to be synced WITHOUT a connection, sort of like an atomic clock, so neither authentication could be faked, i.e. someone sniffing the client sending packets and recording the server reply to give a duplicate auth, or the server being tricked into replying to a false client.

    It all really falls down to acceptable loss, and good programming. Does your app/game need auth/anti-piracy? Will the user base require actual protection, or will it remain obscure enough that minimal/no security will go unnoticed?

    In all honesty, much of this could be easily solved by an updated GET object that supports SSL, or a cross-platform network/http object that also supports TLS/SSL. The packets could be sniffed all they want, but they will only get unique hash text; the salt gets regenerated with every 'handshake' on SSL, so it would pretty much solve all of this, with a minimal performance hit on servers.

    The number one rule of security in the digital age: ALWAYS assume your user has the worst of malicious intention, and work backward from there. Never think "Oh, they won't notice" or "Oh, it's only a tiny hole". If you're going to do security, go full out on it, otherwise it just creates another useless hoop a real end-user must jump through.
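
The time-limited, single-use token described in post #12, as an added example that is not part of the original thread: the server rejects a captured message when it is sent a second time or after the window has passed. The pre-shared key, the 30-second window and all names are assumptions, and both sides need roughly synchronized clocks.

```python
import hashlib
import hmac
import secrets
import time

MAX_SKEW = 30  # seconds a token stays acceptable (assumed window)


def _mac(key, ts, nonce, message):
    # HMAC binds the timestamp and nonce to the message, so none can be swapped.
    data = f"{ts}|{nonce}|".encode() + message
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def make_token(key, message, now=None):
    """Client side: attach a timestamp and a random single-use nonce."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    return {"ts": ts, "nonce": nonce, "msg": message,
            "mac": _mac(key, ts, nonce, message)}


class Verifier:
    """Server side: accept each token at most once, and only while fresh."""

    def __init__(self, key):
        self.key = key
        self.seen = {}  # nonce -> timestamp of tokens already accepted

    def verify(self, tok, now=None):
        now = int(time.time() if now is None else now)
        # Nonces of tokens that are already stale no longer need remembering.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        expected = _mac(self.key, tok["ts"], tok["nonce"], tok["msg"])
        if not hmac.compare_digest(expected, tok["mac"]):
            return "bad-mac"    # forged or modified in transit
        if abs(now - tok["ts"]) > MAX_SKEW:
            return "stale"      # recorded earlier, sent too late
        if tok["nonce"] in self.seen:
            return "replayed"   # sniffed packet sent again inside the window
        self.seen[tok["nonce"]] = tok["ts"]
        return "ok"


if __name__ == "__main__":
    key = secrets.token_bytes(32)             # constructed sample key
    server = Verifier(key)
    packet = make_token(key, b"score=100")    # constructed sample message
    print(server.verify(packet), server.verify(packet))
```

This only authenticates messages and stops replays; the payload is still readable on the wire, and a key shipped inside a client can be extracted by its user.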
