WebApp Sec mailing list archives

Re: securing web based game


From: "Tim Aranki" <tim.aranki () dev-quest com>
Date: Mon, 23 Dec 2002 10:13:09 -0600

Hi,
I am assuming that the FPS game is against some AI, and not other players
online, is this correct?  B/c, if it is real-time (it will definitely be
slow over HTTP), then you are sending and receiving a lot of data to the
client, and in that case, the easy/secure solution is to have the server
determine if a point was made.

My guess is that this is a stand-alone flash game that you would like users
to play, and then have the score posted back to your server.  This means
that in your scenario, the client has a one-time download, and then no
communication with the server until the game is completed, correct?

In this case, you are facing the age-old question: "what is secure enough?"
That is not a question I can answer for you, as you know best the
ramifications of someone cheating on your game.  The sessionID/hash that you
are talking about is a solution that will stop the casual cheater, but not
anyone who knows what they are doing, and has 10 minutes to spare.

The problem you are facing is that any logic you put on the client side is
going to be somewhat trivial to hack and leverage against you.  This is why
online games run off a central gaming server/cluster.  Again, your security
solution here will depend on "what is secure enough" for you.

-tim

----- Original Message -----
From: "Tomas" <tomasg () extra lt>
To: <webappsec () securityfocus com>
Sent: Monday, December 23, 2002 2:31 AM
Subject: Re: securing web based game


As far as I understood from your post, whenever the game runs on the client side
and the server just receives the final data from the client, there will always be
a possibility to cheat. However, I want to _reduce_ that possibility to a
minimum. The game is something like an online shooter, so using a direct
connection or verifying every time whether the target was hit isn't a good idea,
because lag can occur. Nobody likes it :) So session ID + algorithm is the
best idea so far. Isn't it?


Tomas


----- Original Message -----
From: "Adam [ckkl]" <ckkl () poczta wp pl>
Sent: Monday, December 23, 2002 2:12 AM
Subject: Re: securing web based game


let the server (instead of client) decide about the points
Much better, but still not good enough. The server will need some
information to calculate the game points from, and here we are again.

Live with the certainty that a gamer with too much time to spare will
crack any system, and concentrate on the gameplay instead.

I would say that as far as the server does everything and there's no
"Joshua" hardcoded - it may be quite a safe solution.
What I meant above is that the server does the business logic
and the client is just a layer for presentation [a common solution
nowadays].

I agree of course, that there's always a way to cheat
it just depends strictly on what kind of game it is
for interactive games - it's virtually possible to write
a bot to analyze server's sequence of data and to answer
with a perfect match [f.ex. sequence of keystrokes to
find a way out of a maze],
for gambling ones /BJ, roulette, etc./ things are random
and if done on the server, you are unable to do anything,
because all you see is just the results

hmm what a fascinating topic...
going to find some online casino
there must be some flaws :-PPPP

Just my 5 bolivars...
Best regards
Adam
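The two designs discussed in this thread, side by side, as an added example that is not part of the original messages: `verify_client_signed_score` is the "session ID + hash" scheme Tomas proposes (the client signs its own total with a key it was handed), and `ScoreServer` is the server-authoritative alternative Tim and Adam recommend, where the client only reports raw game events against a one-time session and the server computes the score and applies plausibility checks. The shooter rules (a maximum fire rate, points per hit, a maximum round length) and the event format are constructed for this example, not taken from anyone's game. As Adam notes, the server still has to trust the event stream it is given; the example narrows that trust and rejects impossible input, it does not remove it.

```python
import hashlib
import hmac
import secrets

# Constructed limits for a hypothetical shooter (assumptions for this example).
MAX_SHOTS_PER_SECOND = 10   # a real client cannot produce more than this
POINTS_PER_HIT = 100
MAX_ROUND_SECONDS = 300


def sign_score(score: int, client_key: bytes) -> str:
    """What the client does in the 'session ID + hash' scheme."""
    return hmac.new(client_key, str(score).encode(), hashlib.sha256).hexdigest()


def verify_client_signed_score(score: int, tag: str, client_key: bytes) -> bool:
    """Server-side check for the client-signed total. It proves the message was
    not altered in transit, but because the key ships inside the client, a
    matching tag says nothing about whether the score was actually earned."""
    return hmac.compare_digest(sign_score(score, client_key), tag)


def _exceeds_fire_rate(shot_times: list) -> bool:
    """Sliding one-second window over sorted shot timestamps."""
    shots = sorted(shot_times)
    start = 0
    for end in range(len(shots)):
        while shots[end] - shots[start] >= 1.0:
            start += 1
        if end - start + 1 > MAX_SHOTS_PER_SECOND:
            return True
    return False


class ScoreServer:
    """Server-authoritative scoring: the client never sends a total, only the
    events of the round, and the server decides what they are worth."""

    def __init__(self):
        self._sessions = {}  # session_id -> {"player", "started", "used"}

    def start_session(self, player: str, now: float) -> str:
        """Issued when the game is downloaded; unguessable and single-use."""
        session_id = secrets.token_hex(16)
        self._sessions[session_id] = {"player": player, "started": now, "used": False}
        return session_id

    def submit_events(self, session_id: str, events: list, now: float):
        """events: list of (seconds_since_start, kind), kind is 'shot' or 'hit'.
        Returns (accepted, score, reason)."""
        sess = self._sessions.get(session_id)
        if sess is None:
            return False, 0, "unknown session"
        if sess["used"]:
            return False, 0, "session already submitted"
        sess["used"] = True  # replaying the same session earns nothing
        elapsed = now - sess["started"]
        if elapsed < 0 or elapsed > MAX_ROUND_SECONDS:
            return False, 0, "round duration implausible"
        shots, hits, last_t = [], 0, -1.0
        for t, kind in events:
            if t < last_t or t > elapsed:
                return False, 0, "event timestamps out of order or beyond round"
            last_t = t
            if kind == "shot":
                shots.append(t)
            elif kind == "hit":
                hits += 1
            else:
                return False, 0, "unknown event kind"
        if hits > len(shots):
            return False, 0, "more hits than shots"
        if _exceeds_fire_rate(shots):
            return False, 0, "fire rate exceeds what the client can produce"
        return True, hits * POINTS_PER_HIT, "ok"


if __name__ == "__main__":
    server = ScoreServer()
    sid = server.start_session("alice", now=1000.0)
    # constructed round: three shots, two hits, spread over ~3 seconds
    round_events = [(0.5, "shot"), (0.6, "hit"), (1.5, "shot"), (2.5, "shot"), (2.6, "hit")]
    print(server.submit_events(sid, round_events, now=1010.0))
    print(server.submit_events(sid, round_events, now=1010.0))  # replay is refused
```

The plausibility checks are where the real design work goes: each rule (single-use session, monotonic timestamps inside the round, hits bounded by shots, a fire-rate ceiling) removes one class of nonsense input, and the score itself is derived by the server rather than copied from the client.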
