tags:

views:

646

answers:

9
+3  Q: 

Is SSL really worth it?

I'm wondering if I should add an SSL layer between my server and client. I'm not handling any confidential data, but there is a very small chance someone might want to hack transmissions in order to gain intelligence (this is a game by the way). Now the ammounts of data to be processed is considerable when compared to a small website and although the added security might be nice the most likely hackers would be users themselves, so I feel SSL would be a waste of time, but would like to hear about others experiences.

Thanks

+8  A: 

This sounds like an optimization question. If you have information that you feel is valuable, start with SSL (a relatively easy security solution to try out). Once you have things working, benchmark the system with and without. If you feel that the performance hit is worth spending time on to try and optimize away, do that. If not, you're done!

Bob Cross  2008-11-25 15:54:55
+6  A: 

Are users logging in with a username and password? If so, I think it's worth protecting. After all, users may end up using a password that they use for secure purposes elsewhere. I know they shouldn't, but...

Now suppose someone's snooping on your unprotected conversation. They get the user's password for your site, use it to log into the sensitive site, and they're off...

If you don't want to encrypt the information (and I do understand it's a bit of a pain getting hold of a valid certificate etc) then it's worth at least making it very clear to users that their data is unencrypted, and emphatically urge them not to use a password they use elsewhere.

Jon Skeet  2008-11-25 15:54:57
No they don't. You don't need SSL to hash a username and password.
Brian  2008-11-25 15:56:37
Brian - that's rubbish! Hashing is only really useful at protecting the password in the database, since the username often needs to be sent as entered.
BrianLy  2008-11-25 16:01:03
I'm using openid, so I have no responsability about passwords, but your point is valid
Robert Gould  2008-11-25 16:02:11
Hashed passwords on the wire can be vulnerable to replay attacks. You can start a connection in SSL and then drop back to clear text after authentication. Sophisticated attackers can hijack an active session, but that's much harder than snooping credentials.
Darron  2008-11-25 16:02:15
Brian: Are you suggesting hashing the password in Javascript on the client side? That's relatively rare in my experience - and still vulnerable as Darron explained.
Jon Skeet  2008-11-25 16:09:45
@Darron: easy to solve: send a unique id/salt with each auth challenge/login page (keep track of used ids server-side, delete old ones), hash it with the credentials. Of course, client-side means JavaScript with its problems.
Piskvor  2008-11-25 16:22:02
If you pick the right hash function and salt it, transforming the hash back into a password shouldn't be an issue. And keep in mind that the only purpose of my hash suggestion was to keep people from stealing the password for use on other sites (e.g. bank passwords), not to make the game secure.
Brian  2008-11-25 16:32:38
+1  A: 

No. If player X is not between player Y and the server, the only data he can get by hacking the way you are talking about is data the server is sending to player X. And that data is not protectable at all, since his machine must be able to extract it anyways. You may as well just zip it rather than using SSL: the level of protection will not differ by much. Instead, just make sure you don't send player X any data that he should not have. It's unlikely for someone to use a man-in-the-middle type of attack on a game.

Brian  2008-11-25 15:55:36
This is about the same as I think, but haven't figured it all out yet
Robert Gould  2008-11-25 16:04:32
A: 

If the game is known to be other than fair because it is insecure, I'd worry that it would cease to be of interest to anyone but the cheaters.

Besides securing the data stream, is it possible to pare down what you're sending already? Or compress it?

bradheintz  2008-11-25 15:56:43
+1 as silly as it may seem I had forgotten to take this into account, thanks
Robert Gould  2008-11-25 16:05:59
+1  A: 

SSL should be used since you don't know what exploits or problems will occur in the future.

Confidentiality is only one way of considering whether you need SSL, if you are transmitting any personal data then I would want it secured. In some countries, you may be in breach of data protection laws by not using SSL.

There are other methods of protecting the data you transmit such as encrypting the payload with a PGP key before transmission and decrypting on the server.

BrianLy  2008-11-25 15:57:57
+6  A: 

If your worried about your clients hacking your data transmission ssl buys you nothing. Its channel security and if they own the client its relatively trivial to setup a man in the middle session where they can view your transmission unencrypted. If your worried about users hacking others users data transmissions then ssl is a good and relatively simple security measure.

Aaron Fischer  2008-11-25 16:02:15
Not if the client it properly checking the server's SSL key.
Brian C. Lane  2008-11-25 16:06:03
If they have access to the client, they can grab the SSL keys from memory (allowing them to set up undetectable man in the middle attacks easily), or just edit client data directly. So Aaron is right, SSL won't protect you from the users themselves.
jalf  2008-11-25 16:58:36
+1  A: 

More information is needed to make an intelligent decision, but you don't have to use SSL to secure your data. You could always use another algorithm and a shared secret between the client and server, or public/private keys. You would then have better control over which bits to secure and which bits to leave open.

In general things like logins should always be encrypted using SSL. You could exchange a new set of keys over the SSL channel and then switch to non-SSL using the keys to protect the sensitive data.

Brian C. Lane  2008-11-25 16:03:52
+1  A: 

SSL is considered by some to be a fix for a problem that (almost) doesn't exist. It's very hard to actually tap the wire and extract unencrypted information. Almost nobody does it.

If you look at the case of buying from an online store, what's a lot more likely to happen, is that they hack into the server, and download the entire database of transactions. In an ideal system, you would never even send your credit card credentials to the reseller, just a signed certificate from the credit card company stating that the transaction has already been authorized. However in the early days of the internet, that proved to be too difficult a system to set up, but it would have been the more correct solution. In the end they opted for the less effective, but easier to implement system.

Now on to your question. In your case, I can't see SSL offering much. If somebody want's to set up a program to monitor what is being sent to/from the network, it can still be done, as they can just place the hooks to capture the data before it's actually encrypted. If you're worried about third parties, or opponents they are playing against, sniffing the wire to figure out information about the game they shouldn't have access to, such as chat between teammates of the other team. Well, I would say the risk there is pretty minimal, and not worth addressing.

Kibbee  2008-11-25 16:06:43
It's not hard to do wire tapping if you're on the same LAN. That may not be an issue if you're at home, but it certainly is at school, work, or in an internet cafe.
Jon Skeet  2008-11-25 16:10:57
Maybe if the LAN Uses hubs, then it's possible. Or if you have access to the switches themselves. After that you have to comb through all the data, and if you're lucky, you'll get a couple credit card numbers. [continued]
Kibbee  2008-11-25 16:14:39
[continued] Much easier in a lot of cases to just attack the server, and steal thousands of credit card numbers in one fell swoop. That, or go dumpster diving for old hard drives.
Kibbee  2008-11-25 16:15:25
Think DNS hijacking. If they don't confirm that the SSL cert is correct (eg. using a self-signed certificate) then you can easily hijack their SSL session.
Brian C. Lane  2008-11-25 16:37:09
A: 

In addition to the notes about about encrypting usernames and passwords during transmission, SSL also prevents Man in the Middle attacks at the expense of adding overhead to every request.

The catch is that you must have some way of letting the client know that your particular certificate is valid... or more precisely, that it's the only valid one for your game.

Which also brings up the problem of how you tell the game when a new certificate replaces the old one after the old one expires.

Seriously, though, unless this is a subscription game of some sort, SSL is probably overkill.

R. Bemrose  2008-11-25 16:41:56

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security