Anyone know what the trend is with MMORPG developers encrypting their client/server protocols these days?

The pros and cons are as follows.

Encrypting protocol:

  • protects trade secrets regarding client/server protocol to a degree?
  • Botting isn't stopped; it is only changed, because people will create bots which read screen states and trigger mouse+keyboard events, merely mitigating the development of bots as opposed to stopping them in any way. Still, though, bot development is somewhat less in supply, but the demand is still there; they merely get higher bids on rentacoder.com

Regular plain text:

  • more advanced bots, since the developers are able to inject their own datagrams into the client/server protocol (i.e. running through walls, teleporting...), which the server side now has to check, which in turn leads to a development contest between out patching exploits via injection (time consuming)
A: 

The main reason why developers should add encryption to their protocols is marketing. They simply need to ensure that their server will be the only one (for example, if they want, or already want, to offer paid membership) and that no one will just write his own server emulator after discovering the protocol and offer it for free.

Dmitriy Matveev
1) That would require a lot of development/time. 2) The encryption doesn't prevent them from reading what is in memory before it is encrypted and written out to a socket. They could still emulate a server; again, it takes a lot of time.
Zombies
1) Writing a free server for MMOs has been done in the past. 2) Yes. Also, I'm not quite sure what you're asking in the original question.
skirmish
+2  A: 

At the very least, the MMO's login protocol should be encrypted so that people on the player's network can't packet sniff their account information.

This reason can easily be extended to other data the player sends. For example, chat with other players can contain sensitive information. If the game is already going through the trouble of setting up an encryption protocol for the login process, there's probably not a lot of reason to turn it off after you're done.

fastcall
+3  A: 

Adding encryption to your packets will only slow a person writing a bot by oh, a few seconds. Your client would need to know how to encrypt to send data to the server and how to decrypt data from the server, and so would the bot.

With regards to preventing warping through walls, you should be doing these checks always. Never trust the user's input, even if you've written the client yourself.

As fastcall mentioned, you should still implement encryption of some data. Specifically the ones containing sensitive data, like logins and chat.

Samuel
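
An added example, not part of Samuel's answer: a minimal server-side movement check of the kind the answer calls for, rejecting teleports and moves through walls regardless of whether the packet arrived encrypted. The tile map, `MAX_SPEED`, and all function names are assumptions made for illustration.

```python
import math

# Constructed tile map: '#' is a wall, '.' is walkable.
GAME_MAP = [
    "#########",
    "#...#...#",
    "#...#...#",
    "#.......#",
    "#########",
]
MAX_SPEED = 5.0  # assumed limit, in tiles per second


def is_wall(x, y):
    col, row = math.floor(x), math.floor(y)
    if row < 0 or row >= len(GAME_MAP) or col < 0 or col >= len(GAME_MAP[row]):
        return True  # anything off the map counts as blocked
    return GAME_MAP[row][col] == "#"


def path_blocked(start, end, step=0.1):
    """Sample the straight segment so a move cannot skip over a wall tile."""
    samples = max(1, math.ceil(math.dist(start, end) / step))
    for i in range(samples + 1):
        t = i / samples
        x = start[0] + (end[0] - start[0]) * t
        y = start[1] + (end[1] - start[1]) * t
        if is_wall(x, y):
            return True
    return False


def validate_move(last_pos, claimed_pos, dt):
    """Return (position the server accepts, reason).

    last_pos is the server's own record, never a value echoed by the client;
    dt is the server-measured time since that record was taken.
    """
    if dt <= 0 or not all(math.isfinite(v) for v in claimed_pos):
        return last_pos, "malformed"
    if math.dist(last_pos, claimed_pos) > MAX_SPEED * dt + 1e-9:
        return last_pos, "too_fast"      # teleport or speed hack
    if path_blocked(last_pos, claimed_pos):
        return last_pos, "through_wall"  # destination or path crosses a wall
    return claimed_pos, "ok"
```

On rejection the server keeps its own last position and can resend it to the client; logging the reason per account also gives a signal for spotting modified clients.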
A: 

I was under the impression that none of the major MMOs used encrypted data transport. As Samuel said, you don't really get any security out of it since the client has to be able to encrypt and decrypt the data too.

Coxy
+7  A: 

@Samuel & coxymla:

That's not entirely true. If the protocol uses asynchronous encryption where the server's private key is unknown to the client, then the bot cannot decrypt the client's egress. This means that to modify the outgoing data, the bot actually has to hook the game process and intercept the data before it's encrypted.

It's simple enough in theory, but it can be technically challenging. At least you're raising the bar for attackers.

@Zombies: Beyond initial key exchange, most encryption schemes do not require extra data transfer. Further, while there is extra work to be done when encryption is used, the data transfer will most certainly be limited by the network and not the processor.

Put plainly, encryption does not lead to slower/more data transfer.

Cautionary note: This Wikipedia page contains a story about a common encryption mistake made by the developers of Phantasy Star Online. It's worth a read.

Or a hacker could locate the public key used to encrypt the data and use that in a bot to properly communicate with the server.
Andreas Magnusson
If the client is going to use the encrypted data that the server sent, it's going to have to decrypt it and it's going to have to decrypt it on the client which is in the hands of the enemy.
David Locke
I suppose that: if the official client can do it, any client can do it. Correct?
Zombies
A: 

It's pretty irrelevant. I imagine they encrypt the metadata such as the login information, and session information, but then send the gameplay mechanics data in the clear. After all, the server cannot trust the client anyway (not to have been hacked).

Most hack bots will hook into the running game process and poke around with its memory anyway, which is utterly undetectable - they often put in some signature recognition which attempts to detect known hackbots running in memory, but this is essentially useless otherwise.

Another possible technique for spotting hackbots is to spot gameplay patterns from known ones.

Encrypting the data does nothing, as hackbots attack the client, in-memory.

MarkR
Hm. If you create your own custom client (one that doesn't need all of the graphics overhead) then you can easily off-load it to a botnet (in case they detect and ban multiple clients running from 1 IP source).
Zombies
They'd ban your account.
Wouter Lievens
There would be multiple accounts, one for each bot.
Zombies
A: 

If you have the time, this one+ hour video about netcode has a part about encryption (among other things such as client synchronization and packet compression).

The relevant quote from the video is this: CPU is cheap. Just encrypt it, you have enough CPU time to encrypt and the benefit of encrypting is high (clients won't see your client's commands, increases the bar for hacking, etc).

MrValdez