Insecure transmission of statistics/application feedback

rugk    6

In the config/log I noticed "userreport.url", which by default points to http://feedback.wildfiregames.com. No HTTPS, no basic security… :(

You got HTTPS on your public site some time ago and I thought this, of course, also applies to your ("friendly") tracking feature (really, no offense intended!) in 0ad. However, as it seems, that's not the case. So it should be fairly easy to add HTTPS there, as the load is likely less than on any other (public) page you host. :)

So when the data is public anyway, why use HTTPS here?

  1. First of all, all (or almost all) standard arguments apply here.
  2. As with all tracking features, this of course also includes sensitive info. Yes! You submit a unique ID there, so… Attackers can intercept and manipulate that. And hardware details… not everyone wants to let those flow through the net in such a way…
  3. When the data is published, it may be aggregated. The submitted data as raw data should be kept confidential… And you promise to only publish data which cannot be used for identification.
  4. Using this data an attacker can track a device through multiple WLAN/networks/etc. There may be other ways, but in any case, you should protect that information.
  5. You do not say that this information can be intercepted. In your in-game statement, you only state the data goes to 0ad. Well… if it is not transmitted in an encrypted fashion anyone can sniff it. I.e. you basically lie here… And users may be okay with giving this info to you, but not to anyone who happens to be on the way (attackers in wifi, ISP, any big three-letter agency, another ISP, …).
Edited by rugk
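The report above boils down to two things a defender would check: which configured endpoints use plain HTTP, and whether the client refuses to ship the report when the endpoint is not HTTPS. The following is an added example and not code from 0 A.D. or this thread; it assumes a `key = "value"` config format with `;` comments, and the sample config is constructed here (only the `userreport.url` key and its default URL come from the post).

```python
"""Audit a 0 A.D.-style config for endpoints that use plain HTTP, and gate
the user report upload on a secure transport.

Added example, not 0 A.D. code.  Assumes the config is made of
``key = "value"`` lines with ``;`` comments; the sample below is constructed.
"""
from urllib.parse import urlsplit

# Constructed sample config.  Only userreport.url and its value are taken
# from the thread; the other keys are placeholders for the audit.
SAMPLE_CONFIG = """\
; constructed sample, not the real default.cfg
userreport.url = "http://feedback.wildfiregames.com"
userreport.enabledversion = "0"
lobby.server = "lobby.wildfiregames.com"
"""


def parse_config(text):
    """Parse ``key = "value"`` lines (assumed format) into a dict."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments (assumed syntax)
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip('"')
    return settings


def transport_is_secure(url):
    """True only for an https:// URL with a host; anything else is insecure."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.hostname)


def find_insecure_endpoints(settings):
    """Return {key: url} for every config value that is an http:// URL."""
    return {
        key: value
        for key, value in settings.items()
        if value.startswith(("http://", "https://")) and not transport_is_secure(value)
    }


class InsecureTransport(Exception):
    """Raised when the report would leave over a link anyone on the path can read."""


def report_destination(settings):
    """Gate the upload: return the URL only if it is HTTPS, otherwise refuse.

    This is the client-side half of the mitigation: the unique ID and the
    hardware profile are never handed to a plaintext endpoint.
    """
    url = settings.get("userreport.url", "")
    if not transport_is_secure(url):
        raise InsecureTransport(f"refusing to send user report to {url!r}")
    return url


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for key, url in find_insecure_endpoints(cfg).items():
        print(f"{key}: {url} uses plain HTTP; upgrade it to https://")
    try:
        report_destination(cfg)
    except InsecureTransport as exc:
        print(exc)
    fixed = {**cfg, "userreport.url": "https://feedback.wildfiregames.com"}
    print("would upload to", report_destination(fixed))
```

Running the block against the constructed config flags `userreport.url` and refuses the upload; after the scheme is changed to `https://` the gate passes. The scheme check deliberately treats an empty or malformed URL as insecure rather than silently falling back to HTTP.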

implodedok    178
14 minutes ago, av93 said:

Maybe alpha 23 could be released fast for security reasons.

I don't agree. This does not seem to be an exploit that could compromise security of a computer system or privacy of an individual.

elexis    908

Thanks for the report.

The HTTP interception of the hardware info transmission would require the attacker to be a Man-In-The-Middle, at which point he's tracking the target directly already (and then only that one target (or sitting in front of our server which would require him to do worse things already)). Don't see a reason to push out a release quickly for that.

It would be safer to disable the UserReporter while no one maintains it. daker had also reported on 2017-06-28 that we still use an old django version for the UserReport tool and it was discussed with Philip.

elexis    908

Doesn't it sound like a conflict of interest to you if the ones who are the attacker are the ones certifying the defense mechanism?

rugk    6

I do not understand your sentence, but my general answer would be: 0ad is open-source, so everybody can "certify" any "defense mechanism" in the game.

Lion.Kanzen    1,849
43 minutes ago, rugk said:

I do not understand your sentence, but my general answer would be: 0ad is open-source, so everybody can "certify" any "defense mechanism" in the game.

You can start doing a patch, you know this is an open contribution project?

Edited by Lion.Kanzen

rugk    6
1 minute ago, Lion.Kanzen said:

myopic

Shortsighted?

Yes, if I had the programming language knowledge (C/C++ or whatever you use) I could, but this is not that easy an issue, you may need interaction with openssl… or use curl, whatever… So it is not really easy. And it should be done properly, so better someone else does it.

My reply about open source was just because of elexis' reply. I still have no clue about what he was trying to say.

Lion.Kanzen    1,849
1 minute ago, rugk said:

Shortsighted?

Yes, if I had the programming language knowledge (C/C++ or whatever you use) I could, but this is not that easy an issue, you may need interaction with openssl… or use curl, whatever… So it is not really easy. And it should be done properly, so better someone else does it.

My reply about open source was just because of elexis' reply. I still have no clue about what he was trying to say.

Sorry, I typed wrong and my iPad doesn't help.

I don't see how this is a big issue. Come on, if a hacker wants your password they can do it here, in Steam; there's no such thing as an invulnerable security system.

We can say to our users something like: use an easy password but don't use your more valuable passwords like your email password or Steam... Netflix.

You see HBO was hacked recently? That's my point.

rugk    6
1 minute ago, Lion.Kanzen said:

Come on, if a hacker wants your password they can do it here, in Steam

I do not know if Steam uses HTTPS, but I really think they use HTTPS. But I think this is another typo…

Also in this issue no password is transmitted. This issue is not about any password at all… You seem to have replied to the wrong topic or so.

What I take from your reply is: There is not 100% security. That is correct, of course, but that does not mean you should not use HTTPS. I mean your house door can also be broken – does that mean you do not use a door?
Also I am not such a big target as HBO.

And finally, when HTTPS is not used you do not have to "hack" anyone. You can just sit on a chair next to them, when they are logged in to the same WLAN as you. It has nothing to do with hacking in the sense of breaking into computers.

rugk    6
10 minutes ago, Lion.Kanzen said:

We can say to our users something like: use an easy password but don't use your more valuable passwords like your email password or Steam... Netflix.

Yes, and you can also say people they should not kill each other… Hmm, they seem to do it anyway. :D
You can say many things, yes. Paper does not blush. (that's a proverb)

Edited by rugk

Lion.Kanzen    1,849
7 minutes ago, rugk said:

Yes, and you can also say people they should not kill each other… Hmm, they seem to do it anyway. :D
You can say many things, yes. Paper does not blush. (that's a proverb)

So see, they include weak passwords... who is guilty for being so lazy?

rugk    6

Again: This issue is not about passwords.

Also BTW, this issue is already confirmed to be "likely" solved in the next release as @implodedok said in #2. And that is okay. I also opened a trac issue. So I see no reason for discussing this anymore. And even if, then please discuss it in a serious way.

rugk    6
32 minutes ago, Lion.Kanzen said:

you know this a open contribution project?

Ahh now I understand this sentence. :) Yes, of course, I think everybody should know.
