rugk Posted July 31, 2017 (edited)

In the config/log I noticed "userreport.url", which by default points to http://feedback.wildfiregames.com. No HTTPS, no basic security… You got HTTPS on your public site some time ago and I thought this, of course, also applies to your ("friendly") tracking feature (really, no offense intended!) in 0ad. However, as it seems, that's not the case. So it should be fairly easy to add HTTPS there, as the load is likely less than on any other (public) page you host.

So when the data is public anyway, why use HTTPS here? First of all, all (or almost all) standard arguments apply here. As with all tracking features, this of course also includes sensitive info. Yes! You submit a unique ID there, so… Attackers can intercept and manipulate that. And hardware details… not everyone wants to let those flow through the net in such a way…

When the data is published, it may be aggregated. The submitted data as raw data should be kept confidential… And you promise to only publish data which cannot be used for identification. Using this data an attacker can track a device through multiple WLANs/networks/etc. There may be other ways, but in any case, you should protect that information.

You do not say that this information can be intercepted. In your in-game statement, you only state the data goes to 0ad. Well… if it is not transmitted in an encrypted fashion anyone can sniff it. I.e. you basically lie here… And users may be okay with giving this info to you, but not to anyone who happens to be on the way (attackers in wifi, ISP, any big three-letter agency, another ISP, …).

Edited July 31, 2017 by rugk
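The plaintext endpoint described in the post above is the kind of setting a config check catches before release. The script below is an added example and is not 0ad project code. It assumes the `key = "value"` line format of 0ad's config files; the sample config is constructed for this example (the `userreport.id` key and the URL path are assumptions, and only `userreport.url` and the feedback host come from the post). It flags every `http://` endpoint, prints the hardened line, and shows a fail-closed guard a client could apply before uploading a unique ID and hardware details.

```python
"""Flag plaintext (http://) endpoints in a 0ad-style key = "value" config.

Added example, not 0ad project code. Assumes the config is a list of
`key = "value"` lines (assumption about 0ad's config format); the sample
below is constructed for this example.
"""
import re
from urllib.parse import urlparse, urlunparse

# Constructed sample config (assumed format; keys other than userreport.url
# and the URL path are made up for the example).
SAMPLE_CFG = '''\
; user reporting (constructed sample, not the real default.cfg)
userreport.enabled = "true"
userreport.url = "http://feedback.wildfiregames.com/"
userreport.id = "0123456789abcdef"
lobby.server = "lobby.wildfiregames.com"
'''

# key = "value"  (quotes optional); ';' starts a comment line
LINE_RE = re.compile(r'^\s*([A-Za-z0-9_.]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_cfg(text):
    """Return {key: value}; blank lines and ';' comments are ignored."""
    out = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(';'):
            continue
        m = LINE_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def plaintext_endpoints(cfg):
    """Keys whose value is an http:// URL, i.e. data crosses the wire in the clear."""
    return sorted(k for k, v in cfg.items() if urlparse(v).scheme == 'http')


def upgrade_to_https(url):
    """Rewrite http:// to https://; values with any other scheme are returned unchanged."""
    u = urlparse(url)
    if u.scheme != 'http':
        return url
    return urlunparse(u._replace(scheme='https'))


def hardened_line(key, url):
    """The config line as it should read after the fix."""
    return f'{key} = "{upgrade_to_https(url)}"'


def check_upload_allowed(url):
    """Fail closed: refuse to send the report ID and hardware details unless
    the endpoint is HTTPS with a host. Returns (allowed, reason)."""
    u = urlparse(url)
    if u.scheme == 'https' and u.hostname:
        return True, 'ok'
    return False, f'refusing to upload user report over {u.scheme or "unknown"} transport'


if __name__ == '__main__':
    cfg = parse_cfg(SAMPLE_CFG)
    for key in plaintext_endpoints(cfg):
        print(f'{key}: plaintext endpoint, should be: {hardened_line(key, cfg[key])}')
    print(check_upload_allowed(cfg['userreport.url']))
```

Note that rewriting the scheme only helps if the server actually serves the upload path over TLS with a valid certificate and the client verifies it; the guard in `check_upload_allowed` is the client-side half, and the server-side half is the HTTPS deployment the post asks for.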
Lion.Kanzen Posted July 31, 2017

@implodedok
implodedok Posted August 1, 2017

I agree. We will likely change this in alpha 23. Unfortunately, alpha 22 was released recently so it will take a few months.
av93 Posted August 1, 2017

Maybe alpha 23 could be released fast for security reasons.
implodedok Posted August 1, 2017

14 minutes ago, av93 said: "Maybe alpha 23 could be released fast for security reasons."

I don't agree. This does not seem to be an exploit that could compromise security of a computer system or privacy of an individual.
Stan` Posted August 1, 2017

I think he is trolling a bit to get a new version faster.
elexis Posted August 1, 2017

Thanks for the report. The HTTP interception of the hardware info transmission would require the attacker to be a Man-In-The-Middle, at which point he's tracking the target directly already (and then only that one target (or sitting in front of our server, which would require him to do worse things already)). Don't see a reason to push out a release quickly for that. It would be safer to disable the UserReporter while no one maintains it. daker had also reported on 2017-06-28 that we still use an old django version for the UserReport tool and it was discussed with Philip.
av93 Posted August 1, 2017

Not trolling, just saying, but if a dev says that there's no problem, I don't mind it.
rugk Posted August 6, 2017 (Author)

On 1.8.2017 at 11:30 AM, elexis said: "at which point he's tracking the target directly already"

Ever heard of three-letter agencies, which do exactly that and do not target a user individually? In any case I opened a trac issue for that: https://trac.wildfiregames.com/ticket/4707
elexis Posted August 6, 2017

Doesn't it sound like a conflict of interest to you if the ones who are the attacker are the ones certifying the defense mechanism?
rugk Posted August 6, 2017 (Author)

I do not understand your sentence, but my general answer would be: 0ad is open-source, so everybody can "certify" any "defense mechanism" in the game.
Lion.Kanzen Posted August 6, 2017 (edited)

43 minutes ago, rugk said: "I do not understand your sentence, but my general answer would be: 0ad is open-source, so everybody can "certify" any "defense mechanism" in the game."

You can start doing a patch, you know this is an open contribution project?

Edited August 6, 2017 by Lion.Kanzen
rugk Posted August 6, 2017 (Author)

1 minute ago, Lion.Kanzen said: "myopic"

Shortsighted? Yes, if I had the programming language knowledge (C/C++ or whatever you use) I could, but this is not that easy an issue, you may need interaction with openssl… or use curl, whatever… So it is not really easy. And it should be done properly, so better someone else does it.

My reply about open source was just because of elexis' reply. I still have no clue about what he was trying to say.
Lion.Kanzen Posted August 6, 2017

1 minute ago, rugk said: "Shortsighted? Yes, if I had the programming language knowledge (C/C++ or whatever you use) I could, but this is not that easy an issue, you may need interaction with openssl… or use curl, whatever… So it is not really easy. And it should be done properly, so better someone else does it. My reply about open source was just because of elexis' reply. I still have no clue about what he was trying to say."

Sorry, I typed wrong and my iPad doesn't help.

I don't see how this is a big issue. Come on, if a hacker wants your password they can do it here, in Steam, there's no such thing as an invulnerable security system.

We can tell our users something like: use an easy password, but don't use your more valuable passwords like your email password or Steam... Netflix. Did you see HBO was hacked recently? That's my point.
rugk Posted August 6, 2017 (Author)

1 minute ago, Lion.Kanzen said: "Come on, if a hacker wants your password they can do it here, in Steam"

I do not know if Steam uses HTTPS, but I really think they use HTTPS. But I think this is another typo… Also in this issue no password is transmitted. This issue is not about any password at all… You seem to have replied to the wrong topic or so.

What I take from your reply is: there is no 100% security. That is correct, of course, but that does not mean you should not use HTTPS. I mean your house door can also be broken – does that mean you do not use a door? Also I am not such a big target as HBO.

And finally, when HTTPS is not used you do not have to "hack" anyone. You can just sit on a chair next to them when they are logged into the same WLAN as you. It has nothing to do with hacking in the sense of breaking into computers.
rugk Posted August 6, 2017 (Author, edited)

10 minutes ago, Lion.Kanzen said: "We can tell our users something like: use an easy password, but don't use your more valuable passwords like your email password or Steam... Netflix."

Yes, and you can also tell people they should not kill each other… Hmm, they seem to do it anyway. You can say many things, yes. Paper does not blush. (That's a proverb.)

Edited August 6, 2017 by rugk
Lion.Kanzen Posted August 6, 2017

7 minutes ago, rugk said: "Yes, and you can also tell people they should not kill each other… Hmm, they seem to do it anyway. You can say many things, yes. Paper does not blush. (That's a proverb.)"

So, see, they include weak passwords... who is guilty for being so lazy?
rugk Posted August 6, 2017 (Author)

Again: This issue is not about passwords. Also BTW, this issue is already confirmed to be "likely" solved in the next release, as @implodedok said in #2. And that is okay. I also opened a trac issue. So I see no reason for discussing this anymore. And even if, then please discuss it in a serious way.
rugk Posted August 6, 2017 (Author)

32 minutes ago, Lion.Kanzen said: "you know this is an open contribution project?"

Ahh, now I understand this sentence. Yes, of course, I think everybody should know.