Jump to content

Insecure transmission of statistics/application feedback


Recommended Posts

In the config/log I noticed "userreport.url", which by default points to http://feedback.wildfiregames.com. No HTTPS, no basic security… :(

You got HTTPS on your public site some time ago and I thought this, of course, also applies to your ("friendly") tracking feature (really, no offense intended!) in 0ad. However, as it seems, that's not the case. So it should be fairly easy to add HTTPS there, as the load is likely less than on any other (public) page you host. :)

So when the data is public anyway, why use HTTPS here?

  1. First of all, all (or almost all) standard arguments apply here.
  2. As all tracking features, this of course also includes sensitive info. Yes! You submit a unique ID there, so… Attackers can intercept and manipulate that. And hardware details… not everyone wants to let those flow through the net in such a way…
  3. When the data is published, it may be aggregated. The submitted data as raw data should be kept confidential… And you promise to only publish data, which cannot be used for identification.
  4. Using this data an attacker can track a device through multiple WLAN/networks/etc. There may be other ways, but in any case, you should protect that information.
  5. You do not say that this information can be intercepted. In your in-game statement, you only state the data goes to 0ad. Well… if it is not transmitted in an encrypted fashion anyone can sniff it. I.e. you basically lie here… And users may be okay with giving this info to you, but not to anyone, who happens to be on the way (attackers in wifi, ISP, any big three-letter agency, another ISP, …).
Edited by rugk
Link to comment
Share on other sites

Thanks for the report.

The HTTP interception of the hardware info transmission would require the attacker to be a Man-In-The-Middle, at which point he's tracking the target directly already (and then only that one target (or sitting in front of our server which would require him to do worse things already)). Don't see a reason to push out a release quickly for that.

It would be safer to disable the UserReporter while noone maintains it. daker had also reported on 2017-06-28 that we still use an old django version for the UserReport tool and it was discussed with Philip.

  • Like 1
Link to comment
Share on other sites

1 minute ago, Lion.Kanzen said:

myopic

Shortsighted?

Yes, if I had the programming language knowledge (C/C++ or whatever you use) I could, but this is a not that easy issue, you may need interaction with openssl… or use curl, whatever… So it is not really easy. And it should be done properly, so better someone else does it.

My reply about open source was just because of elexis' reply. I still have no clue about what he was trying to say.

Link to comment
Share on other sites

1 minute ago, rugk said:

Shortsighted?

Yes, if I had the programming language knowledge (C/C++ or whatever you use) I could, but this is a not that easy issue, you may need interaction with openssl… or use curl, whatever… So it is not really easy. And it should be done properly, so better someone else does it.

My reply about open source was just because of elexis' reply. I still have no clue about what he was trying to say.

Sorry I typed wrong and my iPad don't help.

i don't see how this a big issue. Come on if a hacker wants your password they can do here, in steam, there's not a such thing that a in vulnerable security system.

 

we can say our user something like: use easy password but don't use your more valuable password like email password or steam...Netflix.

you see HBO was hacked recently? That's my point.

Link to comment
Share on other sites

1 minute ago, Lion.Kanzen said:

Come on if a hacker wants your password they can do here, in steam

I do not know if Steam uses HTTPS, but I really think they use HTTPS. But I think this is another typo…

Also in this issue no password is transmitted. This issue is not about any password at all… You seem to have replied to the wrong topic or so.

What I take from your reply is: There is not 100% security. That is correct, of course, but that does not mean you should not use HTTPS. I mean your house door can also be broken – does that mean, you do not use a door?
Also I am not  such a big target as HBO.

And finally when HTTPS is not used you do not have to "hack" anyone. YOu can just sit on a chair next to them, when they are logged in the same WLAN as you. It has nothing to do with hacking in the sense of breaking into computers.

Link to comment
Share on other sites

10 minutes ago, Lion.Kanzen said:

we can say our user something like: use easy password but don't use your more valuable password like email password or steam...Netflix.

Yes, and you can also say people they should not kill each other… Hmm, they seem to do it anyway. :D
You can say many things, yes. Paper does not blush. (that's a proverb)

Edited by rugk
Link to comment
Share on other sites

Again: This issue is not about passwords.

Also BTW, this issue is already confirmed to be "likely" solved in the next release as @implodedok said in #2. And that is okay. I also opened a trac issue. So I see no reason for discussing this anymore. And even if, then please discuss it in a serious way.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...