Andy wrote:
The general consensus is "The attacker already knows the algorithm" thus revealing the source should not be a problem. Compilation is NOT a secure way of hiding something anyway.
I agree, but at least it prevents casual abuse of the server. That is, a bit of obfuscation is likely enough to rid the game of the majority of cheaters or abusers. I agree it does nothing to deter the hardcore attacker.
Protect from whom? This is in fact one of the most important questions. If your just trying to protect a users login details then it's unlikely they are going to try to breach their own security (and it's their own fault if they do).
I can make this clearer, there are three "entities" involved: 1. The Server 2. The Client 3. The Player
The server has no problem with identity, it knows who it is. The Player will authenticate with a known safe protocol (HTTPS and MD5 password possibly), and will be prompted for his password when he connects.
The question comes to the identity of the "Client". Basically I want to server an official client, let's call it "WhatNots". Now, the source if completely open, and I wish to encourage everybody to make their own version of "WhatNots", but I don't want those copies to be able to identify as the official client with the score server.
I know this problem in the commercial game world, basically the one of preventing cheaters. But that world has the advantage of using obfuscation in their authentication algorithms.
You should try to answer the following questions: What data needs to be secured?
The integrity of the scoring data on the server. It wishes only to accept scoring data from authorized clients (that is, the official game clients).
Where is that data is stored?
On the server.
Where is that data is being transferred from/to?
Produced by the client, transferred to the server.
Who is that data is being secured from?
People with unathorized clients attempting to give themselves inflated scores.