to list as well.
---------- Forwarded message ----------
From: David Gerard dgerard@gmail.com
Date: 20 Apr 2008 12:25
Subject: Re: Writing a secure client/server with open source
To: edA-qa mort-ora-y eda-qa@disemia.com
On 20/04/2008, edA-qa mort-ora-y eda-qa@disemia.com wrote:
> Andy wrote:
>> The general consensus is "The attacker already knows the algorithm" thus revealing the source should not be a problem. Compilation is NOT a secure way of hiding something anyway.
> I agree, but at least it prevents casual abuse of the server. That is, a bit of obfuscation is likely enough to rid the game of the majority of cheaters or abusers. I agree it does nothing to deter the hardcore attacker.
It does nothing to stop them either, because their code can be copied and used by others. "Secure client" is fundamentally an oxymoron. See http://en.wikipedia.org/wiki/Trusted_client (which I rewrote a while ago to try to explain this simple point which nevertheless consistently evades people). You can't give people the secret and also keep it from them - it's *impossible*.
If you want this to work, you have to make the *protocols* proof against cheats, e.g. only allowing a certain number of actions per time or whatever. Come up with a protocol that would still work if every single player had a copy of the protocol and could implement an optimal bot client for it ... because that's what they can do anyway.
- d.
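
The "certain number of actions per time" rule from the message above, sketched as an added example that is not part of the original e-mail thread: a per-player token bucket enforced on the server using only the server's clock, so it holds even when every client is a bot. The names (ActionLimiter, handle, simulate), the message fields and the rate values are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class ActionLimiter:
    """Server-side token bucket per player: `rate` actions/second, burst of `burst`."""
    rate: float = 2.0
    burst: int = 3
    _state: dict = field(default_factory=dict)  # player_id -> (tokens, last_seen)

    def allow(self, player_id: str, now: float) -> bool:
        # `now` is the server's clock; nothing from the client's message is consulted.
        tokens, last = self._state.get(player_id, (float(self.burst), now))
        tokens = min(self.burst, tokens + max(0.0, now - last) * self.rate)
        if tokens < 1.0:
            self._state[player_id] = (tokens, now)
            return False
        self._state[player_id] = (tokens - 1.0, now)
        return True


def handle(limiter, player_id, message, server_now):
    """Accept or reject one action. The client's own 'ts' field is ignored."""
    if not limiter.allow(player_id, server_now):
        return "rejected: rate limit"
    return f"accepted: {message['action']}"


def simulate():
    """Constructed traffic: a bot sends 10 actions in one instant with forged
    timestamps; a normal player sends one action per second."""
    limiter = ActionLimiter(rate=2.0, burst=3)
    bot = [handle(limiter, "bot", {"action": "fire", "ts": 1000.0 * i}, 0.0)
           for i in range(10)]
    human = [handle(limiter, "human", {"action": "fire", "ts": float(t)}, float(t))
             for t in range(5)]
    # One second later the bot has earned back `rate` tokens, same as anyone else.
    later = handle(limiter, "bot", {"action": "fire", "ts": 0.0}, 1.0)
    return bot, human, later


if __name__ == "__main__":
    for row in simulate():
        print(row)
```

The player identifier is assumed to come from the server's own session state, not from a field the client fills in.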