[MUD-Dev] Re: Trusting the Client (Re: Laws of Online World Design)

Ola Fosheim Grøstad <olag@ifi.uio.no> Ola Fosheim Grøstad <olag@ifi.uio.no>
Tue Oct 13 10:54:59 New Zealand Daylight Time 1998

mark at erdos.Stanford.EDU wrote:
> I'd like to share a few ideas about this "law":
>   Never trust the client.
>    Never put anything on the client. The client is in the hands of the
>    enemy. Never ever ever forget this.
> While I agree the sentiment is a good one, I believe there is more leeway
> here than one might think.  A more restricted law might be: "Never put
> anything you desire to be secret on the client."

[example snipped]

I (and others for sure) have arrived at your conclusion as well. Although
I'm no big fan of laws, I've arrived at something like this:

1. Never let a single client make the final decision about state which have
a global effect (exceptions exists, I'm sure you can think of some).

2. You may not be able to restrict clever users from any information which
the client code is capable of decoding. (you may be able to prevent the user
from using the information)

3. You may not be able to prevent clever users from executing the protocol

4. Then you have to add a lot about authentication, but there are several
schemes available so...

More information about the MUD-Dev mailing list