[MUD-Dev] Re: Trusting the Client (Re: Laws of Online World Design)

Jon Leonard jleonard at divcom.slimy.com
Wed Oct 14 01:03:42 New Zealand Daylight Time 1998

On Mon, Oct 12, 1998 at 11:33:44PM -0700, mark at erdos.Stanford.EDU wrote:
> Raph Koster writes:
> > BTW, I have noticed nobody has quarreled with any of the laws yet. Are
> > they all that acceptable? And is this endeavor useful? (I am finding it
> > so, but wonder about everyone else).
> I'd like to share a few ideas about this "law":
>   Never trust the client.
>    Never put anything on the client. The client is in the hands of the
>    enemy. Never ever ever forget this.
> While I agree the sentiment is a good one, I believe there is more leeway
> here than one might think.  A more restricted law might be: "Never put
> anything you desire to be secret on the client."
> Now, while the server has no control over what the client (or 
> pseudo-client) actually _does_, it certainly has control over what changes
> it allows the client to make on the server state.  I believe this can
> be taken advantage of in the following way.
> Consider a simple scenario: Bubba enters a room containing a monster,
> Boffo.  Bubba attacks Boffo and slays him in one hit, takes his gold,
> and exits the room.
> 1. When Bubba enters the room, the entire room state (including Boffo)
>    is downloaded to his client, along with a random number seed.

The random number seed is something you'd really rather keep secret.  If
a (sufficiently skilled at breaking code) player can see your random
numbers, they can implement conditional code like "attack the monster
only if I can kill it" or "open the chest only if the trap doesn't trigger".

You really need to force the client to commit state to the server every
time it wants a random number.  (If unrealistic luck is a problem.)

If the threat model for subverted clients isn't quite that strong (and
I think it should be -- I prefer to do all computation on the server),
then you can get away with less stringent tests.

It might be possible to make the client do an infeasable amount of work
to cheat, or have the server be able to occasionally detect this kind
of cheating and disable cheating accounts.  I doubt that any such mutant
protocol is worth the effort to prove it secure, though.

Jon Leonard

More information about the MUD-Dev mailing list