[MUD-Dev] strong encryption for authentication
glowack2 at msu.edu
Wed Jul 11 09:35:39 New Zealand Standard Time 2001
Quoted from Caliban Tiresias Darklock on Tue, Jul 10, 2001 at 08:16:52PM -0700:
> Why the hell would you want to encrypt it?
1. Cheating - Player A is in a PK area. Player B is on the next
machine over and is listening to the network in promiscuous mode.
Player B has a script that extracts room names and health
information from a data stream. Player B runs this script in a
little window using Player A's connection as input.
"Hmm... Player A is down to 10 HP and is sitting in the Bell
2. Spying - Similar to the first scenario, someone could sit and
watch your traffic, find out what you're up to, etc.
"Hmm... Buffy really loves Biff (that's interesting) and wants to
buy him a +9 Knife of Ogre Slaying. Hmm... I have one of those
knives, they're hard to get, Buffy is wealthy, and she needs one
by tonight. Oppertunity knocks!"
> Basically, I started thinking about all the people this would lock
> out of the game. People who didn't have the right
> encryption. People who didn't understand encryption. People who
> didn't like encryption.
I'll give you "people who didn't have the right encryption", that
one's a very real concern. But you don't have to understand
encryption to benefit from it or even use it. There are reasons to
dislike *applications* of encryption, that I can understand with
things like DVD's, music, etc., but to dislike encryption itself
doesn't make sense. There are many good applications of encryption,
from online banking to keeping your personal information secure to
sending secret codes during a war.
> And no matter how much thought I put into it, I could not think of
> one single reason why people would give two tin shits in a wicker
> basket whether the game was encrypted. Nothing made sense. I came
> up with all sorts of concerns about privacy and security which,
> when you came right down to it, really didn't *matter* on a
> game. For a business conference, yeah, I could see that making
> sense. But it's a GAME.
Look at a game like EQ or UO where the GAME is spawning real-world
transactions, people selling characters and equipment online, etc.
And it's really not just a game, it's also a social gathering place.
In the future it's likely to be even more so, as more and more
people get connected and start gathering, if not in "games" then in
"online virtual worlds" or whatever you want to call them. You
mentioned business conferences, which could be something you are
able to have within one of these virtual environments.
> I did have a distinct problem with *forcing* people to send
> passwords in the clear, so I devised an optional cookie-based OTP
> scheme for that. But beyond that, I couldn't see any legitimate
> justification for wasting the CPU power necessary to encrypt
Why *not* just start encrypting everything? Hardware encryption
accelerators already exist, it's only a matter of time before they
become cheap enough to be ubiquitous, at which point the CPU won't
be used for encryption, freeing it up for more general processing
> So I'd pose this question, to which I would honestly like to hear
> the answer: what *possible* reason have you identified as a
> compelling justification for encryption? Because I really couldn't
> think of anything. Did I miss something?
There are lots of good reasons to encrypt, see above.
Encryption should at least be an option, if not the default. For a
game where you're in control of the client (EQ, UO, etc.) it should
be integrated so the user won't ever even *know* they are sending
their data encrypted. For more traditional MUDs that let the user
pick their favorite MUD client, then the story changes a bit, but if
you get a big game or two to start supporting SSL connections, then
MUD client authors will start getting requests for the feature (if
they don't find out first themselves) and soon MUD clients will
start supporting SSL connections.
Edward Glowacki glowack2 at msu.edu
"Speak softly and carry a +6 two-handed sword." --fortune
MUD-Dev mailing list
MUD-Dev at kanga.nu
More information about the MUD-Dev