Posted

Hello there.

 

Recently I've been developing a skin swap mod, one that allows you to upload your skin from the mod to a 3rd party server. Now that everything more or less works how it should, I have found myself stumped on the problem of securing any changes made to said skins.

 

The scenario: the player sends a POST to the server with image data, their UUID and some other information. The server reads the image, stores it and updates the database.

 

The problem: Anyone with a utility that can send POSTs can send a similar package and overwrite user's skin to anything. How to make sure that:

a) The player sending the data is the one owning the skin

b) The utility used to send the data is the Mod.

 

I've tried looking into Yggdrasil authentication, but it doesn't have a method to confirm to whom the security token belongs - any valid token returns a positive response and would be a poor security measure.

 

I don't want to use the Authentication method, since it would invalidate the user's own Minecraft token, and I don't have an SSL certificate on my server.

 

At the moment I'm totally at a loss for what to do. I would appreciate any pokes in the right direction.

 

Thanks

I do pony stuff :3

Posted

Give the player some kind of verification password

 

I'd be sending a password through a non-encrypted POST. Very unsafe. If it doesn't improve the security of the change, I wouldn't want to make the client store any additional data anywhere.

I do pony stuff :3

Posted

Make your mod have many secret passcodes sent with the messages. When the server gets the message, the server should then check if the passcode matches some decrypted versions stored. That way you can check if the sender is your mod.

 

Encrypt the entire message. That way, people can't see what you're sending in the package, and create their own packages out of that.

 

You should also send in the message, the location, where, when, and why the message was sent. Then check that data with your data, and see if it should update its content.

I might be terribly wrong.. Like really, really wrong. But I'm just trying to help.

Posted

Give the player some kind of verification password

 

I'd be sending a password through a non-encrypted POST. Very unsafe. If it doesn't improve the security of the change, I wouldn't want to make the client store any additional data anywhere.

 

E-Mail? Something like that

Creator of Extra Shoes

 

Watch out, I'm a total jerk, and I'll troll anybody if it feels like it's necessary. Pls report me then

Posted

Give the player some kind of verification password

 

I'd be sending a password through a non-encrypted POST. Very unsafe. If it doesn't improve the security of the change, I wouldn't want to make the client store any additional data anywhere.

 

Salt and hash. Done.

Apparently I'm a complete and utter jerk and come to this forum just like to make fun of people, be confrontational, and make your personal life miserable.  If you think this is the case, JUST REPORT ME.  Otherwise you're just going to get reported when you reply to my posts and point it out, because odds are, I was trying to be nice.

 

Exception: If you do not understand Java, I WILL NOT HELP YOU and your thread will get locked.

 

DO NOT PM ME WITH PROBLEMS. No help will be given.

Posted

Make your mod have many secret passcodes sent with the messages. When the server gets the message, the server should then check if the passcode matches some decrypted versions stored. That way you can check if the sender is your mod.

 

Encrypt the entire message. That way, people can't see what you're sending in the package, and create their own packages out of that.

 

You should also send in the message, the location, where, when, and why the message was sent. Then check that data with your data, and see if it should update its content.

 

Give the player some kind of verification password

 

I'd be sending a password through a non-encrypted POST. Very unsafe. If it doesn't improve the security of the change, I wouldn't want to make the client store any additional data anywhere.

 

Salt and hash. Done.

 

So basically add a crapton of data and work out my own encryption and decryption method. Okay, sounds good, I guess. Thanks!

I do pony stuff :3

Posted

Out of mere curiosity; HOW do you get an SSL certificate?

 

EDIT: added a word

I might be terribly wrong.. Like really, really wrong. But I'm just trying to help.

Posted

You can make a secure (as in nobody can listen) SSL connection with a self-signed certificate. You will not be able to ensure, however, that the person on the other end actually is who they say they are. The only way to properly verify this is through an official SSL certificate. If you don't have one, you cannot make a secure connection (the option "make your own" does not count. SSL has been developed for MANY years and it still has bugs like Heartbleed. Anything that you write on your own will be open like a hangar gate in comparison).

 

Yeah, I didn't want to do that. In the end, the data I'll be sending won't be sensitive in the way that obtaining them will give a potential troublemaker any edge. I'll just make sure to hash the messages sent well enough so they can't be decrypted too easily. I don't imagine many people would want to waste time on trying to crack an encoded Minecraft POST message, while not being too obvious for those who would do it out of curiosity due to low security.

I do pony stuff :3
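The "secret passcode plus salt and hash plus where/when" ideas above amount to a keyed message authentication code. The following is an added example of how a server could verify such a tag on the skin upload (not code from the thread, the mod or any server involved; the UUID, the per-player secret and the image bytes are constructed):

```python
import hashlib
import hmac
import time

# Constructed demo secret: in a real deployment each player gets a random
# 32-byte secret when the mod first registers, stored server-side and in the
# mod's config on that player's machine only.
PLAYER_SECRETS = {
    "00000000-0000-4000-8000-000000000001": b"constructed-demo-secret-player-1",
}
MAX_SKEW_SECONDS = 300          # reject requests whose timestamp is too old or new
_seen_tags = set()              # replay protection; per-process for the demo


def canonical_message(uuid: str, timestamp: int, image: bytes) -> bytes:
    # Bind the tag to who (uuid), when (timestamp) and what (image digest),
    # so that changing any of the three invalidates it.
    image_digest = hashlib.sha256(image).hexdigest()
    return f"{uuid}\n{timestamp}\n{image_digest}".encode()


def sign_upload(secret: bytes, uuid: str, timestamp: int, image: bytes) -> str:
    # The mod computes this tag and sends it as an extra POST field.
    msg = canonical_message(uuid, timestamp, image)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_upload(uuid: str, timestamp: int, image: bytes, tag: str, now=None) -> str:
    """Server side: return 'ok' or a short rejection reason."""
    now = int(time.time()) if now is None else now
    secret = PLAYER_SECRETS.get(uuid)
    if secret is None:
        return "unknown uuid"
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return "stale timestamp"
    expected = sign_upload(secret, uuid, timestamp, image)
    # Constant-time comparison: a plain == leaks how many leading bytes matched.
    if not hmac.compare_digest(expected, tag):
        return "bad signature"
    if tag in _seen_tags:
        return "replay"
    _seen_tags.add(tag)
    return "ok"
```

This proves the request came from someone holding that player's secret and was not altered or replayed; it does not hide the image or the UUID in transit, so the point about needing TLS for confidentiality still stands.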

Posted

Out of mere curiosity; do you get an SSL certificate?

I think there is a word missing here.

Oh my gosh, Oops!

 

My typing was a little fast. It was supposed to be *how*.

I might be terribly wrong.. Like really, really wrong. But I'm just trying to help.

Posted

Out of mere curiosity; do you get an SSL certificate?

I think there is a word missing here.

Oh my gosh, Oops!

 

My typing was a little fast. It was supposed to be *how*.

 

You either buy it from a certified vendor or self-sign one yourself using OpenSSL (at least on Linux). But a self-signed one isn't really honored anywhere, and the webpage will still be displayed as insecure.

I do pony stuff :3
