February 2004
- Solutions for smarter NPCs (long) Robert Zubek
- TECH: newbie, mud over jabber im cr88192
- Randomness Alex Chacha
- Randomness David Kennerly
- Randomness Alex Chacha
- UI Design Adam
- MCP/GUIs (was: MUD client popularity) Bruce Mitchener
- [DGN] A comparison of adolescent and adult online computer game players Luca Girardo
- Discussion groups at the MDC Brian 'Psychochild' Green
- Different Style of Online Games Stewart Berntson
- Too much magic? Brian Hook
- Too much magic? Michael "Flury" Chui
- Too much magic? John Buehler
- Too much magic? Hans-Henrik Staerfeldt
- Too much magic? John Buehler
- Too much magic? Corey Crawford
- Too much magic? cruise
- Too much magic? Brian Hook
- Too much magic? Richard A. Bartle
- Too much magic? Brian Hook
- Too much magic? Paul Canniff
- Too much magic? cruise
- Too much magic? Daniel.Harman@barclayscapital.com
- Too much magic? Ben Hawes
- Too much magic? Miroslav Silovic
- Weather simulations Nathan Black
- Weather simulations Spot
- Weather simulations Shane P. Lee
- Weather simulations Valerio Santinelli
- How much should be offloaded to Scripting? Dan Larsen
- How much should be offloaded to Scripting? Brian Hook
- How much should be offloaded to Scripting? Koster, Raph
- How much should be offloaded to Scripting? Brian Hook
- How much should be offloaded to Scripting? Jay Carlson
- How much should be offloaded to Scripting? Damion Schubert
- How much should be offloaded to Scripting? Jim Purbrick
- How much should be offloaded to Scripting? Jim Purbrick
- How much should be offloaded to Scripting? Sean Middleditch
- How much should be offloaded to Scripting? Lars Duening
- How much should be offloaded to Scripting? Ben Garney
- How much should be offloaded to Scripting? Acius
- How much should be offloaded to Scripting? Richard A. Bartle
- How much should be offloaded to Scripting? Patrick Dughi
- How much should be offloaded to Scripting? gbtmud
- How much should be offloaded to Scripting? Kwon J. Ekstrom
- How much should be offloaded to Scripting? James Pepe
- Media: Women over 40 biggest online gamers J C Lawrence
- Media: Women over 40 biggest online gamers ext.Christer.Enfors@tietoenator.com
- Media: Women over 40 biggest online gamers Koster, Raph
- Media: Women over 40 biggest online gamers Daniel James
- Media: Women over 40 biggest online gamers Fred Snyder
- Media: Women over 40 biggest online gamers Michael Sellers
- Media: Women over 40 biggest online gamers Tom Hunter
- Media: Women over 40 biggest online gamers Luca Girardo
- Media: Women over 40 biggest online gamers Luca Girardo
- Character Restraint & Capture. Jester
- Character Restraint & Capture. rjw
- Character Restraint & Capture. Matt Mihaly
- Character Restraint & Capture. Paul Schwanz
- Character Restraint & Capture. Matt Mihaly
- Character Restraint & Capture. Paul Schwanz
- Character Restraint & Capture. Matt Mihaly
- Character Restraint & Capture. Paul Schwanz
- Character Restraint & Capture. Damion Schubert
- Character Restraint & Capture. Daniel.Harman@barclayscapital.com
- Character Restraint & Capture. Matt Mihaly
- Character Restraint & Capture. Paul Schwanz
- Character Restraint & Capture. Jester
- Character Restraint & Capture. Matt Mihaly
- Character Restraint & Capture. Matt Mihaly
- Character Restraint & Capture. Jester
- Character Restraint & Capture. Matt Mihaly
- Character Restraint & Capture. Damion Schubert
- Character Restraint & Capture. Byron Ellacott
- Character Restraint & Capture. Jester
- Character Restraint & Capture. Jester
- Character Restraint & Capture. Damion Schubert
- Character Restraint & Capture. Marian Griffith
- Character Restraint & Capture. Jester
- Character Restraint & Capture. Brian 'Psychochild' Green
- Character Restraint & Capture. cruise
- Character Restraint & Capture. Paul Schwanz
- Character Restraint & Capture. Jester
- Character Restraint & Capture. Valerio Santinelli
- Character Restraint & Capture. Craig H Fry
- Character Restraint & Capture. Jim Purbrick
- Character Restraint & Capture. Michael Sellers
- Character Restraint & Capture. Jester
- Character Restraint & Capture. cruise
- Character Restraint & Capture. Jester
- Character Restraint & Capture. Tess Snider
- Character Restraint & Capture. Eric Random
- Player generated quests wcoles@reflectionsinteractive.com
- Player generated quests cruise
- Player generated quests Artur Biesiadowski
- Player generated quests Alex Chacha
- Player generated quests Mike Shaver
- Player generated quests Talanithus Tarant
- Quick question SSL Christopher Allen
- Quick question SSL ceo
Christopher Allen wrote:
> Cookies based on the client's IP number are not going to work for
> you 100%, not
> What you want to do is, and has worked well for Skotos, is to pick
> some random number, and pass that on via a cookie along with the
> hash of it, the username, and something that only the server
> knows. The user cannot with the username and the random number
> alone figure out how to reproduce the hash (assuming you use a
> strong hash like MD5 and keep your server secret really secret).

Sorry, I should have been more specific here about the threat model.
IP number was to guard against "someone snoops network packets, uses
your cookie to login as you". Even now it works for approx 50%-70%
of players and possibly is worth doing for that 50-70%, although it
means all you have to do to circumvent it is change ISP :(.

In this attack, the attacker doesn't need to reproduce the hash -
they see it in the HTTP traffic the first time the user sends the
cookie back to your server. On the server, you cannot seem to
construct ANY relationship between "the client that originally
HTTPS'd to me, and the client that is HTTP'ing to me" - the IP
address for each is different, and you can't just say "associate the
first IP that presents that token as being the correct client",
because then you're assuming there is only ONE set of proxies/caches
that the traffic travels through (which doesn't appear to be true
for all ISPs).

IIRC this is of the "Replay" type of attack - as an attacker, you
observe the "magic number/token" that is a valid response to a
server challenge, and then replay the same magic number the first
time the server challenges you. Of course this is why most security
protocols include the sender and receiver "addresses" inside
whatever's encrypted, but my problem here is that I don't seem to
have a notion of a client "address" which I can actually know/check
for all clients :(.

PS caches seem to fairly consistently use the extended
(i.e. non-standard) HTTP headers to indicate the IP address they are
routing on behalf of; I haven't checked *every* ISP of every player,
but I may be able to use these extended headers to infer the same IP
address for a client, no matter which proxy/cache they come via.

Adam M

- Quick question SSL sziisoft
- Quick question SSL Jo Dillon
- Quick question SSL Matthew D. Fuller
- Quick question SSL ceo
- Quick question SSL szii@sziisoft.com
- Quick question SSL Travis Casey
- Quick question SSL Tamzen Cannoy
- Quick question SSL ceo
- Quick question SSL Byron Ellacott
- Quick question SSL Alex Chacha
- Quick question SSL Sean Middleditch
- Quick question SSL ceo
- Mythica Cancelled.. dienw
- Mythica Cancelled.. Kerry Fraser-Robinson
- Mythica Cancelled.. David H. Loeser Jr
- Mythica Cancelled.. Vincent Archer
- Mythica Cancelled.. Vincent Archer
- Mythica Cancelled.. Michael Sellers
- Mythica Cancelled.. Scott Jennings
- Mythica Cancelled.. szii@sziisoft.com
- Mythica Cancelled.. Valerio Santinelli
- Mythica Cancelled.. Damion Schubert
- Mythica Cancelled.. Hans-Henrik Staerfeldt
- Mythica Cancelled.. Bill Slease
- Mythica Cancelled.. Freeman, Jeff
- Mythica Cancelled.. Tom "cro" Gordon
- [Design] Meta-physics Engine cruise
- RE:Character Restraint & Capture. Chris Duesing
- Economic model.. Brian Thyer
- Economic model.. Mike Lescault
- Economic model.. Robert Kovalchick
- Economic model.. Brian Thyer
- Economic model.. Matt Mihaly
- Economic model.. brian@thyer.net
- Economic model.. Matt Mihaly
- Economic model.. Matt
- Economic model.. Brian Thyer
- Economic model.. cruise
- Economic model.. brian@thyer.net
- Economic model.. cruise
- Economic model.. Thomas Clive Richards
- Economic model.. Michael Sellers
- Economic model.. Daniel.Harman@barclayscapital.com
- Economic model.. Michael Sellers
- Economic model.. Daniel.Harman@barclayscapital.com
- Economic model.. Brian Thyer
- Economic model.. Marian Griffith
- Economic model.. Brian Thyer
- Economic model.. Francisco Gutierrez
- Economic model.. Brian Thyer
- Character Restraint & Capture (bounty hunting) Jester
- Character Restraint & Capture (bounty hunting) Brian Hook
- Character Restraint & Capture (bounty hunting) Jester
- Character Restraint & Capture (bounty hunting) Roy Sutton
- Character Restraint & Capture (bounty hunting) Chris Duesing
- Character Restraint & Capture (bounty hunting) Byron Ellacott
- Character Restraint & Capture (bounty hunting) szii@sziisoft.com
- Character Restraint & Capture (bounty hunting) John Buehler
- Character Restraint & Capture (bounty hunting) Jester
- Character Restraint & Capture (bounty hunting) Byron Ellacott
- Character Restraint & Capture (bounty hunting) Jester
- Character Restraint & Capture (bounty hunting) Byron Ellacott
- Character Restraint & Capture (bounty hunting) Jester
- Economic model (long) Jester
- Announce: MUD-Dev Conference J C Lawrence