Secure highscore submission over HTTP

[delt0r]

Try doing some hacking on your own. Learn the tools you need to secure against. You will quickly discover why cheating is prevalent in online games, and why its so hard to combat.
 

[krasse]

Not really - all the hacker has to do it make the client run at half or quarter speed. From the recorded keystrokes it'll look like they're playing really well. Similarly a hacker could put a memory image save/restore and so 'incrementally' play a perfect game.

Solution to this "subproblem": You could have a timestamp for the game you play so the result is only valid for a limited time. This limits the damage for recorded keystrokes.

Hacker counter: Save a whole play with recorded input and send to server.

Solution to this counter: Randomize start state


A bot that can run in real time is however more difficult and it doesn't even have to run as a process in the target system.
In practice, when money is involved, suspicious users can be banned for no other reason than being just suspicious. No actual proofs are needed.

[Mordan]

It's not about thinking outside the box .. I can respect that you have this blissful fantasy that securing the client is possible .. we've all been there, you just haven't yet crashed into the wall of realization.

That's a different problem. It is technically feasible with the correct inputs to post funds to your account from someone else's account. That information is usually obtained through social engineering.

But the point is the entire "state" of an account is handled on the server - the client can only request transactions to be made, which the server will always validate. But that doesn't solve the problem of someone usen valid (but stolen) information to post a valid transaction.

To make a game analogy .. you could use a similar strategy with a game of Checkers. The server generates a game state and hands it off to the client. The client can then tell the server move-by-move what it wants to do. The server maintains the game state and validates each move.

But even this is not securing the client - it's just computing game state on the trusted end. Anytime you have a game where the state is exclusively maintained on the client side, you've already lost. It will be possible to cheat.

(you could also cheat at the "Checkers" strategy with a bit of AI).

unless the state is there for all the see. Map Hacks lose their purposes if game is played with no fog of war.

about emoney I meant cards where money state is stored on the card. They used to call it Proton here, Solo on the UK though i never used that one.

So while I agree that in theory state on the client side makes it possible to cheat, like I said, paper money is state on the client side. Money laundering does happen. But try to launder money using big fat notes of 500 euros? Doesn't happen very much.
So for highscores, nobody cares if people cheat for scores lower the Top 10. Alll you have to do is monitor the top ten scores using the above techniques and then some. For me, that's practical client security. Make recorded games and let the community check on those top ten highscores.

Now your point is one bright hacker would be able to masquerade even then. Well even the best money fakers are caught. They are playing "Catch me if you can"
What about your income history // highscore history. Maybe client security is also about how you design the community surrounding your game highscores.

That's why I wrote "real life ways" to achieve client security.