Question about data access

KGB1st
Posts: 230
Joined: Sat Jul 26, 2014 5:58 pm

Question about data access

Post by KGB1st »

Today I thought about an interesting situation. It concerns login server users' registration and authentication.
Can you tell me about secure transfer between client and server? Can a sniffer compromise a user's login and password?

I think to a certain degree it can. So I ask you: how can I secure my users' accounts?
Sacrifice
Advanced User
Posts: 1026
Joined: Thu Aug 14, 2014 6:31 am

Re: Question about data access

Post by Sacrifice »

Secondary Auth. Check configs in High Five branch.
KGB1st
Posts: 230
Joined: Sat Jul 26, 2014 5:58 pm

Re: Question about data access

Post by KGB1st »

Sacrifice wrote: Secondary Auth. Check configs in High Five branch.
And what can I see?

I ask about serious traffic sniffers and protocol attacks.
Sacrifice
Advanced User
Posts: 1026
Joined: Thu Aug 14, 2014 6:31 am

Re: Question about data access

Post by Sacrifice »

KGB1st wrote:
Sacrifice wrote: Secondary Auth. Check configs in High Five branch.
And what can I see?

I ask about serious traffic sniffers and protocol attacks.
We can't do anything...
canislupus
Posts: 66
Joined: Tue Dec 24, 2013 1:30 am

Re: Question about data access

Post by canislupus »

KGB1st wrote: Today I thought about an interesting situation. It concerns login server users' registration and authentication.
Can you tell me about secure transfer between client and server? Can a sniffer compromise a user's login and password?

I think to a certain degree it can. So I ask you: how can I secure my users' accounts?
The attacker would have to dehash the password (very, very time consuming).

It's so time consuming that it's not even worth it.

If you plan on adding account management to your website, you must enforce HTTPS and make sure you are not leaving any access to the database. I've seen people leave their PHP scripts containing database credentials accessible.
Remember to set up a firewall and hold the door.
So you want a L2J Server? Check out my guide viewtopic.php?f=81&t=30556&p=182721#p182721
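The "dehash the password" argument above only holds when the stored hashes are salted and deliberately slow. The following is an added example (written for this thread, not code from the L2J project or from any poster) that contrasts an unsalted single SHA-1 with a salted PBKDF2-HMAC-SHA256 record using only the Python standard library. The record format `algorithm$iterations$salt$key`, the helper names and the sample password are my own constructions; the iteration count of 600,000 is the figure OWASP recommended for PBKDF2-SHA256 in 2023.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (OWASP 2023 recommendation).
# Callers may lower it for tests; production records should use this value.
DEFAULT_ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"   # label stored with each record (constructed scheme name)


def legacy_unsalted_hash(password: str) -> str:
    """Contrast case: one unsalted SHA-1, base64-encoded.

    Fast and deterministic: equal passwords give equal hashes, so a leaked
    table can be matched against precomputed lookups at millions of guesses
    per second. The salted, iterated scheme below is what replaces it.
    """
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key."""
    if iterations < 1:
        raise ValueError("iterations must be positive")
    if salt is None:
        salt = os.urandom(16)   # per-user random salt defeats shared lookup tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the parameters in the record and compare in constant time."""
    try:
        algorithm, iterations_s, salt_b64, dk_b64 = stored.split("$")
        iterations = int(iterations_s)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
    except (ValueError, TypeError):
        return False   # malformed record is never a match
    if algorithm != ALGORITHM or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a record uses a weaker work factor (or another scheme) and
    should be re-hashed on the user's next successful login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    return int(parts[1]) < iterations


if __name__ == "__main__":
    import time
    pw = "correct horse battery staple"   # constructed sample password
    print("unsalted sha1 (identical for every user with this password):", legacy_unsalted_hash(pw))
    record = hash_password(pw)
    print("salted pbkdf2 record:", record)
    t0 = time.perf_counter()
    assert verify_password(pw, record)
    print(f"one verification took {time.perf_counter() - t0:.3f}s; "
          "an attacker pays that much per guess, per user")
```

Each login verifies with the iteration count stored in the record, so the work factor can be raised later: `needs_rehash` flags old records and the server re-hashes the plaintext it just verified.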
KGB1st
Posts: 230
Joined: Sat Jul 26, 2014 5:58 pm

Re: Question about data access

Post by KGB1st »

:really: hold the door...
HorridoJoho
L2j Senior Developer
Posts: 795
Joined: Sun Aug 14, 2005 11:27 am

Re: Question about data access

Post by HorridoJoho »

When the user's computer has a virus which steals passwords, you can't prevent account stealing, because the virus can always locally hook the place where the account credentials are encrypted, before they get encrypted. You can never secure account credentials when the user's machine itself is compromised.

The best you can do is to provide asymmetric cryptography over the course of the data transmissions. But when the key to decrypt the message from the other side is transmitted over the same device, a sniffer only needs to be present at the time the keys are exchanged and can read what the other side is sending. This only ensures that nobody can fake messages from the other side, because the sniffer doesn't have the private key for encrypting traffic. But it can fake messages to the other side.

To make absolutely sure, you would have to introduce another authentication device, like sending a mobile message to the phone number of the user's account, which requires the mobile device to send a message back to grant login access. That is the only way to protect from a user's compromised machine and unauthorized logins. Credentials, however, can always be stolen when the user's machine is compromised.
KGB1st
Posts: 230
Joined: Sat Jul 26, 2014 5:58 pm

Re: Question about data access

Post by KGB1st »

Thanks. I read your post and fully understand it, but I think that mobile messages and SSL certificates are very expensive for a simple server,
and proxies are expensive too. So we can do it with client-side SSL + iptables, but the problem is in the client: we must hack and rewrite more code :problem:
Zoey76
L2j Inner Circle
Posts: 7005
Joined: Tue Aug 11, 2009 3:36 am

Re: Question about data access

Post by Zoey76 »

Someone else could confirm but I don't think the client supports SSL.
canislupus
Posts: 66
Joined: Tue Dec 24, 2013 1:30 am

Re: Question about data access

Post by canislupus »

Just use Diffie-Hellman so you don't have to worry about managing and protecting the private key.

Cryptography will protect the data while it's in transit, but it won't protect a user with a keylogger installed on his machine :problem:
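To make concrete what canislupus and HorridoJoho are describing, here is an added example (written for this thread; it is not L2J code and not from any poster) of a finite-field Diffie-Hellman exchange in plain Python. The group constants are the 2048-bit MODP group from RFC 3526 (transcribed here, so check them against the RFC before relying on them); the transcript-bound key derivation, the `run_exchange` helper and the `wire` dictionary that stands in for what a passive sniffer records are my own constructions. The point the thread makes is visible in the return values: both sides end with the same key, the wire carries only `p`, `g` and the two public values, and recovering the key from those alone would require solving a discrete logarithm. What the example does not do is authenticate either side, which is HorridoJoho's caveat: a plain exchange stops a listener, not a party that can substitute its own public value, and that is why TLS signs the server's share with a certificate.

```python
import hashlib
import hmac
import secrets

# 2048-bit MODP group ("group 14") from RFC 3526, generator 2.
# Transcribed from the RFC; verify against the RFC text before production use.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
Q = (P - 1) // 2        # P is a safe prime; G generates the subgroup of prime order Q
EXPONENT_BITS = 256     # private exponents need about twice the target security level
SIZE = (P.bit_length() + 7) // 8   # byte length of a group element


def generate_keypair():
    """Fresh private exponent and the public value sent over the wire."""
    private = 2 + secrets.randbelow((1 << EXPONENT_BITS) - 2)
    return private, pow(G, private, P)


def shared_secret(own_private: int, peer_public: int) -> int:
    """Combine our private exponent with the peer's public value.

    The two checks reject degenerate values (0, 1, P-1) and anything outside
    the prime-order subgroup, so a malformed share cannot collapse the secret
    into a handful of guessable values.
    """
    if not 1 < peer_public < P - 1:
        raise ValueError("peer public value out of range")
    if pow(peer_public, Q, P) != 1:
        raise ValueError("peer public value not in the prime-order subgroup")
    return pow(peer_public, own_private, P)


def derive_key(shared: int, client_public: int, server_public: int) -> bytes:
    """HKDF-extract style: a 32-byte key from the group element, salted with a
    hash of both public values so the key is bound to this exact exchange."""
    transcript = hashlib.sha256(client_public.to_bytes(SIZE, "big") +
                                server_public.to_bytes(SIZE, "big")).digest()
    return hmac.new(transcript, shared.to_bytes(SIZE, "big"), hashlib.sha256).digest()


def run_exchange(client_private=None, server_private=None):
    """Run both sides and return (client_key, server_key, wire).

    `wire` is everything a passive sniffer on the path sees. Fixed private
    exponents may be passed in for reproducible tests.
    """
    if client_private is None:
        client_private, client_public = generate_keypair()
    else:
        client_public = pow(G, client_private, P)
    if server_private is None:
        server_private, server_public = generate_keypair()
    else:
        server_public = pow(G, server_private, P)

    # Only these four values cross the network.
    wire = {"p": P, "g": G, "client_public": client_public, "server_public": server_public}

    client_key = derive_key(shared_secret(client_private, server_public), client_public, server_public)
    server_key = derive_key(shared_secret(server_private, client_public), client_public, server_public)
    return client_key, server_key, wire


if __name__ == "__main__":
    ck, sk, wire = run_exchange()
    print("keys match:", ck == sk)
    print("sniffer sees:", {k: (v if k == "g" else hex(v)[:18] + "...") for k, v in wire.items()})
    print("sniffer does not see the private exponents, so it cannot rebuild:", ck.hex()[:16] + "...")
```

The derived key would then feed an authenticated cipher for the login packets; the exchange itself is only the part the thread is arguing about. Run it with fixed exponents (`run_exchange(5, 7)`) to see that the key depends only on the two secrets and the public transcript.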