gumshoe2029's Forum Posts

  • You need my Not Quite Random plugin,

    This will be useful in the future.

  • The only way to prevent pirating, is to have all of your game logic on a server application. That way the client is just a dead pile of images without the logic to run it.

  • ho well thanks, I managed to use the plugin. Now I'm just afraid I wasted my time with dictionaries? We'll see.

    Yea, JSON support is one of C2's weak spots. The plugins are far better.

  • I don't think there is. :-/

  • I think you need to use another coordinate, because all C2 arrays are inherently 3D.

    Try array[x][y][0] or array[x][0][0]

  • But think about something : doing a website with C2 is not bot-readable so your pagerank on search engine will be super low.

    Yea, this is another oddity that I have found too.

  • Yea, it will not work. But people can still scrape usernames/passwords/scores/etc. from the data streams, therefore it is inherently insecure.

    And when it comes to non-repudiation, they can just submit a hashed score of whatever they choose, because hashing algorithms are publicly uniform.

    That was what I meant when I said: "Anyone with a wire shark and knowledge of which algorithm you are using can guess at your original information."

    In malinga91's original post, if I wanted to submit a false score to his hashed system, I would use the URL:

    https : // domain . com / endpoint / ajax.php?xxxsdf=92323&verify=fda64db2c94f9b96ad316a858f1fac3974059d07ebf244fb01b5e53e9c87eb76

    and because I have access to all of the JavaScript variables, including his "secret," I can submit a false score still, and his server will still accept it because it is not secure.

  • But SSL certificates are not free

    They are now:

    https://letsencrypt.org/

    Our web portal and game client are secured via SSL/TLS with certificates from Let's Encrypt.

    Up to that, I have figured out another non-ssl security trick for sending data which contains not only the hashing API key but also the encryption. I called this method a Super64encode (/decode) as it is based on Base64 algorithm but salted with two keys. I will be releasing it to public soon with TR_System plugin which is an extension to the native System. Not sure if I'll remember to post it here, but you may want to follow me on Twitter or just check my blog from time to time. I should post it within two weeks or so.

    I use a scheme like this too, but that does not protect against falsified data. The problem with all of these schemes is that the protections can simply be removed on the client side.

  • Someone has cheated on my game using Cheat Engine.

    You don't need a cheat engine to hack HTML5 games. A simple debugger like Firebug will do fine.

    So your main goal is non-repudiation of the scores. SSL/TLS is not going to help with non-repudiation.

    Because the SSL certificates are handled by the browser, the web application (and the corresponding debuggers) is technically behind the SSL security wall, so people will still be able to submit false scores, and your server will continue accepting them.

    The only way that you are going to achieve this is to move all of your scoring logic onto a server application. Then the only power the client has is the power to submit requests for an action to happen. Then you can do all of your checks server-side, and if the score is illegitimate, then you can just send them back a nice error message.

    Rule Number One of game development: "Never trust the client; it is in enemy hands."
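
The two designs discussed in the posts above, side by side: a score check built on a secret that ships in the client, and scoring logic kept on the server. This is an added example, not code from the forum or from any Construct 2 plugin; the secret, action names, rules and function names are hypothetical.

```javascript
const crypto = require("crypto");

// Weak design: the server accepts a score if sha256(score + secret) matches.
// The secret must ship inside the client JavaScript, so every player has it.
const SHIPPED_SECRET = "constructed-demo-secret"; // constructed value

function hashScore(score, secret) {
  return crypto.createHash("sha256").update(String(score) + secret).digest("hex");
}

function weakServerAccepts(score, verify) {
  // Proves only that the sender knows the shipped secret, not that the
  // score was earned, so it gives no non-repudiation.
  return verify === hashScore(score, SHIPPED_SECRET);
}

// Server-authoritative design: the client may only request actions. The
// server owns the session state, applies the rules and computes the score.
const RULES = new Map([["coin", { points: 10, minIntervalMs: 200 }]]); // constructed rules
const sessions = new Map();

function startSession() {
  const id = crypto.randomBytes(16).toString("hex");
  sessions.set(id, { score: 0, lastActionAt: -Infinity });
  return id;
}

function requestAction(sessionId, action, now) {
  const s = sessions.get(sessionId);
  if (!s) return { ok: false, error: "unknown session" };
  const rule = RULES.get(action);
  if (!rule) return { ok: false, error: "unknown action" };
  // Reject requests that arrive faster than the game allows.
  if (now - s.lastActionAt < rule.minIntervalMs) return { ok: false, error: "too fast" };
  s.lastActionAt = now;
  s.score += rule.points;
  return { ok: true, score: s.score };
}

function finalScore(sessionId) {
  const s = sessions.get(sessionId);
  return s ? s.score : null; // the client never supplies this number
}
```

In the second design there is no request that carries a score at all, so the only thing left to validate is whether each requested action is legal at the time it arrives.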

  • We built our website in C2, but it has some odd side-effects like undoing the MVC development model and makes pagination difficult.

  • CB Hash is a hash, not encryption. The only encryption that works on browsers is SSL, and that is seated in the browser, not the web application.

    You cannot encrypt in JavaScript because the source is 100% available to any user of your website. So, people can just remove your encryption in the source.

    Hashing is a one way process though, you cannot get the original data back out of it on the server.

    You can hash it and have a comparison library on the server. I use something similar for the authentication on our website, but the server needs to have complete information or your comparison will fail.

    As long as your secret is sufficiently complex, it will not be hackable.

    Also, it is not entirely clear what you are trying to protect? Or are you just doing a non-repudiation scheme? The security will also depend very heavily on how you transmit your secret or the lifetime of the secret. Anyone with a wire shark and knowledge of which algorithm you are using can guess at your original information.

  • So please Scirra Team, make C3 as lightweight as possible but not so far that it will affect the feature list. Just make it cool and light.

    I can't imagine them not making it lightweight, since that is one of the hallmarks of C2, but the weight and ease of use of C2 is why we selected C2 to begin with.

  • > The URL of your game is the address that you have it posted to.

    >

    > In order to do what you are asking, you have to have a server-side application talking to a database or cache.

    >

    That sounds complicated, kinda...

    I've been doing some research and I've found a plugin called Cransberri, should I just buy that plugin and use it? Looks way easier.

    Thanks for your response!

    With the advent of virtual servers, it is really not bad now.

    But that plugin might work for you too. It would talk to Google servers.

  • It seems we have more devs than testers here, lol. There are only three responses so far. :-p

    > i wish the new C3 will have a really neat looking UI, like an adobe software

    >

    This. The UI in C2 works great, but doesn't look that great...

    Who cares if it looks great. It is clean, understandable, simple, and easy to follow. That is all of their design goals.