Complete.Org: Mailing Lists: Archives: freeciv-dev: August 1999:
Re: [Freeciv-Dev] cmdlevel: sticky and moved out of connection into play
Home

Re: [Freeciv-Dev] cmdlevel: sticky and moved out of connection into play

[Top] [All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index] [Thread Index]
To: Gary Moyer <garymoyer@xxxxxxxx>
Cc: David Pfitzner <dwp@xxxxxxxxxxxxxx>, "freeciv-dev@xxxxxxxxxxx" <freeciv-dev@xxxxxxxxxxx>
Subject: Re: [Freeciv-Dev] cmdlevel: sticky and moved out of connection into player structure
From: Greg Wooledge <wooledge@xxxxxxxxxxx>
Date: Tue, 24 Aug 1999 18:40:02 -0400

Gary Moyer (garymoyer@xxxxxxxx) wrote:

> What about a simple password scheme using salt2 encrypted locally?  This would
> fix a number of issues and prevent simple snooping attacks.  Each players
> password could be stored (encrypted) in the game file.

As soon as you bring encryption into the picture, you run into various
countries' laws.  The US, for example, forbids the export of cryptographic
programs which are "sufficiently" (not very) strong.  Other countries
have similar or related problems.

Of course, it doesn't matter much whether you store the password in the
save file with or without encryption -- it's visible only on the server.
The players can't see it, unless they have shell accounts or FTP access
on the server -- and even then, you could set the umask to 077 so that
only the game admin and the superuser can read the files.

A bigger issue is transmitting the password over an unsecured TCP channel
in cleartext.  Getting around this can be done in several different ways,
but then you get back to silly laws....

So, if you don't encrypt the "password", you'll avoid many legal issues,
and you won't lose much security.

-- 
Greg Wooledge                    | Distributed.NET http://www.distributed.net/
wooledge@xxxxxxxxxxx             | because a CPU is a terrible thing to waste.
http://www.kellnet.com/wooledge/ |

[Prev in Thread] Current Thread [Next in Thread]