From 0ea5fc66924303d1bf73ba283a383e2aadee02f2 Mon Sep 17 00:00:00 2001 From: neodarz Date: Sat, 11 Aug 2018 20:21:34 +0200 Subject: Initial commit --- pipermail/nel/2001-April/000413.html | 107 +++++++++++++++++++++++++++++++++++ 1 file changed, 107 insertions(+) create mode 100644 pipermail/nel/2001-April/000413.html (limited to 'pipermail/nel/2001-April/000413.html') diff --git a/pipermail/nel/2001-April/000413.html b/pipermail/nel/2001-April/000413.html new file mode 100644 index 00000000..ff93dba5 --- /dev/null +++ b/pipermail/nel/2001-April/000413.html @@ -0,0 +1,107 @@ + + + + [Nel] A small document for your consumption + + + + + + +

[Nel] A small document for your consumption

+ Vincent Archer + archer@nevrax.com
+ Fri, 27 Apr 2001 17:15:17 +0200 +

+
+ +
According to Brenden Towey:
+> From: Vincent Archer <archer@nevrax.com>
+> > 3) MD5 for a dynamic challenge. A good example: the server sends you the
+> > current date when you connect, and you use that date as the first
+> > bytes of the MD5 digest.
+> 
+> Would #3 solve the login & password hacking problem?
+
+More or less. However, most of the hacking problems I've seen these days
+on MMOGs do not involve a spoofed server or anything else. They're all
+revolving around:
+
+1) A scam aimed at getting your login and password
+	(we have this incredible powerleveling service. Send us $30 and
+	 your password and we'll have you level 50 in a month)
+
+2) A trojan (last one on EQ pretending to be an 'undetectable macro
+   program') that intercept the login/password pair when you *type them*.
+
+Still, it doesn't hurt to make a MD5 challenge. If someone can spoof
+you into believing you're talking to the server, the usual crypto layer
+that protects your connection against sniffing will not protect your
+password (something some web designers conveniently forget, saying that
+once you're using https:// urls, you can send you password in clear to
+the web).
+
+> >serves as authentification, and the WS then updates the LS with its state,
+> >name and IP address. The WS may have a list of valid IP/port address for WS
+> >to avoid the occasional pirate server registration.
+> 
+> 
+> Ok, I don't understand this.  Why would one person or company want to do
+> this?  What's the advantage to having a login service in one location and a
+> world service in another?  Why not just co-locate all your services behind
+> one firewall?
+
+Bandwidth/Lag/Security issues.
+
+Bandwidth is the first, and usually the less important one. But when you
+start talking multiple OC12 links for your bandwidth consumption, you
+quickly have limits on where you can locate your worlds. It is a lot easier
+to negociate several locations with OC4 for each than say "I need a place
+with two OC12".
+
+Lag is another one. All the world is not the states... tell it to the Aussies
+who ranted and screamed till they finally got one Ultima Online server
+down under. We're doing our best to make lag irrelevant, but given the
+choice of playing on a server with 500 ms ping and a server with 100 ms
+ping times... The experience with the latter will always be a *lot*
+smoother.
+
+And finally security. Not network security, I'm talking real security.
+Despite every premium paid, what happens if your server room catches
+fire, and despite generous smothering of Halon, all your servers are
+burnt to a nice crispy taste? Sure, the insurance will pay you lots of
+money. But your players will no longer be there.
+
+Spreading your servers around makes sense on several points.
+
+-- 
+Vincent Archer                                         Email: archer@nevrax.com
+
+Nevrax France.                              Off on the yellow brick road we go!
+
+
+ + +
+

+ -- cgit v1.2.1
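
Review bot: The added archive page publishes the poster's e-mail address in clear text in three places: the header line `+ archer@nevrax.com`, the quoted `From: Vincent Archer <archer@nevrax.com>` line, and the signature line `Email: archer@nevrax.com`. Once this file is served it is trivially harvestable, so either rewrite addresses to an obfuscated form (for example "archer at nevrax.com") as part of the import, or state in the commit that republishing them verbatim is intended. Separately, the subject "Initial commit" says nothing about where this 107-line file came from; one line naming the source archive and how it was imported would make the provenance checkable.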