Encryption in OTTD

[Moriarty]

I'm curious - is the network data for the game encrypted? I'm guessing not.

Would it be possible to encrypt it? And before anyone asks Why - Why not. Is there any technical reason not to encrypt packet data?

[DaleStan]

Is there any technical reason not to encrypt packet data?

Yes.
1) Encryption increases at least connection-initialization overhead[0]
2) Encryption usually adds additional per-packet overheads.
3) Encryption increases CPU load.

[0] Surely the point here is security, which means that it has to be some random-gen key(s), not something stored in the source.

[Bilbo]

Considering the bandwidth consumed by OpenTTD, I think the increased CPU load from encrypting these few packets will be neglibigle. Worse may be adding dependency on some ssl/tls libraries and having to manage all the stuff. I guess the added benefit (having secure connection to the game server) will not convince devs to implement this. But maybe if you submit a patch ...

[Rubidium]

And which gameserver owner is going to spend 500 US Dollars for a SSL Certificate to prove he is who is pretends he is? This is especially needed because you need some way to know for certain whether the other side is actually the server. If you do not you can have the so-called man-in-the-middle attacks which basically make the encryption useless.

So without a proper way to prove that the "other" side is actually the computer you want to talk to, i.e. the game server, there is no real meaning in using encryption as it will be overly easy to make a man-in-the-middle attack, which makes the encryption totally useless.

[Moriarty]

1) Encryption increases at least connection-initialization overhead[0]

As a https doesn't seem to take more than several fractions of a second longer than regular http I think we can say initialisation doesn't need to be a problem.

2/3) - As pointed out, OTTD uses negligible bandwidth/CPU. I have no idea what the percentile increase would be, I can't say for certain what the increase would be, but a multiple of a small number is usually still a small number.



As to the SSL - Aren't there are other ways authenticate the server is what it says it is without an SSL cert. I.e.
http://en.wikipedia.org/wiki/Man-in-the-middle_attack

. Public keys can be verified by a Certificate Authority, whose public key is distributed through a secure channel (for example, with a web browser or OS installation).

It strikes me that you could use http://www.openttd.org/servers.php as that secure channel/certificate authority. No $500 certificates needed.

Also:

So without a proper way to prove that the "other" side is actually the computer you want to talk to, i.e. the game server, there is no real meaning in using encryption as it will be overly easy to make a man-in-the-middle attack, which makes the encryption totally useless.

Isn't this a logical fallacy?
"Because it can be broken with some effort there's no point putting it in".


And no, I'm not even remotely an expert on encrpytion.

[Korenn]

And before anyone asks Why - Why not.

Seeing as some answers to the 'why not' were given, how about the 'why'? Why do you want to encrypt data that holds ottd user commands? Do you consider something in there to be that sensitive?

[Bilbo]

And which gameserver owner is going to spend 500 US Dollars for a SSL Certificate to prove he is who is pretends he is? This is especially needed because you need some way to know for certain whether the other side is actually the server. If you do not you can have the so-called man-in-the-middle attacks which basically make the encryption useless.

So without a proper way to prove that the "other" side is actually the computer you want to talk to, i.e. the game server, there is no real meaning in using encryption as it will be overly easy to make a man-in-the-middle attack, which makes the encryption totally useless.

Sniffing (passive surveillance) is usually much easier than man-in-the-middle (active surveillance). Many people with HTTPS servers out there use certificates from some university CA or som of their home-made CA. Also, for openttd, as authority certificates would be distributed with it, there could be some authority maintained by developers whivch will give certificates to servers for free after some validation ... for openttd server you will not need to give somebody your real name, postal address, etc ... just somewhat verify that the server is under your control.

And 500 usd for certificate is expensive. I saw certs recognized in browsers given out for 20 usd/year (but probably still too much just for openttd server). Actually, I have not found certificate that was that much expensive, most expensive was 250 USD/year

Considering that for public servers, anybody can "sniff" you by simply joining as spectator, encryption is a bit futile (and sensitive data, aka the password is already exchanged in secure manner, not in plaintext)

So, it is IMHO too much effort for quite little benefit.

I think by combining with some application like ssltunnel or port forwarding over SSH you can get the encryption you want without having to modify openttd code at all.

[Bilbo]

2/3) - As pointed out, OTTD uses negligible bandwidth/CPU. I have no idea what the percentile increase would be, I can't say for certain what the increase would be, but a multiple of a small number is usually still a small number. 8)

Well, I forgot about one thing. Once you connect, you start downloading the current map. Which can be like 4 megabyte download for the largest map sizes. And encryption will add some significant overhead here. But considering the map get compressed before sending, the overhead won't be as large, but still, it will be probably noticable.

[Moriarty]

And before anyone asks Why - Why not.

Seeing as some answers to the 'why not' were given, how about the 'why'? Why do you want to encrypt data that holds ottd user commands? Do you consider something in there to be that sensitive?

Fair enough.
Because you can use the game to send messages, and there's no non-technical they should be in plain text. We have plenty of news stories of all manner of governments snooping on pretty much everything, and various telcos/ISPs do packet shaping etc.
Also, the more encrypted traffic there is, the harder it becomes for the people who want to spy to find the encrypted traffic that contains important stuff. So basically "why not" is the real answer, and not just me being a smart alec .

And no, I'm not a paranoid who encrypts everything. I don't even have a public/private key pair.

Well, I forgot about one thing. Once you connect, you start downloading the current map. Which can be like 4 megabyte download for the largest map sizes. And encryption will add some significant overhead here. But considering the map get compressed before sending, the overhead won't be as large, but still, it will be probably noticable.

Quick test then. I created a 2000*2000 map, and encrypted it with Axcrypt.
Size before: 4.16MB
Size after: 4.16MB

So no difference. I used axcrypt because that's what I have installed. Feel free to test other packages, I'd be curious to see why Axcrypt doesn't result in a file size change.

Considering that for public servers, anybody can "sniff" you by simply joining as spectator,

And private servers?

[Bilbo]

Quick test then. I created a 2000*2000 map, and encrypted it with Axcrypt.
Size before: 4.16MB
Size after: 4.16MB

Encryption will not make the file larger (or it will increase it only by few bytes in case there is some header telling how it is encrypted). But CPU will spend "considerable" amount of time (for files that large perhaps 200-500 msec, depending on the CPU speed) when encrypting it.

Considering that for public servers, anybody can "sniff" you by simply joining as spectator,

And private servers?

Yes, in private servers it may be worth it, but I think setting up ssltunnel on server and telling the players how to connect to it would add encryption to the connection, while openttd does not have to care about it at all - it gets new unencrypted connection from the localhost end of the ssl tunnel, whle tre data in transit are encrypted.

Perhaps best that could be done in this thing is post some "how to use ssltunnel with openttd to secure the conection" guide to openttd wiki...

[Rubidium]

som of their home-made CA

Thus easily 'attacked' by a man-in-the-middle because there is no trusted CA.

there could be some authority maintained by developers whivch will give certificates to servers for free after some validation

And how would that validation work? Lots of servers change their IP address fairly regularly (due to DSL/Cable), so we need to make lots of certificates and perform lots of revocations. This means lots of work that could otherwise be used for better things. Furthermore the frequent changes means that developers need to reply 'quickly', which most likely is not going to happen because there are vast 'gaps' during the day which then make OpenTTD much less playable.

And how do we get 'proof' that somebody is who he/she pretends? People can easily fake email or nicks at IRC. So you suggest people to go to a developer in real life so they can prove it?

[Bilbo]

som of their home-made CA

Thus easily 'attacked' by a man-in-the-middle because there is no trusted CA.

Yes, unless you distribute the certificate by other means (but the question is how?), it is vulnerable. Still, if you visited the site before, you can get warning that the cert. authority have changed. And if you are the issuer, then you will trust yourself (mostly these sites have https mainly because of site admin logging in securely to site administration).

there could be some authority maintained by developers whivch will give certificates to servers for free after some validation

And how would that validation work? Lots of servers change their IP address fairly regularly (due to DSL/Cable), so we need to make lots of certificates and perform lots of revocations. This means lots of work that could otherwise be used for better things. Furthermore the frequent changes means that developers need to reply 'quickly', which most likely is not going to happen because there are vast 'gaps' during the day which then make OpenTTD much less playable.

And how do we get 'proof' that somebody is who he/she pretends? People can easily fake email or nicks at IRC. So you suggest people to go to a developer in real life so they can prove it?

It could be connected with nick on tt-forums.net for example.
So when you connect to some server you will know who is the owner (of course unless someone steal someone else's forum account, as these forums operate over unencrypted http)
Still it could be open to attacks like registering similar names (Bilbo vs BiIbo - the small "L" replaced with capital "I") and abusing the fact that some characters look similar or even the same.
Also, the certificate giveout process would need to be automated ... some page checks authentication from forums and give you out your "personal server certificate".

edit:fix quoting

[Moriarty]

Encryption will not make the file larger (or it will increase it only by few bytes in case there is some header telling how it is encrypted). But CPU will spend "considerable" amount of time (for files that large perhaps 200-500 msec, depending on the CPU speed) when encrypting it.

200-500ms isn't even worth smiffing at. Not when you remember that the time taken to zip the thing up is significantly longer.

[stewis]

Umm may i ask why a game needs to send data encrypted (unless its a password) just sounds like a pointless idea that will take up peoples time.

Its not like any one is sending confidential infomation using the game anyway...

[CMircea]

Encryption will not make the file larger (or it will increase it only by few bytes in case there is some header telling how it is encrypted). But CPU will spend "considerable" amount of time (for files that large perhaps 200-500 msec, depending on the CPU speed) when encrypting it.

200-500ms isn't even worth smiffing at. Not when you remember that the time taken to zip the thing up is significantly longer.

No, 200-500 ms isn't a big deal, but considering that open sends lots of small packages very second the game would be EXTREMELY laggy, especially when a client with a less powerful CPU joins. And even so, say the server generates a random key, but it has to tell the client about it, and then you can easily get the key. Since the source is under the GPL, there's not much you can do to implement encryption, and I highly doubt it's needed, it's a game, not a database containing top secret info about US!

[Arathorn]

Even discussing this suggestion is a waste of time. Not to mention the -even if insignificant- waste of CPU and bandwidth.

[Korenn]

Even discussing this suggestion is a waste of time. Not to mention the -even if insignificant- waste of CPU and bandwidth.

yeah, that's a very constructive post you've added... an even bigger waste of time.

[Bilbo]

Ehm ... time to lock this thread? It seems that the discussion is somehow moving off the topic ...

[Moriarty]

Since the source is under the GPL, there's not much you can do to implement encryption, and I highly doubt it's needed, it's a game, not a database containing top secret info about US!

In that case please explain how this or this can work?
Being GPL isn't an impediment to encryption.

No, 200-500 ms isn't a big deal, but considering that open sends lots of small packages very second the game would be EXTREMELY laggy, especially when a client with a less powerful CPU joins.

Sorry, I don't get what you're saying.

[sc79]

Because you can use the game to send messages, and there's no non-technical they should be in plain text. We have plenty of news stories of all manner of governments snooping on pretty much everything, and various telcos/ISPs do packet shaping etc.

And the moral? Don't plan your crimes in OTTD chat. Paranoia is all good, but I think you'll need something a little more solid/constructive to encourage someone to take on all the work it would entail.