Development::Development Forum for development topics and for those interested in EQEMu development. (Not a support forum)

09-02-2007, 07:56 PM
Hill Giant
Join Date: May 2005
Location: Australia
Posts: 113
Quote:
Tell me this, would a server admin need to register their server with a CA, apply for an SSL cert that expires, then apply it to their server

To answer this, it’s going to be a multi-part response.

Quote:
would a server admin need to register their server with a CA, apply for an SSL cert that expires, then apply it to their server

First impression, "Yes". But with a "but". I’d be willing to host a Certificate Authority people could submit their server cert requests to and issue them free of charge for a period of, say, 10 years or something like that.
We could have it as ca.eqemulator.net or something similar.

Quote:
then, all clients expecting to connect have to install the cert as well?

I do not believe so, as this would not affect the client to my understanding; its intended use would just be for World<->Zone communication and possibly Login Server<->World. This will need clarification from someone who is more experienced in the communication between EQClient and EQEmu.
Granted, adding an extra process to the DataStream will slow it down, but if implemented correctly, it’s not even noticeable; think of https. (From my experience.)
This wouldn’t solve our security flaws, but it would be a good step in the right direction.
Also, we could make this a configurable option to have or not have, so depending on how the server admin feels at the time, they have the option to enable or disable SSL/TLS communications between EQEmu components.
- froglok

09-03-2007, 12:37 AM
Developer
Join Date: Oct 2004
Location: THE ATL (wut wut)
Posts: 325
Quote:
Originally Posted by froglok23
To answer this, it’s going to be a multi-part response.
First impression, "Yes". But with a "but". I’d be willing to host a Certificate Authority people could submit their server cert requests to and issue them free of charge for a period of, say, 10 years or something like that.
We could have it as ca.eqemulator.net or something similar.
I do not believe so, as this would not affect the client to my understanding; its intended use would just be for World<->Zone communication and possibly Login Server<->World. This will need clarification from someone who is more experienced in the communication between EQClient and EQEmu.
Granted, adding an extra process to the DataStream will slow it down, but if implemented correctly, it’s not even noticeable; think of https. (From my experience.)
This wouldn’t solve our security flaws, but it would be a good step in the right direction.
Also, we could make this a configurable option to have or not have, so depending on how the server admin feels at the time, they have the option to enable or disable SSL/TLS communications between EQEmu components.
- froglok

SSL can be used for a ton of stuff, but in order to implement this, you'd have to be able to talk to someone with access to the login server source. I don't think the odds of that happening are very high.
Dax
__________________
Daxum
Former ServerOp - Vallon Zek / Tallon Zek Emu Server - Legit / Guild PvP - (2007 - 2011 RIP)

09-04-2007, 09:58 AM
Discordant
Join Date: May 2004
Posts: 290
Or, rewrite the LS :p~
I don't think adding SSL to the emu would be practical. The overhead would be astronomical for a game like this. Although if you did, you could use a self-signed cert; you don't need to pay for one.
If you're only talking about using it for the LS to communicate with world, what's the point?

09-04-2007, 11:26 AM
Hill Giant
Join Date: Dec 2006
Posts: 102
The login server uses UDP as the transport protocol. SSL requires you to be using TCP so it cannot be used with the login server.
The login server cannot be changed to use TCP instead without changing the client, which is clearly not an option.
I fail to see any practical reasons for adding something like SSL into the mix. The client already encrypts the login credentials sent to the login server. That is what keeps almost everyone from just writing their own login server for LAN use.

09-04-2007, 02:07 PM
Hill Giant
Join Date: May 2005
Location: Australia
Posts: 113
OK, fair enough about the Login Server using UDP and not TCP.
But for communication between world and zone, certainly SSL could be used there.
-froglok

09-04-2007, 02:10 PM
Hill Giant
Join Date: May 2005
Location: Australia
Posts: 113
Quote:
Originally Posted by Theeper
Or, rewrite the LS :p~
I don't think adding SSL to the emu would be practical. The overhead would be astronomical for a game like this. Although if you did, you could use a self-signed cert; you don't need to pay for one.
If you're only talking about using it for the LS to communicate with world, what's the point?

What about communication between world and zone?
To me, having SSL between these communication channels, if possible, would certainly be worth it.
- froglok

09-04-2007, 03:20 PM
Demi-God
Join Date: Mar 2004
Posts: 1,066
If you're going to talk to the client, you're at the mercy of what the client does or does not support. To the best of my knowledge, the client does not support SSL either at the login or in world/zone communication.
__________________
<idleRPG> Rogean ate a plate of discounted, day-old sushi. This terrible calamity has slowed them 0 days, 15:13:51 from level 48.

09-04-2007, 03:24 PM
Hill Giant
Join Date: May 2005
Location: Australia
Posts: 113
Agreed, anywhere client <-> server communication takes place, SSL is not possible at all.
- froglok

09-04-2007, 08:50 PM
Developer
Join Date: Apr 2003
Posts: 589
There is really no reason to implement SSL between world and zone. And generally speaking, implementing SSL on a game server is expensive in terms of performance. I just can't see a legitimate reason to do this.
__________________
Read my developer notes at my blog.
Quote:
If it's not on IRC, it ain't l33t!
All times are GMT -4. The time now is 08:03 AM.