Loadable crypto for Linux

PiB · #1 05-04-2013, 10:44 AM

I have no idea if it is used any more on Live but this 'crypto system' is so weak and broken that they shouldn't be using it in 2013. I do respect keeping it closed, though ultimately it's your decision.

image · #2 05-04-2013, 01:28 PM

Quote:

Originally Posted by PiB

I have no idea if it is used any more on Live but this 'crypto system' is so weak and broken that they shouldn't be using it in 2013. I do respect keeping it closed, though ultimately it's your decision.

+1

Triple DES is quite weak and they do not use it anymore. But I think everyone already knew my stance on this for years

Least there is a public login server available now though officially.

**KLS** · #3 05-04-2013, 10:37 PM

So long as you log in via the launcher it's fairly secure. Basically using TLS which is what you often use logging into a website via https.

I might release it one of these days since at this point it's basically superseded by their normal login process. Login is kind of a pain on linux atm and I'd like to see it be easier to build but I'll have to think about it.

sereal · #4 12-13-2013, 04:24 PM

Quote:

Originally Posted by KLS

So long as you log in via the launcher it's fairly secure. Basically using TLS which is what you often use logging into a website via https.

I might release it one of these days since at this point it's basically superseded by their normal login process. Login is kind of a pain on linux atm and I'd like to see it be easier to build but I'll have to think about it.

Can you clear up this whole deal? From what I can understand reading old threads someone cracked the crypto Live used and gave it to the eqemu devs on the condition it not be distributed (because it would endanger live accounts). (in other words we are insecurely authenticating to eqemu?)

Is the reason we cannot authenticate securely using more modern methods due to constraints in the client? (being we can't patch it)

A separate note - someone I talked to mentioned passing around binaries like this may violate crypto export laws?

Excuse my ignorance on the subject. I'm really curious more than anything.

**KLS** · #5 12-14-2013, 03:49 PM

Quote:

A separate note - someone I talked to mentioned passing around binaries like this may violate crypto export laws?

The laws were relaxed and now have an exception that many consumer products (and to my knowledge EQEmu) fall under.

Quote:

(in other words we are insecurely authenticating to eqemu?)

The client is quite insecure in how it sends passwords when you don't use the live-launcher.

sereal · #6 12-16-2013, 12:18 PM

Quote:

Originally Posted by KLS

The client is quite insecure in how it sends passwords when you don't use the live-launcher.

By 'live-launcher' do you mean the eq client as of now(ie it's been patched to fix any insecurities) or something else that was present in Titanium and or underfoot?

Could there be a possible work around where we run a insecure login server on the users computer that eq authenticates to, it then communicates securely to the eqemulator official login server.

Code:

+==== users-computer =========+ 
|+---------+    +----------+  |              +---------------+
||eqclient |<-->|fake login|<---internet---->| eqemulator    |
|+---------+    +----------+  |              +---------------+
+=============================+

The downside would be that the user needs to install another program. Servers could support either insecure(meaning they run the closed crypto binary), secure or both.

Am I way off base and or missing something here?