Loadable crypto for Linux

**KLS** · #1 05-04-2013, 10:37 PM

So long as you log in via the launcher it's fairly secure. Basically using TLS which is what you often use logging into a website via https.

I might release it one of these days since at this point it's basically superseded by their normal login process. Login is kind of a pain on linux atm and I'd like to see it be easier to build but I'll have to think about it.

sereal · #2 12-13-2013, 04:24 PM

Quote:

Originally Posted by KLS

So long as you log in via the launcher it's fairly secure. Basically using TLS which is what you often use logging into a website via https.

I might release it one of these days since at this point it's basically superseded by their normal login process. Login is kind of a pain on linux atm and I'd like to see it be easier to build but I'll have to think about it.

Can you clear up this whole deal? From what I can understand reading old threads someone cracked the crypto Live used and gave it to the eqemu devs on the condition it not be distributed (because it would endanger live accounts). (in other words we are insecurely authenticating to eqemu?)

Is the reason we cannot authenticate securely using more modern methods due to constraints in the client? (being we can't patch it)

A separate note - someone I talked to mentioned passing around binaries like this may violate crypto export laws?

Excuse my ignorance on the subject. I'm really curious more than anything.

**KLS** · #3 12-14-2013, 03:49 PM

Quote:

A separate note - someone I talked to mentioned passing around binaries like this may violate crypto export laws?

The laws were relaxed and now have an exception that many consumer products (and to my knowledge EQEmu) fall under.

Quote:

(in other words we are insecurely authenticating to eqemu?)

The client is quite insecure in how it sends passwords when you don't use the live-launcher.

sereal · #4 12-16-2013, 12:18 PM

Quote:

Originally Posted by KLS

The client is quite insecure in how it sends passwords when you don't use the live-launcher.

By 'live-launcher' do you mean the eq client as of now(ie it's been patched to fix any insecurities) or something else that was present in Titanium and or underfoot?

Could there be a possible work around where we run a insecure login server on the users computer that eq authenticates to, it then communicates securely to the eqemulator official login server.

Code:

+==== users-computer =========+ 
|+---------+    +----------+  |              +---------------+
||eqclient |<-->|fake login|<---internet---->| eqemulator    |
|+---------+    +----------+  |              +---------------+
+=============================+

The downside would be that the user needs to install another program. Servers could support either insecure(meaning they run the closed crypto binary), secure or both.

Am I way off base and or missing something here?