Dave Watts wrote:
One of the possible tricks that you can use is to send messages to your
"high-score" server during the game so that you can verify that the person
passed certain checkpoints. You can throw these away after the final score
is recorded and validated.
At the checkpoints, you can record current score, a game state (if that is
relevant) and a timestamp and then do a quick reasonableness check when the
final score is recorded.

You need to assume that the cheater has read your client-side code.
A determined cheater can always build a simulator for your game and replace
your game with their simulator.

Keep in mind that all communication between the client and the server
can be recorded by the client (or the server for that matter, not that
that would be a threat). So, those messages could also be recorded.
SSL/TLS will not prevent this, either - it'll simply mean that the
communication can only be recorded by the client or server endpoints,
and nothing in between.
You do have the element of time in the recording, so the user has to get the right messages at the right time, which means that they have to record a winning high score to produce a fake high score, and may be unable to produce a higher score since they have no path through the game to copy.

The realistic goal of security is never absolute protection. You just want to make the cost higher than the hacker is willing to pay to get the result. Of course, no one would turn down a scheme that gave absolute security, but those are few and far between.

The crossdomain file gives you some protection.

That doesn't protect the server, only the client's machine.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

_______________________________________________
Flashcoders mailing list
Flashcoders@chattyfig.figleaf.com
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
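
The checkpoint "reasonableness check" discussed in this thread, as an added server-side example that is not code from any of the posters. The limits, the `Checkpoint` fields, the use of the server's own receive time as the timestamp, and the rule that scores never decrease are all assumptions for a hypothetical game.

```python
from dataclasses import dataclass

# Assumed limits for a hypothetical game; tune to the real scoring rules.
MAX_POINTS_PER_SECOND = 50.0   # fastest legitimate scoring rate
MIN_CHECKPOINT_GAP = 5.0       # seconds; checkpoints cannot arrive faster
REQUIRED_CHECKPOINTS = 3       # checkpoints a full game must pass


@dataclass
class Checkpoint:
    index: int          # checkpoint number reported by the client
    score: int          # score reported at that checkpoint
    received_at: float  # server clock when the message arrived (seconds)


def validate_final_score(started_at, checkpoints, final_score, finished_at):
    """Return (ok, reason) for a submitted final score."""
    if len(checkpoints) < REQUIRED_CHECKPOINTS:
        return False, "missing checkpoints"
    prev_score, prev_time = 0, started_at
    for expected_index, cp in enumerate(checkpoints, start=1):
        if cp.index != expected_index:
            return False, f"checkpoint {cp.index} out of order"
        gap = cp.received_at - prev_time
        if gap < MIN_CHECKPOINT_GAP:
            return False, f"checkpoint {cp.index} arrived too quickly"
        if cp.score < prev_score:  # assumption: scores never decrease
            return False, f"score decreased at checkpoint {cp.index}"
        if cp.score - prev_score > gap * MAX_POINTS_PER_SECOND:
            return False, f"score jump too large at checkpoint {cp.index}"
        prev_score, prev_time = cp.score, cp.received_at
    tail = finished_at - prev_time
    if tail < 0 or final_score < prev_score:
        return False, "final score inconsistent with last checkpoint"
    if final_score - prev_score > tail * MAX_POINTS_PER_SECOND:
        return False, "final score jump too large"
    return True, "ok"


# Constructed sample sessions (server times in seconds since game start).
HONEST = [Checkpoint(1, 400, 10.0), Checkpoint(2, 900, 22.0), Checkpoint(3, 1500, 35.0)]
FORGED = [Checkpoint(1, 400, 10.0), Checkpoint(2, 9000, 12.0), Checkpoint(3, 9500, 35.0)]

if __name__ == "__main__":
    print(validate_final_score(0.0, HONEST, 1800, 42.0))
    print(validate_final_score(0.0, FORGED, 99999, 42.0))
```

As the thread points out, a check like this does not stop the replay of a recorded legitimate session; it only bounds what a submitted score can claim.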

