UDP SSL for DP (I heard someone was working on this)????????


  • UDP SSL for DP (I heard someone was working on this)?
    OpenSSL supports udp now (has for some time, and they finally fixed some bugs 3 months or so ago) and I heard that someone was working on bringing this optional feature to darkplaces.
    ?????????????????
    tundramagi
    Forum addon
     
    Posts: 974
    Joined: Sun Jan 04, 2009 4:53 pm

Tue Jul 07, 2009 2:48 pm

  • Sorry, "you heard" ???

    Also, I'm not even sure what would be the reason to use openssl...
    Meh.
    Mr. Bougo
    Keyboard killer
     
    Posts: 760
    Joined: Mon Sep 10, 2007 3:29 pm

Tue Jul 07, 2009 6:19 pm

  • Mr. Bougo wrote:Sorry, "you heard" ???

    Also, I'm not even sure what would be the reason to use openssl...


    I was told. Was I told wrong?
    The reason for having the option to use openssl was discussed already.
    tundramagi
    Forum addon
     
    Posts: 974
    Joined: Sun Jan 04, 2009 4:53 pm

Tue Jul 07, 2009 6:28 pm

  • Well, I have no idea, I never heard about this.

    And I'm not sure I know your reasons... Got any link to your explanation?
    Mr. Bougo
    Keyboard killer
     
    Posts: 760
    Joined: Mon Sep 10, 2007 3:29 pm

Tue Jul 07, 2009 9:38 pm

  • Mr. Bougo wrote:Well, I have no idea, I never heard about this.

    And I'm not sure I know your reasons... Got any link to your explanation?


    We discussed it in another thread.
    No cheating. Mitm is made very difficult. Everything said/talked about can be kept private amongst the parties playing the game.

    I know that won't sway you, but a lot of people would like to be able to set up a non-cleartext server. Wrapping everything in crypto goodness is a nice option.
    tundramagi
    Forum addon
     
    Posts: 974
    Joined: Sun Jan 04, 2009 4:53 pm

Tue Jul 07, 2009 10:24 pm

  • ain't the game a bit too fast to do a man in the middle attack :D?

    It's not like that you could intercept a packet of kojn moving on the map, altering his packet to do a "look on floor,switch to RL, shoot in your own face" in realtime :)
    GreEn`mArine
    Forum addon
     
    Posts: 1509
    Joined: Tue Feb 28, 2006 9:33 pm
    Location: Germany

Wed Jul 08, 2009 5:57 am

  • Of course you can. Wait for the bit for weapon firing being set in the header of the input packet, and if set, alter the view angles randomly.
    1. Open Notepad
    2. Paste: ÿþMSMSMS
    3. Save
    4. Open the file in Notepad again

    You can vary the number of "MS", so you can clearly see it's MS which is causing it.
    divVerent
    Site admin and keyboard killer
     
    Posts: 3809
    Joined: Thu Mar 02, 2006 4:46 pm
    Location: BRLOGENSHFEGLE

Wed Jul 08, 2009 8:22 am

  • yeah OK by automating it it could work. I may ask for the number of times this had been done before. I mean I know it's 0, but it's fun to ask anyway :)
    GreEn`mArine
    Forum addon
     
    Posts: 1509
    Joined: Tue Feb 28, 2006 9:33 pm
    Location: Germany

Wed Jul 08, 2009 11:37 am

  • tl;dr
    /thread
    quit for good
    alpha
    Alien trapper
     
    Posts: 492
    Joined: Tue Jun 17, 2008 7:18 pm

Wed Jul 08, 2009 6:34 pm

  • Thanks for your constructive contribution alph'

    Mikee, I'm not sure why you would be afraid of mitm in... nexuiz?! It's a game ffs, there's no sensitive data transferred there. Same thing for the chat... I believe there are places better than a game server to transmit confidential data.

    The only thing I see that would benefit from encryption is rcon, but it's already protected, and is dependent on the main part of the protocol.
    Mr. Bougo
    Keyboard killer
     
    Posts: 760
    Joined: Mon Sep 10, 2007 3:29 pm

Fri Jul 10, 2009 5:54 am

  • Mr. Bougo wrote:Thanks for your constructive contribution alph'

    Mikee, I'm not sure why you would be afraid of mitm in... nexuiz?! It's a game ffs, there's no sensitive data transferred there. Same thing for the chat... I believe there are places better than a game server to transmit confidential data.

    The only thing I see that would benefit from encryption is rcon, but it's already protected, and is dependent on the main part of the protocol.


    I want to be free to use nexuiz to transmit sensitive data.
    Every other protocol has an SSL version. Nexuiz is the only thing I run that's in the clear (other than the few directories I have on the http server so people that don't like SSL can still dl map.)

    One should always be able to transmit sensitive data without fearing who's watching. Every european country has things they throw on their hate-speech lists, every middle eastern country and asian country as well. Rather than supporting the regimes that enjoy punishing their civilian peon subjects for what they say, nexuiz should mask that from prying eyes, or at least have the option to do so. Every other protocol has a version of itself that does just that.
    tundramagi
    Forum addon
     
    Posts: 974
    Joined: Sun Jan 04, 2009 4:53 pm

Fri Jul 10, 2009 9:59 am

  • tundramagi wrote:One should always be able to transmit sensitive data without fearing who's watching. Every european country has things they throw on their hate-speech lists, every middle eastern country and asian country as well. Rather than supporting the regimes that enjoy punishing their civilian peon subjects for what they say, nexuiz should mask that from prying eyes, or at least have the option to do so. Every other protocol has a version of itself that does just that.


    You're forgetting rcon2irc, clients in early connection stages which don't show up in the scoreboard but can see you talking, or admins watching their consoles or logs... If the protocol itself is flawed in terms of privacy, wrapping it in security layers makes no sense at all.
    Mr. Bougo
    Keyboard killer
     
    Posts: 760
    Joined: Mon Sep 10, 2007 3:29 pm

Fri Jul 10, 2009 11:19 am

  • "tell" has neither of these flaws :P
    divVerent
    Site admin and keyboard killer
     
    Posts: 3809
    Joined: Thu Mar 02, 2006 4:46 pm
    Location: BRLOGENSHFEGLE

Fri Jul 10, 2009 12:59 pm

  • Unless the server is modded.

    Okay, let's assume it isn't, so we can have some kind of banking system via the tell command.
    Mr. Bougo
    Keyboard killer
     
    Posts: 760
    Joined: Mon Sep 10, 2007 3:29 pm

Fri Jul 10, 2009 1:59 pm

  • Just delete this thread, SSL is never going to happen, nor is model clipping (cutting models by planes in memory), nor are buildings, nor are any more vehicles (like racecars).

    For some reason none of you want any of this, especially the peeps who can implement them (... I don't know who can implement SSL though, whoever it is).

    Nexuiz has gone as far as it will I think. There's this stupid idea that if we don't ___need___ it (regardless of the fact that surveillance in all the wonderful democracies is more pervasive than it ever was in the GDR, and men are jailed for 2 years for saying the wrong thing) then it shouldn't be implemented.

    And why the hell is anything I post to dev.nexuiz modded down? The clip model by a plane on load if you want to (so you can cut it up) idea (and the replace texture on model) that I posted (didn't come up with the proposed mechanisms, just posted the idea) was modded down to -1. You people seriously don't want this stuff that you feel the need to mod down any idea I post... oh but arguing about lb and kg is important!
    tundramagi
    Forum addon
     
    Posts: 974
    Joined: Sun Jan 04, 2009 4:53 pm

Fri Jul 10, 2009 6:40 pm

  • Problem is that for implementing SSL (you actually mean DTLS, by the way), huge engine changes would be needed, and lhnet.c would need to be entirely rewritten.

    For implementing one's own crypto, simpler means would work (only in netconn.c then). Almost everyone can do THAT, but many people tried to be clever and make their own crypto in the past, and failed (made it easy to crack).

    E.g. it would be a job of half an hour to encrypt the DP session using AES with the challenge used at time of connecting. But of course, it'd be pointless, because anyone who sniffs that challenge can decrypt the connection. But to design an actually WORKING cryptographic protocol is not easy and can easily take months, and it takes MORE than one cryptographically experienced person to get it right.

    A better idea would be a Diffie-Hellman key exchange at the beginning of the session, and then encrypting all packets using this key with AES - and I guess implementing this is about 10 to 20 hours of work. However, then one can easily perform a man-in-the-middle attack by performing DH with the client and DH with the server separately, and then acting as a relay.

    The challenge is making it actually SECURE. And for that I see no good method that could be easily added to DP.
    divVerent
    Site admin and keyboard killer
     
    Posts: 3809
    Joined: Thu Mar 02, 2006 4:46 pm
    Location: BRLOGENSHFEGLE

Fri Jul 10, 2009 7:11 pm

  • divVerent wrote:Problem is that for implementing SSL (you actually mean DTLS, by the way), huge engine changes would be needed, and lhnet.c would need to be entirely rewritten.

    For implementing one's own crypto, simpler means would work (only in netconn.c then). Almost everyone can do THAT, but many people tried to be clever and make their own crypto in the past, and failed (made it easy to crack).

    E.g. it would be a job of half an hour to encrypt the DP session using AES with the challenge used at time of connecting. But of course, it'd be pointless, because anyone who sniffs that challenge can decrypt the connection. But to design an actually WORKING cryptographic protocol is not easy and can easily take months, and it takes MORE than one cryptographically experienced person to get it right.

    A better idea would be a Diffie-Hellman key exchange at the beginning of the session, and then encrypting all packets using this key with AES - and I guess implementing this is about 10 to 20 hours of work. However, then one can easily perform a man-in-the-middle attack by performing DH with the client and DH with the server separately, and then acting as a relay.

    The challenge is making it actually SECURE. And for that I see no good method that could be easily added to DP.


    Well to make it secure one has to use DTLS and when it fails blame OpenSSL. DTLS works as such:
    first a public key crypto link is made, then a symmetrical AES key is exchanged for that session.
    (Same with SSH). To thwart MitM attacks against the public key exchange, the thing is signed, and there actually may be other ways (ssh 1 was vuln, as was earlier ssl versions, they are more hardened now IIRC).

    Could one of the DP programmers add DTLS support?
    tundramagi
    Forum addon
     
    Posts: 974
    Joined: Sun Jan 04, 2009 4:53 pm
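The two posts above describe the same key-exchange problem from both sides: divVerent's sketch of "DH at the start of the session, then AES on every packet" falls to a relay that runs one DH with the client and another with the server, and tundramagi's summary of DTLS/SSH is that the exchange is signed so the relay cannot impersonate the server. The script below is an added illustration of exactly that contrast, written for this page; it is not DarkPlaces, Nexuiz or OpenSSL code. The DH group (the Mersenne prime 2^127-1 with generator 3) and the 64-bit textbook RSA identity key are constructed toy parameters chosen only to make the message flow visible, and the transcript format, key derivation and function names are assumptions of the example. A real implementation would use a standard group or curve, a proper signature scheme, and the client would need the server's public key from a trust anchor (a pinned key or certificate), which is the part the thread never settles.

```python
import hashlib
import secrets

# --- Toy Diffie-Hellman group (constructed for this demo) -------------------
# P is the Mersenne prime 2^127 - 1 and G = 3.  Far too weak for real use; a
# deployment would use a standard group (e.g. RFC 3526) or an elliptic curve.
P = (1 << 127) - 1
G = 3

# --- Toy RSA identity key for the server (constructed) ----------------------
# A 64-bit modulus and unpadded textbook RSA over a bare hash are insecure;
# this only stands in for a real signature scheme (RSA-PSS, Ed25519, ...).
RSA_P = 4294967291
RSA_Q = 4294967279
RSA_N = RSA_P * RSA_Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))   # private, server-only


def dh_keypair():
    """Fresh ephemeral DH key pair: (private exponent, public value)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P)


def transcript(client_pub, server_pub):
    """Bytes both sides hash and the server signs: the two public values."""
    return client_pub.to_bytes(16, "big") + server_pub.to_bytes(16, "big")


def session_key(shared, tr):
    """Derive a 256-bit packet-encryption key from the DH secret and transcript."""
    return hashlib.sha256(shared.to_bytes(16, "big") + tr).digest()


def sign(msg):
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % RSA_N
    return pow(h, RSA_D, RSA_N)


def verify(msg, sig):
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % RSA_N
    return pow(sig, RSA_E, RSA_N) == h


def plain_dh(mitm=False):
    """Unauthenticated DH, as sketched in the thread.

    Returns (client_key, server_key, attacker_keys).  With a relay in the
    path the attacker holds the key each side uses, so it can decrypt and
    re-encrypt every packet while client and server notice nothing.
    """
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    if not mitm:
        tr = transcript(c_pub, s_pub)
        return (session_key(dh_shared(c_priv, s_pub), tr),
                session_key(dh_shared(s_priv, c_pub), tr), ())
    # Relay: one DH with the client, a second DH with the server.
    m_priv, m_pub = dh_keypair()
    tr_c = transcript(c_pub, m_pub)   # what the client sees
    tr_s = transcript(m_pub, s_pub)   # what the server sees
    client_key = session_key(dh_shared(c_priv, m_pub), tr_c)
    server_key = session_key(dh_shared(s_priv, m_pub), tr_s)
    attacker_keys = (session_key(dh_shared(m_priv, c_pub), tr_c),
                     session_key(dh_shared(m_priv, s_pub), tr_s))
    return client_key, server_key, attacker_keys


def signed_dh(mitm=False):
    """DH where the server signs the transcript with its identity key.

    Returns (client_accepts, client_key, server_key).  The client is assumed
    to know RSA_N/RSA_E out of band (pinned or via a certificate); without
    that trust anchor the signature proves nothing.
    """
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    m_pub = dh_keypair()[1]                 # only used when mitm=True
    server_sees = m_pub if mitm else c_pub
    sig = sign(transcript(server_sees, s_pub))
    server_key = session_key(dh_shared(s_priv, server_sees),
                             transcript(server_sees, s_pub))
    # The relay must present its own value to the client but cannot produce a
    # signature over (c_pub, m_pub): it does not hold RSA_D, so the forwarded
    # signature no longer matches what the client hashes.
    peer_pub = m_pub if mitm else s_pub
    tr = transcript(c_pub, peer_pub)
    accepts = verify(tr, sig)
    client_key = session_key(dh_shared(c_priv, peer_pub), tr)
    return accepts, client_key, server_key


if __name__ == "__main__":
    ck, sk, mk = plain_dh(mitm=True)
    print("plain DH under relay: keys match?", ck == sk,
          "attacker holds both?", mk == (ck, sk))
    ok, ck, sk = signed_dh(mitm=True)
    print("signed DH under relay: client accepts?", ok)
```

Running the script prints that the plain exchange gives client and server different keys, both of which the relay knows, while the signed exchange leaves the client refusing the session. The signature only helps because the server's public key is fixed in the client beforehand; that distribution problem (certificates, pinning, or a trust-on-first-use store) is the part of DTLS the thread calls "huge engine changes".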

Sat Jul 11, 2009 8:56 pm

  • Here's a reason why crypto is needed:
    (well... actually, many of you want people that say things you don't like jailed... ok this is for those who do NOT want men jailed for what they say)

    http://yro.slashdot.org/story/09/07/11/ ... ate-Crimes
    Rights Online: British Men Jailed For Online Hate Crimes on Saturday July 11, @02:33PM

    Posted by timothy on Saturday July 11, @02:33PM
    from the don'tcha-just-hate-online-crime dept.
    chrb writes "Two British men have become the first to be jailed for inciting racial hatred online. The men believed that material they published on web servers based in the United States did not fall under the jurisdiction of UK law and was protected under the First Amendment. This argument was rejected by the British trial judge. After being found guilty, the men fled to Los Angeles, where they attempted to claim political asylum, again arguing that they were being persecuted by the British government for speech that was protected under the First Amendment. The asylum bid was rejected and the two were deported back to the UK after spending over a year in a US jail."

    tundramagi
    Forum addon
     
    Posts: 974
    Joined: Sun Jan 04, 2009 4:53 pm

Sat Jul 11, 2009 9:11 pm

  • tundramagi wrote:Well to make it secure one has to use DTLS and when it fails blame OpenSSL. DTLS works as such:
    first a public key crypto link is made, then a symmetrical AES key is exchanged for that session.
    (Same with SSH). To thwart MitM attacks against the public key exchange, the thing is signed, and there actually may be other ways (ssh 1 was vuln, as was earlier ssl versions, they are more hardened now IIRC).

    Could one of the DP programmers add DTLS support?


    Problem is that going this route would mean entirely rewriting DP's network layer, which is out of scope.
    divVerent
    Site admin and keyboard killer
     
    Posts: 3809
    Joined: Thu Mar 02, 2006 4:46 pm
    Location: BRLOGENSHFEGLE

Sat Jul 11, 2009 9:25 pm

  • divVerent wrote:
    tundramagi wrote:Well to make it secure one has to use DTLS and when it fails blame OpenSSL. DTLS works as such:
    first a public key crypto link is made, then a symmetrical AES key is exchanged for that session.
    (Same with SSH). To thwart MitM attacks against the public key exchange, the thing is signed, and there actually may be other ways (ssh 1 was vuln, as was earlier ssl versions, they are more hardened now IIRC).

    Could one of the DP programmers add DTLS support?


    Problem is that going this route would mean entirely rewriting DP's network layer, which is out of scope.


    Well then only "good" people can use nexuiz, as it doesn't provide the protection necessary for "bad" people to stay out of jail (or stay alive if they choose the correct path of fighting those who try to arrest them).

    Most good OSS projects allow encryption. Some sorta roll their own (if using OpenSSL is not useful to their project they make their own "protocol" but use the existing crypto algos, and designs). Since most OSS projects are able to find a crypto person to do this, could DP?

    Otherwise only nice good people will play nexuiz and bad people (like me, like those brits, like anyone who believes something different than what's popular) will have to just not use it.
    tundramagi
    Forum addon
     
    Posts: 974
    Joined: Sun Jan 04, 2009 4:53 pm

Sat Jul 11, 2009 9:28 pm

  • Why not play it via OpenVPN?

    If you want, I can set up OpenVPN on my server, restricted so it only can access the Nexuiz server.
    divVerent
    Site admin and keyboard killer
     
    Posts: 3809
    Joined: Thu Mar 02, 2006 4:46 pm
    Location: BRLOGENSHFEGLE

Sat Jul 11, 2009 9:51 pm

  • tundramagi wrote:Otherwise only nice good people will play nexuiz and bad people (like me, like those brits, like anyone who believes something different than what's popular) will have to just not use it.


    Do you mean you have to be "bad", as you say, on every single channel of communication available to you???

    Well I hope you understand that most people will not want to implement that if it encourages such behaviour from the players.
    Mr. Bougo
    Keyboard killer
     
    Posts: 760
    Joined: Mon Sep 10, 2007 3:29 pm

Sat Jul 11, 2009 10:13 pm

  • Mr. Bougo wrote:
    tundramagi wrote:Otherwise only nice good people will play nexuiz and bad people (like me, like those brits, like anyone who believes something different than what's popular) will have to just not use it.


    Do you mean you have to be "bad", as you say, on every single channel of communication available to you???

    Well I hope you understand that most people will not want to implement that if it encourages such behaviour from the players.


    Yes, I understand that most players WANT people like me gone or imprisoned and that they hate freedom of speech (except for their own).

    I don't want to use nexuiz anymore. It's never going to be a worthwhile secure protocol. It's always going to be a crap in the clear no use for anything other than playing with brainwashed "correct think" people that hate you anyway. It's never going to have any of the things I'd like either (cutting through models (every time I propose this on the dev thing IT GETS MODDED DOWN "NO WE DON'T WANT THIS FEATURE, FUCK OFF" -1), building buildings, encryption, race cars, encryption please, being not a boring game)

    Sure, you don't need a secure protocol because you are part of that anti-freedom-for-men establishment. You have no problem with those brits being imprisoned for their hate speech. You are glad they will be punished.

    I'm not part of that establishment. I want to kill those people who imprison men for what those men say. I need that encryption. I'm not a "good" person. I'm one of the "bad" people. So is Anarkist probably. Soon many of you will be too, unless you continually monitor and narrow your views to what is acceptable, every time that changes.
    tundramagi
    Forum addon
     
    Posts: 974
    Joined: Sun Jan 04, 2009 4:53 pm

Sun Jul 12, 2009 9:13 am

  • You know, being such an extremist won't make your ideas stronger...


    It's funny how every single moral rule that won't let you act exactly the way you want is considered as brainwashing.
    Your parents, who taught you to use the toilet instead of... eh, you know what. They were MANIPULATING YOU. So, of course, there's no way they could be right. So, REVOLT! Freedom for bladders and sphincters!

    I don't want to use nexuiz anymore.

    K, bye.
    Mr. Bougo
    Keyboard killer
     
    Posts: 760
    Joined: Mon Sep 10, 2007 3:29 pm

Sun Jul 12, 2009 11:49 am

  • Mr. Bougo wrote:
    I don't want to use nexuiz anymore.

    K, bye.
    <3
    alpha
    Alien trapper
     
    Posts: 492
    Joined: Tue Jun 17, 2008 7:18 pm

Sun Jul 12, 2009 12:10 pm

  • alpha wrote:
    tundramagi wrote:I don't want to use nexuiz anymore.

    <3
    GFTO/STFU, both of you. Get a room already.
    [Want to develop? Look HERE]. Image Image Gif sauce.
    paperclips
    Alien trapper
     
    Posts: 346
    Joined: Mon Jan 12, 2009 10:27 am
    Location: internets

Sun Jul 12, 2009 3:37 pm

  • Mr. Bougo wrote:You know, being such an extremist won't make your ideas stronger...


    It's funny how every single moral rule that won't let you act exactly the way you want is considered as brainwashing.
    Your parents, who taught you to use the toilet instead of... eh, you know what. They were MANIPULATING YOU. So, of course, there's no way they could be right. So, REVOLT! Freedom for bladders and sphincters!

    I don't want to use nexuiz anymore.

    K, bye.


    I'm not using it anymore. I've shutdown my server. I stopped mapping 2 weeks ago. It's not fun anymore.

    You support jailing men who take young wives of childbearing age. There's nothing good about that, not for men. Nor is there anything good about jailing men for what they say (at least for men: it IS good for women: adds to their power and wealth and privilege through the terror the state commits against its male subjects.)

    I don't see what that has to do with not making a mess.
    tundramagi
    Forum addon
     
    Posts: 974
    Joined: Sun Jan 04, 2009 4:53 pm

Sun Jul 12, 2009 4:19 pm

  • Well, I didn't see this thread turning into a rant about "men's liberty" :roll:

    If you knew anything about human sexuality, you'd know that 12-14 year olds (your target age in these rants) is considered under-developed, yet you try to play it off like people who are against pedophilia are "morally wrong".

    Your contributions will be missed by some but I don't think anyone will miss these twisted rants which frankly do not belong in these forums.
    [-z-]
    Site Admin and Nexuiz Ninja
     
    Posts: 1794
    Joined: Mon Nov 13, 2006 12:20 am
    Location: Florida

Sun Jul 12, 2009 4:22 pm

  • This is not a place for such discussions.

    If anyone is implementing SSL for DP, please make a new topic.
    Mr. Bougo
    Keyboard killer
     
    Posts: 760
    Joined: Mon Sep 10, 2007 3:29 pm
