Authentication Proposal
I recently asked NTAuthority about this, and he 'chose to ignore it'.
So, NTAuthority, I'd like to explain it in a forum post, so that you can understand it and take it more seriously.
Assigning RSA Keys + Certificates to servers and clients would be a very secure authentication method for this game.
It would also make verifying servers and clients much more secure, as their information would be verified upon registration.
----------------------------------------------------------------------------------------
Advantages:
- Users can play the game EVEN if fourdeltaone is down (as long as they have their certificate + private key).
- It's pretty secure.
- You can manage servers which are allowed to accept clients. Servers would require a valid certificate from fourdeltaone for clients to accept it (you won't need to generate 'API' keys any more and you can state limits, etc...)
- This will eradicate impersonation/spoofing, and will make it harder for offenders (cheaters) to dodge the system (Clients require a valid certificate from fourdeltaone for servers to accept them)
- Login does not require any connection to a server. Passwords do not leave the computer.
- Right now, passwords are sent in the clear with no protection (not even SSL) over HTTP POST.
- There is no cost. You would not need to buy certificates from VeriSign or whatever, they would be generated for free upon registration and the 4D1 certificates would be self-signed.
- Certificates can be 'revoked' by the auth server (in other terms, players and/or servers can be globally banned/blacklisted)
- If this was put into place, there would be no more computer-specific CPU/Hard Drive/Network Card based 'XUIDs' anymore (which have been spoofed before).
- Anti-Cheat would be far more effective, as the implementation of an account-based system would make ban evading difficult.
- The certificates would ensure that spoofing is near-impossible.
- Community features would be possible (clans, etc)
- Accounts should be unique and probably 1-per-steam-account-which-owns-mw2. Otherwise people would generate tonnes of accounts and ban evading would be easier.
- This would prevent people from bypassing your non-piracy checks (which I think has been achieved already)
----------------------------------------------------------------------------------------
Some drawbacks would be:
- FourDeltaOne needs to be online for registration to be possible.
- In case the certificate and private key are lost, they may need to be downloaded from the account server again. (4D1 needs to be online, encrypted private keys would be stored, and some sort of digested password would need to be sent to authenticate the user.)
- Passwords can't be changed unless the keypair is renewed + certificate reissued. (E-Mail should solve that issue)
- mainly as I hate crypto
- You'll need to put in some defenses against crypto attacks (replay, man-in-the-middle).
----------------------------------------------------------------------------------------
Give it some thought, though. If you really don't want to do it, that's fine.
I just wanted to make sure you properly considered it.
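The registration and login exchange sketched in the post, as an added example that is not part of the original post and not 4D1's or NTAuthority's code. It is written in Go because its standard library already has the RSA and X.509 pieces. Everything named here is an assumption for illustration: the `Authority` type standing in for the 4D1 account server, the `VerifyClient` check a game server would run on connect, the `"4d1-client-auth-v1"` label, and the idea that each game server holds a copy of the revocation (ban) list. The two drawbacks the post flags are handled explicitly: the server's random per-connection nonce is the replay defence, and mixing the server's own certificate into the signed data is the man-in-the-middle (relay) defence.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Authority stands in for the hypothetical 4D1 account server (an assumption, not
// real 4D1 code). It holds the self-signed root key, issues player and server
// certificates at registration, and keeps the revoked (banned) serial numbers.
type Authority struct {
	Key     *rsa.PrivateKey
	Cert    *x509.Certificate
	Revoked map[string]bool
}

// NewAuthority creates the self-signed root: no VeriSign, no cost.
func NewAuthority(name string) (*Authority, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // parent == template: self-signed
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Authority{Key: key, Cert: cert, Revoked: map[string]bool{}}, nil
}

// Issue is the registration step. The player (or server operator) generates the
// keypair locally and sends only the public key; the private key never leaves the machine.
func (a *Authority) Issue(serial int64, name string, pub *rsa.PublicKey, usage x509.ExtKeyUsage) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{usage},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, a.Cert, pub, a.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Revoke is the global ban: the serial goes on the list that game servers check.
func (a *Authority) Revoke(c *x509.Certificate) { a.Revoked[c.SerialNumber.String()] = true }

// NewNonce is the server's fresh challenge. A random per-connection nonce is the
// replay defence: a signature captured from one login is useless for the next.
func NewNonce() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// transcript binds the challenge to the server the client believes it is talking to.
// Hashing the server certificate into the signed data is the man-in-the-middle
// defence: a signature relayed to a different server will not verify there.
func transcript(nonce []byte, server *x509.Certificate) []byte {
	h := sha256.New()
	h.Write([]byte("4d1-client-auth-v1")) // assumed domain-separation label
	h.Write(nonce)
	h.Write(server.Raw)
	return h.Sum(nil)
}

// SignChallenge is the client side: prove possession of the private key behind its cert.
func SignChallenge(priv *rsa.PrivateKey, nonce []byte, server *x509.Certificate) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, transcript(nonce, server))
}

// VerifyClient is what a game server runs on connect: the client certificate must
// chain to the 4D1 root, must not be revoked, and the client must have signed this
// server's challenge with the matching private key. No call to 4D1 is needed here.
func VerifyClient(root *x509.Certificate, revoked map[string]bool, server, client *x509.Certificate, nonce, sig []byte) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := client.Verify(opts); err != nil {
		return fmt.Errorf("certificate not issued by the 4D1 root: %w", err)
	}
	if revoked[client.SerialNumber.String()] {
		return errors.New("certificate revoked: account is banned")
	}
	pub, ok := client.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("client certificate does not carry an RSA key")
	}
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, transcript(nonce, server), sig); err != nil {
		return errors.New("signature does not match the certificate or the challenge")
	}
	return nil
}

func main() {
	ca, _ := NewAuthority("4D1 Root (example)")
	srvKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	srvCert, _ := ca.Issue(100, "example game server", &srvKey.PublicKey, x509.ExtKeyUsageServerAuth)
	plKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	plCert, _ := ca.Issue(200, "example player", &plKey.PublicKey, x509.ExtKeyUsageClientAuth)
	nonce, _ := NewNonce()
	sig, _ := SignChallenge(plKey, nonce, srvCert)
	fmt.Println("login:", VerifyClient(ca.Cert, ca.Revoked, srvCert, plCert, nonce, sig))
	ca.Revoke(plCert)
	fmt.Println("after ban:", VerifyClient(ca.Cert, ca.Revoked, srvCert, plCert, nonce, sig))
}
```

Two things the example deliberately leaves open, because the post does too: how game servers learn about new bans (the revocation list has to reach them somehow, so either 4D1 publishes a signed list periodically or servers ask it at connect time, which brings back the online dependency for bans only), and how the client's private key is stored at rest (encrypted under the user's password, as the post suggests, so the password still never leaves the machine).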