Re: Connection encryption
Posted: 19 Apr 2014, 10:42
by netvortex
k0tbegemot wrote: You are joking, right? Do you really consider hard-coding a fixed encryption key into the Flash client an acceptable solution?
No one said you should take this simple example. It's simply to illustrate that encryption can be done easily without producing huge overhead over the whole protocol.
Re: Connection encryption
Posted: 19 Apr 2014, 11:00
by k0tbegemot
Like I said in my previous reply, to handle encryption keys securely you will have to re-implement a big chunk of SSL, and it's 10 to 1 that your implementation will be less secure and less efficient than actual SSL.
It is easy to encrypt data. It is far from trivial to make it impossible (or even difficult) for "bad guys" to extract keys.
Re: Connection encryption
Posted: 20 Apr 2014, 17:00
by netvortex
There are only 2 possibilities:
1. If the attacker has access to the memory of your application, then SSL doesn't help you at all. The opposite is the case: the SSL lib can be found in memory more easily than your own implementation.
2. If the attacker is only on the network, accessing the network stream, encrypting packets with AES does the job, since there is no way to decrypt it.
You have these 2 scenarios only, and neither requires SSL. Seriously, no offense, but you only need it when you are unable to implement it yourself - there is no other reason I could think of.
Re: Connection encryption
Posted: 20 Apr 2014, 17:08
by k0tbegemot
3rd variant (and most probable): if the attacker has access to the Flash application (for example by downloading it from your server... as any user will do), s/he can extract the key and reverse-engineer the encryption algorithm.
Re: Connection encryption
Posted: 24 Jun 2014, 09:08
by seeingrain
I've posted my solution in a new thread:
http://forums.smartfoxserver.com/viewto ... 18&t=17244
In my transparent solution, no source code is touched.
Re: Connection encryption
Posted: 24 Jun 2014, 09:24
by k0tbegemot
For future reference: we ended up using a hybrid approach. The client first connects via HTTPS to Jetty (which is part of SmartFoxServer). Our custom servlet generates a pair of encryption keys to be used to encrypt communications between client and server and returns these keys to the client (all of this is done via HTTPS, so the keys cannot be sniffed). Once the client has received the keys, the normal SmartFoxServer communication protocol is used, but all data is encrypted with these keys.
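The hybrid scheme described in the post above, sketched as an added Go example (not code from this thread or from SmartFoxServer): per-login keys that are never shipped inside the client, then authenticated encryption of each packet. Assumptions: the "pair" is one AES-256-GCM key per direction, a packet counter serves as the nonce, all function names are hypothetical, and the HTTPS delivery of the keys is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// NewKeyPair makes the per-login keys the HTTPS servlet would hand out.
// Assumption: the "pair" is one 256-bit AES key per traffic direction.
func NewKeyPair() (c2s, s2c []byte, err error) {
	buf := make([]byte, 64)
	_, err = rand.Read(buf)
	return buf[:32:32], buf[32:], err
}

// NewAEAD wraps a key in AES-GCM, which authenticates as well as encrypts.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// nonce encodes the packet number; with one key per direction and a counter
// that never repeats, no (key, nonce) pair is ever reused.
func nonce(seq uint64) []byte { return binary.BigEndian.AppendUint64(make([]byte, 4), seq) }

// Seal encrypts packet number seq. The sender increments seq for every packet.
func Seal(a cipher.AEAD, seq uint64, p []byte) []byte { return a.Seal(nil, nonce(seq), p, nil) }

// Open decrypts the packet the receiver expects as number seq. It fails if the
// packet was modified, replayed, reordered or sealed under another key.
func Open(a cipher.AEAD, seq uint64, ct []byte) ([]byte, error) {
	return a.Open(nil, nonce(seq), ct, nil)
}

func main() {
	c2s, _, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	a, _ := NewAEAD(c2s) // both ends build this from the same delivered key
	msg, err := Open(a, 1, Seal(a, 1, []byte("login:alice")))
	fmt.Println(string(msg), err)
}
```

A key recovered from one client's memory is only good for that login, which is the difference from the hard-coded key discussed earlier in the thread.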
Re: Connection encryption
Posted: 24 Jun 2014, 13:21
by Lapo
Seems like a good idea.
What key length are you using, if I can ask?
Re: Connection encryption
Posted: 10 Feb 2015, 10:19
by Lapo
As announced in our blog, connection encryption will come with the next SFS2X release, 2.10
A few more details are discussed here:
http://smartfoxserver.com/blog/?p=163
Stay tuned
Re: Connection encryption
Posted: 02 Apr 2015, 13:05
by ndesy
Any news about the 2.10 release?
What level of flexibility will we have about the activation of this feature? We have multiple clients (web / iOS / Unity) that connect to the same SmartFox server, and we would like to force users to use an encrypted connection. But since we do not have any control over the Apple App Store, it is hard to have all clients updated at the same time.
Would it be possible to get a preview version of this update to test the TLS encryption?
Re: Connection encryption
Posted: 02 Apr 2015, 13:25
by Lapo
You can send us an email after April 15th and I will be able to send a stable preview for you to test. We have already run lots of tests, even on a large scale.
Support for iOS and C++ is still missing. The other clients are supported (C#/Unity, Flash, Java/Android etc...)
As regards activating the feature, it's just a matter of adding a few lines of code to your application (1 call and 1 event handler) and recompiling with the new API.
An official release date is not set yet, as we're finishing the missing API and preparing other interesting new stuff.

Re: Connection encryption
Posted: 02 Apr 2015, 13:32
by ndesy
Excellent! Actually our iOS is using Unity so it should be good for us!

Re: Connection encryption
Posted: 26 Apr 2015, 21:57
by moccha
I agree with all of your points, Lapo. I don't see a huge importance in encrypting the connection as it currently stands. You might make it hard to hijack data, but the user might then target the game source itself and perform a type of cheating with it instead. As long as you check data carefully server-side, connection encryption is less important.
Re: Connection encryption
Posted: 20 May 2015, 15:41
by Lapo
Connection encryption is available in the latest SFS2X 2.10.0, released today:
http://www.smartfoxserver.com/download/sfs2x#p=updates
cheers