“浏览器游戏的未来”有多安全? [英] How safe is "the future of browser gaming"?
问题描述
让我举个例子:想象一下这个平台当你赢得比赛时,你获得徽章的比赛,例如,非常难的水平。当您实际赢得此徽章时,会向服务器发出请求,以便更新您的在线个人资料。对于黑客来说,发送这个请求并获得徽章并不是非常简单,而不需要玩真正的游戏?因为:
我没有看到防止黑客获得徽章的方法...是有什么方法可以让这个游戏安全吗?
是的,如果你设计了这样的游戏,那将很容易黑客攻击。但为什么这个特定于HTML5?你可以用任何类型的游戏来做到这一点。即使使用本地桌面游戏,您仍然可以伪造该请求。唯一的区别是伪造HTTP请求比桌面游戏的逆向工程请求更容易。
解决方案是添加某种验证到胜利 - 实际的算法会因游戏而异。也许有服务器跟踪游戏的进度,而用户正在玩。例如,如果它是一盘国际象棋游戏,则可以将所有动作发送到服务器,并确认动作是否正确。不过,即使是实时游戏,这也会变得更加复杂。
但是无论您决定使用哪种算法,它都会被击败。即使是我刚才提到的国际象棋验证也可以被绕过:您可以创建自己的有效国际象棋游戏,每次只向服务器发送相同的动作,以确保游戏的有效性。 (这是假设玩家反对电脑 - 让两个人相互对抗会让事情变得更容易。)
HTML5 will be widely adopted as a way to design games, is the prediction. But I have my questions about this: how can an online HTML5 game ever be secure?
Let me give you an example: imagine this platform game where you gain badges when you win, for example, an extremely hard level. When you have actually won this badge, a request is made to the server, in order to update your online profile. Isn't it extremely simple for a hacker to just send this request and gain the badge, without playing the actual game? Because:
- The client-side source code is visible and impossible to hide
- It is possible to execute Javascript from the command-line
I don't see a way to prevent this hacker from gaining his badge... Is there any way to make this game safe?
Yes, if you designed your game like that, it would be very easy to hack. But why is this specific to HTML5? You could do that with any type of game that was written like that. Even with a native desktop game you could still fake the request. The only difference is that faking HTTP requests is easier than reverse-engineering requests made by a desktop game.
The solution would be to add some kind of "validation" to the victory--the actual algorithm would vary from game to game. Maybe have the server track the game's progress while the user is playing. If it were a game of chess, for example, you could send every move to the server and have the moves validated to make sure they work out correctly. This gets more complicated with real-time games, though.
But whatever algorithm you decide to use, it will be defeated. Even the chess validation that I just mentioned could be bypassed: you could just "create" your own valid game of chess and just send the same moves to the server every time, ensuring that the game was valid. (This is assuming that the player is against a computer--having two humans play against each other would make things easier.)
这篇关于“浏览器游戏的未来”有多安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
