Security update @ 0.10.1d

[cl0wned]

thoughts on new patch?

[pushedx]

Yes, the saved password implementation was seriously flawed. I wrote to them during early CBT days, but they misunderstood my point. I didn't bother trying to fight them on it. I'm glad they decided to address it finally, but it was something that should have been done a lot sooner.

However, I've not reversed their current implementation to see if they did it correctly or not.

How I think it should have been done is as follows::
1. Client sends password to be saved to server
2. Server creates pub/priv key for the IP and associates a special token for verification
3. Server sends encrypted password hash (public key signed) to client only (not either key) which simply saves it to config file.
4. When client logs in again, it simply sends the saved password hash (no processing).
5. The server uses the priv key of the IP to decrypt the hash and checks against the stored token. If it matches, it's a valid password hash to be used. If it doesn't, decline using the password hash.

The reason this would work is because the client never has either the public/private key used to encrypt/decrypt the password hash. If someone steals it or tampers with it, the server's decryption process would fail if the IP was different, and the password hash would be ignored. This is one way to help guard against password hash reply attacks, which was something you could easily do before encryption was added. After encryption was added, the same problem of someone being able to take your insecurely stored password hash was all too easy. Even though it's your fault if someone is able to grab your password hash on your computer, I still felt the implementation was flawed from a security perspective, as they forced you to store your password if you did not clear it out each time yourself manually until Open Beta.

With my proposed method, there's still a weakness of someone being able to steal your account if they are on the same network as you, but from a security perspective, you are screwed regardless if you are saving files on your PC that someone on the network can arbitrarily take.

[melvone]

Damn i must re write my password ...

Thx for infos