
True Authentication for Users

Open m88youngling opened this issue 3 years ago • 6 comments

It was described to me that there is no way to verify the authenticity of a login ticket.

I don't know about you but that uhh...sounds bad.

Some ideas I've heard on Discord,

  • PSN users can add a code to their profile About Me that can be used to verify themselves.
  • RPCN users can add a specific user.
  • In-game CAPTCHA implemented through photos or within a level.
  • 'Codex' method in game. Level generates a code, Lighthouse website lets you punch the code in. If it requires the client console to post to the server directly instead of from the website, use logic to punch another code back in on the PS3 that sends an encrypted score number and ends the level. Score is posted to the server and the server determines if it passes the security challenge.

Another note: methods should not be machine readable. Direct over HTTP information can be read by bots.

Any other ideas?

  • Ask RPCN devs to provide additional API support for RPCN (suggested by @TorutheRedFox )

m88youngling avatar Sep 25 '22 19:09 m88youngling
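
The profile-code idea from the list above, as an added example that is not Project Lighthouse code: the server issues a short-lived, single-use code bound to one platform and username, then looks for it in profile text that the server fetched itself. The class name, the `LH-` code format, the 10-minute lifetime and the ability to fetch a profile's About Me text are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600  # assumption: a challenge stays valid for 10 minutes
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"  # no look-alike characters


class ProfileCodeChallenge:
    """Issues one-time codes a user must place in their PSN or RPCN profile."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # (platform, username) -> (sha256 of code, expiry)

    def issue(self, platform, username):
        code = "LH-" + "".join(secrets.choice(ALPHABET) for _ in range(10))
        digest = hashlib.sha256(code.encode()).digest()
        expiry = self._clock() + CODE_TTL_SECONDS
        # Keyed by platform as well: the same name on PSN and RPCN is two identities.
        self._pending[(platform, username)] = (digest, expiry)
        return code  # shown once to the user; only its hash is kept

    def verify(self, platform, username, profile_text):
        """profile_text must be fetched by the server, never sent by the client."""
        key = (platform, username)
        entry = self._pending.get(key)
        if entry is None:
            return False
        digest, expiry = entry
        if self._clock() > expiry:
            del self._pending[key]  # expired challenges cannot be retried
            return False
        ok = False
        for token in profile_text.split():
            candidate = hashlib.sha256(token.encode()).digest()
            ok |= hmac.compare_digest(candidate, digest)
        if ok:
            del self._pending[key]  # single use: a copied code cannot be replayed
        return ok


if __name__ == "__main__":
    challenge = ProfileCodeChallenge()
    code = challenge.issue("rpcn", "constructed_user")  # constructed sample user
    print(challenge.verify("rpcn", "constructed_user", "my profile " + code))
```
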

first

Ezoiar avatar Sep 25 '22 21:09 Ezoiar

maybe working with rpcn developers to create an api for validating the tickets against a specific rpcn instance for rpcs3

TorutheRedFox avatar Sep 26 '22 16:09 TorutheRedFox

> maybe working with rpcn developers to create an api for validating the tickets against a specific rpcn instance for rpcs3

A viable option I'll add to the list, although I find it unlikely that RPCN devs will do that. I'd rather not rely on them if we can help it, but you are correct that is something we should consider

m88youngling avatar Sep 26 '22 17:09 m88youngling

it'll in general help with many servers because a lot of games rely on the server knowing who your friends are to be able to send multiplayer invites

TorutheRedFox avatar Sep 28 '22 17:09 TorutheRedFox

You're already editing the eboot, so why edit the login URL as /login?device_setup_password=blahblahblah. Sony already does with PSN accounts on the latest PS3 update.

ghost avatar Oct 21 '22 23:10 ghost

You would be leaking your login information over HTTP. Even if the server was HTTPS the value in the url is still plaintext.

Slendy avatar Oct 21 '22 23:10 Slendy

> You would be leaking your login information over HTTP. Even if the server was HTTPS the value in the url is still plaintext.

HTTPS encrypts URIs though? but yeah using HTTP can leak it

TorutheRedFox avatar Oct 31 '22 11:10 TorutheRedFox

> > You would be leaking your login information over HTTP. Even if the server was HTTPS the value in the url is still plaintext.
>
> HTTPS encrypts URIs though? but yeah using HTTP can leak it

Yeah ur right about https, not a good idea regardless though.

Slendy avatar Oct 31 '22 15:10 Slendy

Operation Mimic's completion closes this issue.

m88youngling avatar Nov 28 '22 15:11 m88youngling