
[Q&A] HTTP(s) Transport encryption & database hashing

Open ghost opened this issue 4 years ago • 8 comments

Hello, I run a Minecraft server and SkinSystem really helped me out for my players to not have basic Steve/Alex skins. However, I had to remove it because I wouldn't want my players' passwords to be transferred as plaintext (we can't use HTTPS). So yeah, that's the question. Does SkinSystem hash/encrypt/encode these passwords before they get sent to the server? Thanks.

ghost avatar Apr 13 '20 08:04 ghost

SkinSystem uses AuthMe for authentication.

riflowth avatar Apr 13 '20 10:04 riflowth

I mean, I'm asking if the password is transferred in a secure way between the client and the server.

ghost avatar Apr 13 '20 10:04 ghost

@gogorz https://github.com/riflowth/SkinSystem/blob/master/resources/server/authenCore.php

riflowth avatar Apr 13 '20 10:04 riflowth

If I'm right, the password gets hashed on the client's computer and then sent to the server?

ghost avatar Apr 13 '20 11:04 ghost

No, client -> password (plain) -> server (encrypts the password to compare against the AuthMe database). Note: you can modify the SkinSystem source code however you want.

riflowth avatar Apr 13 '20 11:04 riflowth

I wouldn't want my players' passwords to be transferred as plaintext (we can't use HTTPS).

I'm sorry, what's your reason not to use TLS? We're basically in the time of click-to-go TLS, you have Cloudflare for free TLS, Let's Encrypt... You really can't have an excuse for not supporting https!

I'd be glad to help you out, I just need to know the reason why you're so sure you can't support it.

aljaxus avatar Apr 13 '20 11:04 aljaxus

@aljaxus I can't use TLS because we use ZeroTier (think of it as Hamachi) with DuckDNS and none of these services support it. I could add self-signed certs but that would make browsers show warnings like Nooooo don't go there they have a self-signed cert they are hack0rs!!11

ghost avatar Apr 13 '20 12:04 ghost

We shouldn't be implementing our own encryption, as we most likely aren't experts in cryptography and will introduce vulnerabilities in such an implementation; we recommend you use an https secure tunnel configuration for your webserver if you want transport encryption. After it gets to the server, it is hashed immediately and compared against its username:passwordhash database.

Another good question you should be asking: "does Minecraft encrypt my chat when I do /login?". Either way, end users should be using unique passwords on a per-service basis. I personally use https://ss64.com/pass/

So: If you don't want your AuthMe passwords in cleartext enable TLS for your SkinSystem's server, AND have your Minecraft server only accessible behind an encrypted VPN tunnel such as OpenVPN or an SSH TCP tunnel.

With the MITM discussion out of the way, there's the topic of attackers bruteforcing (bulk-guessing) passwords on your (publicly accessible) SkinSystem instance. By default, SkinSystem blocks IPv4 addresses and IPv6 /64 ranges *regex if they get 3 logins wrong within 24 hours (by using file placeholders and their modification times). Then, if an attacker is bruteforcing a specific username using multiple IP addresses, the login is blocked by the username instead of the IP. *code

ITZVGcGPmO avatar Apr 13 '20 16:04 ITZVGcGPmO
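As an added illustration of the file-placeholder lockout described in the last comment (this is example code written for this page, not SkinSystem's own PHP), the throttle below keys failures by IPv4 address or IPv6 /64 prefix and falls back to blocking the username when the guesses are spread across addresses. The 3-failure / 24-hour thresholds, the state directory, the file-naming scheme and the injectable clock are assumptions made for the example.

```python
import ipaddress
import os
import time
import uuid
from pathlib import Path

MAX_FAILURES = 3            # assumed: lock after the 3rd bad login
WINDOW_SECONDS = 24 * 3600  # assumed: counted within a 24-hour window


def client_key(ip: str) -> str:
    """Key for the client: the IPv4 address itself, or the IPv6 /64 prefix."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        return str(ipaddress.ip_network(f"{addr}/64", strict=False))
    return str(addr)


class FileLockout:
    """One placeholder file per failed login; its mtime records when it happened."""

    def __init__(self, state_dir, now=time.time):
        self.dir = Path(state_dir)
        self.dir.mkdir(parents=True, exist_ok=True)
        self.now = now  # injectable clock (assumption) so the window is testable

    @staticmethod
    def _prefix(key: str) -> str:
        # hex-encode the key so addresses/usernames never yield glob metacharacters
        return key.encode().hex()

    def _recent_failures(self, key: str) -> int:
        cutoff = self.now() - WINDOW_SECONDS
        fresh = 0
        for f in self.dir.glob(self._prefix(key) + ".*"):
            if f.stat().st_mtime >= cutoff:
                fresh += 1
            else:
                f.unlink()  # expired placeholder: drop it
        return fresh

    def record_failure(self, ip: str, username: str) -> None:
        """Count the failure against both the client key and the username."""
        for key in ("ip:" + client_key(ip), "user:" + username):
            path = self.dir / f"{self._prefix(key)}.{uuid.uuid4().hex}"
            path.touch()
            os.utime(path, (self.now(), self.now()))

    def is_blocked(self, ip: str, username: str) -> bool:
        """Blocked when either the client or the username hit the limit."""
        return (self._recent_failures("ip:" + client_key(ip)) >= MAX_FAILURES
                or self._recent_failures("user:" + username) >= MAX_FAILURES)
```

Call `is_blocked` before checking the password and `record_failure` after a mismatch; the expiry cleanup happens lazily on lookup.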