[MUD-Dev] secured mud connections

William Leader leader at k2wrpg.org
Tue Mar 15 16:17:58 CET 2005 

Ammon Lauritzen wrote:

> I doubt I need to preach the virtues of such things to this crowd,
> but am curious if anyone else is concerned. Nobody with half a
> brain uses vanilla telnet for their remote logins any more, and
> any good webmail site uses https, why should muds be any
> different?

Ammon,

When I was first building the network code for my system, I had
seriously considered using some sort of secure sockets for it, but I
eventually decided against it. If anyone were to look at the code
now, they would see that there still is an empty block of code where
it could be implemented if anyone ever cared enough. Any way here
are my reasons.

At the time there weren't any good libraries that were free. I
couldn't justify paying a few hundred dollars for what is
essentially my hobby. This has probably changed now that things like
OpenSSL and STunnel are available for Windows (which is my
development platform). There were a handful of free options like
using the crypto API of windows and still weren't really secure.

The other problem I was facing was overhead. Encryption and Ciphers
can be CPU hogs. On the client end this wasn't going to be a
problem, but several hundred secure connections on the server end
would be a problem. The only reasonable compromise that might have
worked would have been to encrypt the login information and left the
rest of the packets unencrypted. This too has probably changed as
this was a few years ago when I last looked at it.  Faster hardware
and more efficient implementations probably make this negligible
today but back then it was a concern.

When I did go implement secure logins, I had so much trouble getting
it to work that I finally gave up. Admittedly I was probably a
pretty crappy programmer back then. My rationalization for giving up
was it is only a game. If I were running a bank or providing some
personal communication service like email then it would be a much
bigger priority. What's the worst thing that could happen? Someone's
account might get hijacked and they loose their +1 Vorpal Blade of
Leetness? I suppose from a commercial offerings point of view
preventing this sort of thing is important to reduce customer
service costs.

In the end I left empty code blocks in place to implement it later
if it became important, but as long as what I was doing was
available for free, and was done as a hobby I just couldn't justify
it when there were so many other interesting things to work on like
NPC mechanics.

-Will
_______________________________________________
MUD-Dev mailing list
MUD-Dev at kanga.nu
https://kanga.nu/lists/listinfo/mud-dev

More information about the mud-dev-archive mailing list