The Underscore Archives

Thanks Guys,

Great tips.

Have added encryption to the score in the AS - descrypting in the PHP.
Also added the timestamp as per your suggestion below Oliver - thanks.

So someone would have to go to the effort of disassembling the SWF to find
the challenge phrase etc...far from difficult but you'd have to really want
to.

There's no major prizes - a small corporate giveaway... just have to be seen
to be trying to limit abuse.

Thanks,

Steve

On Mon, Dec 14, 2009 at 10:26 AM, Oliver Humpage <oliver at watershed.co.uk>wrote:

>
> On 14 Dec 2009, at 10:15, Spandex wrote:
>
> >> It's also worth encrypting the data you send - even though someone
> >> can
> >> get at your encryption key by decompiling the flash app, it'll put
> >> off
> >> the casual cheater.
> >
> > A very lightweight way to do this is to MD5 the score together with
> > some pre-arranged string the server and client agree on. Then send the
> > score plaintext along with the MD5 as "proof".
>
> As a general rule of thumb, include a timestamp in the checksum (and
> don't accept scores at the server end more than a couple of minutes
> old), otherwise you leave yourself open to replay attacks.
>
> Oliver.
>
>
> --
> underscore_ list info/archive ->
> http://www.under-score.org.uk/mailman/listinfo/underscore
>