New server - Page 3

el_matarife
Posts: 933
Joined: 27 Feb 2006, 02:04

Re: New server

Post by el_matarife »

Transmitting the passwords over TLS would be nice too, including for all the Spring websites.
el_matarife
Posts: 933
Joined: 27 Feb 2006, 02:04

Re: New server

Post by el_matarife »

I don't know how my last post a few minutes ago didn't show up, but I was saying that TLS should be used for login on the lobby and all the Spring websites too.
tizbac
Posts: 136
Joined: 19 Jun 2008, 14:05

Re: New server

Post by tizbac »

Implementing ssl sockets on server will be easy, but what is difficult is implementing support on lobby especially tasclient that uses an old very outdated programming language with almost no support
aegis
Posts: 2456
Joined: 11 Jul 2007, 17:47

Re: New server

Post by aegis »

possibly could implement using python scripting, I think all commands are passed through python... though it'd probably... wait, satirik might've implemented my api request for faking a server connection, which would allow all of the socket code to be written in python...

edit:
api.txt wrote: - HandleProtocol(data)

- PerformConnected
- PerformDisconnected
if these are implemented properly, you can call PerformConnected() / PerformDisconnected() from scripts to make the lobby think it is connected and use HandleProtocol(data) to pass the incoming data from the python socket...

my original plans for those calls were a serverless LAN protocol, but they could also be used to implement SSL sockets ^_^
Satirik
Lobby Developer
Posts: 1688
Joined: 16 Mar 2007, 18:27

Re: New server

Post by Satirik »

tizbac wrote:Implementing ssl sockets on server will be easy, but what is difficult is implementing support on lobby especially tasclient that uses an old very outdated programming language with almost no support
do you have any idea what you're talking about ?
aegis
Posts: 2456
Joined: 11 Jul 2007, 17:47

Re: New server

Post by aegis »

if my idea is right, it'd actually be harder to implement in springlobby ;)
tizbac
Posts: 136
Joined: 19 Jun 2008, 14:05

Re: New server

Post by tizbac »

Delphi is no longer used in new projects, all ssl implementations for delphi that i've found are commercial, only way is using openssl directly maybe.

aegis: you mean adding a python server on embedded python?
Satirik
Lobby Developer
Posts: 1688
Joined: 16 Mar 2007, 18:27

Re: New server

Post by Satirik »

tizbac wrote:Delphi is no longer used in new projects, all ssl implementations for delphi that i've found are commercial, only way is using openssl directly maybe.

aegis: you mean adding a python server on embedded python?
send codegear an email asap then because they're releasing delphi 2010, and the socket component tasclient uses supports SSL, you'd better learn to google
tizbac
Posts: 136
Joined: 19 Jun 2008, 14:05

Re: New server

Post by tizbac »

What says if a programming language is dead or not is its usage in school, if it is no longer taught, new programmers won't use it.
M$ visual basic also if it sucks, it's still used on school so it isn't dead (it is going to be anyway in short time).
I'm happy for you if you don't have to use openssl directly, but delphi is almost dead atm.
I've seen only 2 programs made with it, one is tasclient and another is dev c++ (which is stalling)
Neddie
Community Lead
Posts: 9406
Joined: 10 Apr 2006, 05:05

Re: New server

Post by Neddie »

I believe what defines whether a language is living or dead is whether it is used in a reasonable number of situations given a set time frame. That said, I can't see a reason to use Delphi for anything.
aegis
Posts: 2456
Joined: 11 Jul 2007, 17:47

Re: New server

Post by aegis »

tizbac wrote:you mean adding a python server on embedded python?
not a server, just a client socket supporting ssl and passing the data to/from tasclient.

unless you're talking about my "original purpose" comment, then:
it wouldn't be a server, it'd probably be a serverless multicast protocol
Satirik
Lobby Developer
Posts: 1688
Joined: 16 Mar 2007, 18:27

Re: New server

Post by Satirik »

tizbac wrote:What says if a programming language is dead or not is its usage in school, if it is no longer taught, new programmers won't use it.
M$ visual basic also if it sucks, it's still used on school so it isn't dead (it is going to be anyway in short time).
I'm happy for you if you don't have to use openssl directly, but delphi is almost dead atm.
I've seen only 2 programs made with it, one is tasclient and another is dev c++ (which is stalling)
i guess you know what is and what is not taught in every school in the world ... and i guess they're releasing a new version because it's fun, i'm pretty sure they don't expect to sell it ...

you want one more ? total commander ? one more ? phpedit ? one more ? skype ?
neddiedrow wrote:I believe what defines whether a language is living or dead is whether it is used in a reasonable number of situations given a set time frame. That said, I can't see a reason to use Delphi for anything.
you can't see a lot of things doesn't mean they don't exist
Last edited by Satirik on 25 Nov 2009, 15:05, edited 1 time in total.
tizbac
Posts: 136
Joined: 19 Jun 2008, 14:05

Re: New server

Post by tizbac »

maybe it's good idea using separate port for ssl connections anyway, so clients without encryption will still work
AF
AI Developer
Posts: 20687
Joined: 14 Sep 2004, 11:32

Re: New server

Post by AF »

We can always use a proxy to provide ssl if the actual client doesn't support it natively, but satirik says he can do it therefore we needn't discuss that, the subject's taken care of.

What command would we suggest for a password change command sent from the server to the client?

Also who would define the hash salts and where would it be saved outside of source?
SirMaverick
Posts: 834
Joined: 19 May 2009, 21:10

Re: New server

Post by SirMaverick »

AF wrote:Also who would define the hash salts and where would it be saved outside of source?
The security is achieved by using hash functions.

If you want that the server does not save the exact bytes that came in you just run any good hash function over the data.
AF
AI Developer
Posts: 20687
Joined: 14 Sep 2004, 11:32

Re: New server

Post by AF »

Salting improves security. Simply rehashing again doesn't make it any more secure if you know what hash algorithm is used (and since we're opensourced...)
  • Take dictionary file of MD5 hashes and their passwords
  • Hash the MD5 hash using the next step and compare
It's a minor obstacle at best. Salting however would increase the cost of figuring it out massively.
Tobi
Spring Developer
Posts: 4598
Joined: 01 Jun 2005, 11:36

Re: New server

Post by Tobi »

AF wrote:Also who would define the hash salts and where would it be saved outside of source?
Why does it matter who defines them?

Why can't they be in the source?

The trick with salting is to make it impossible to use a single lookup table to link all hashes in a database to a password. So you use as salt some data of the account that is constant, but differs for each account (the registration date, the account ID, the registration IP, or maybe even a string randomly generated when registering and stored in the account, ...)

This way an attacker who has the accounts database would have to generate a new lookup table for every account, instead of being able to reuse the same table for all accounts. This multiplies the time necessary to find passwords matching the hashes by the number of accounts.

Hence it's a wasted effort to save salts in a hidden location - there's no way to make this location better hidden/protected than the accounts themselves, because the software which uses the database would always remain a single point of failure, as it NEEDS to read both the database and the salt.
aegis
Posts: 2456
Joined: 11 Jul 2007, 17:47

Re: New server

Post by aegis »

you can also salt with 14 chars, making it impossible to do lookups in most already-existing rainbow tables.
Licho
Zero-K Developer
Posts: 3803
Joined: 19 May 2006, 19:13

Re: New server

Post by Licho »

Today server has suffered some HW failure.
To fix it, disks were probably moved to new machine, but ubuntu failed to boot after network card MAC addresses changed. That's why it took so long to fix it.
lurker
Posts: 3842
Joined: 08 Jan 2007, 06:13

Re: New server

Post by lurker »

There's no way to block a simple dictionary attack, short of using a very CPU-intensive algorithm.
If you want to stop rainbow table use for finding more normal passwords, hashing with a salt, even a known salt, is plenty. And as far as I know rehashing without a salt could be enough, any response from people that know more?
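
The per-account salting Tobi describes and the CPU-intensive hashing lurker mentions, as an added example that is not part of the thread or of the lobby server's code. It uses PBKDF2 from Python's standard library as the slow hash; the account names, passwords, word list, iteration count and helper names are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example; tune for your hardware


def slow_hash(password, salt):
    """CPU-intensive salted hash (PBKDF2-HMAC-SHA256 from the standard library)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(db, name, password, salt=None):
    """Store salt and hash together; the salt is random per account unless forced."""
    salt = os.urandom(16) if salt is None else salt
    db[name] = {"salt": salt, "hash": slow_hash(password, salt)}


def verify(db, name, password):
    """Recompute with the account's own salt and compare in constant time."""
    rec = db[name]
    return hmac.compare_digest(slow_hash(password, rec["salt"]), rec["hash"])


def exposed_by_one_table(db, table_salt, wordlist):
    """Accounts whose hash appears in a single table precomputed for table_salt."""
    table = {slow_hash(word, table_salt) for word in wordlist}
    return sorted(name for name, rec in db.items() if rec["hash"] in table)


# Constructed sample data: two accounts share a password.
ACCOUNTS = {"alice": "hunter2", "bob": "hunter2", "carol": "x9!Lr0-quartz"}
WORDLIST = ["letmein", "hunter2"]
GLOBAL_SALT = b"salt-from-source"  # one salt for everyone, e.g. a constant in the code

global_db, per_account_db = {}, {}
for name, password in ACCOUNTS.items():
    register(global_db, name, password, salt=GLOBAL_SALT)
    register(per_account_db, name, password)  # fresh random salt for each account

if __name__ == "__main__":
    # One table covers every account when the salt is shared ...
    print(exposed_by_one_table(global_db, GLOBAL_SALT, WORDLIST))
    # ... but a table built for alice's salt says nothing about bob.
    print(exposed_by_one_table(per_account_db, per_account_db["alice"]["salt"], WORDLIST))
    print(verify(per_account_db, "bob", "hunter2"))
```

With a shared salt, identical passwords still produce identical stored hashes; with per-account salts the table has to be rebuilt for each account, and the iteration count sets the cost of each rebuild.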