Godot's networking security?

Godot Version

3.xx
4.xx

Question

How does Godot do its security? How does it make the connection from client to server secure? So far, it looks like it’s open. I want to make it secure so the connection cannot be read or hijacked. Because of passwords.

I am thinking right now, it might be possible to write my own PGP functions, using copy and paste. How could I get the key onto the client?

2 Likes

After reading about modern sniffing attacks I am not worried about it anymore. I only want to give the client a key used for passing the password to the server. I think I can just do it without worry.

It’s quite difficult to make the connection secure and fast. I guess you can argue that no connection is secure because it can be intercepted anyways. Unless you know quite a lot about cyber security it might not be feasible to achieve this just because of the various tools and techniques attackers have. It might instead be more effective to implement redundancy such as authentication systems to verify the user and prevent data loss/hijacking. Although if you want to learn networking security, don’t let me stop you.

2 Likes

I would worry.

What I was thinking about, was just encrypting the password and username. As soon as the client connects, the server sends a key for this.

1 Like

I am thinking that any client connected to the server can sniff all packets? Is that true? Would the server send to the MAC address only? rpc_id

There are settings to have everyone talk to each other. This could be server_relay. But if you don’t use rpc_id(0) then yes, only peers receiving packets will see them.
But in general packets only go between peer and server.

But sniffing can happen anywhere on the network, especially public networks.

I thought about this new idea. If I can give the client a key to use, then after each time the password and username are used, the server would make a new key, encrypt it and send to client. The client would always have a new key when sending the username and password.
Only problem is, giving the client the first key.

So maybe I can use godot engine’s HTTPS to get the first key? Or just use webbrowser.

After learning some more about SSL and HTTPS keys and certificates, what they are telling me is I can self-sign certificates and make private keys.

But what I don’t understand is, if the client has a public key, anything created with that public key can be reversed by anyone. I don’t understand how it’s supposed to keep it from getting decrypted.

I know the server has a hidden private key plus the public key, and this used together opens the information. At least this is what it’s supposed to do. But how does it stop them from decrypting the packet when they have the public key? I don’t understand how it could do that.

Anyway, it doesn’t make sense, but I guess it’s working because it has the illusion of it.
So Godot, using an external link, explained how to make a public key and private key. But where do I get the certificate for those keys?
According to Godot’s documentation, when you give it a key, it must have a certificate too.

I was able to finally learn what was missing. The information for this was fragmented all over the internet.

I now have both the private key and public key. The crt file is really just the public key. But I still don’t understand how this could possibly work.

The crt is not a public key. Somehow you’re supposed to add your public key to the crt. But I don’t know where to get the crt or how to add it.

I made the private key with the openssl command. Then, using the openssl command, I made the public key.

After this I used the Crypto class in Godot GDScript to create the self-signed X.509 certificate using the private key.

It finally worked. Now the problem I have is I don’t know if it’s really keeping it safe or not.

Godot does not seem to have a function for creating the public key. openssl is needed for that.
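
Added example, not part of any post in this thread: a GDScript sketch of the key, public key and certificate steps discussed above, using Godot's `Crypto`, `CryptoKey` and `X509Certificate` classes. It assumes Godot 4.x; the subject name, sample password and script name are constructed for illustration.

```gdscript
# Added example (assumes Godot 4.x).
# Run with: godot --headless --script keypair_demo.gd  (script name is hypothetical)
extends SceneTree

func _init() -> void:
	var crypto := Crypto.new()

	# Server side: the private key. Generated once, never shipped to clients.
	var private_key: CryptoKey = crypto.generate_rsa(2048)

	# Self-signed X.509 certificate: the public key plus a subject name and a
	# validity period, signed with the private key. Subject is constructed.
	var cert: X509Certificate = crypto.generate_self_signed_certificate(
		private_key, "CN=game.example.test,O=Example,C=US")

	# Export only the public half (public_only = true) and reload it the way
	# a client would. The client never sees the private half.
	var public_pem: String = private_key.save_to_string(true)
	var public_key := CryptoKey.new()
	var err := public_key.load_from_string(public_pem, true)
	assert(err == OK)

	# Client side: encrypt with the public key.
	var secret: PackedByteArray = "constructed-sample-password".to_utf8_buffer()
	var ciphertext: PackedByteArray = crypto.encrypt(public_key, secret)

	# Decryption needs the private key. With a public-only key Godot logs an
	# error and returns an empty array, so the comparison below is false.
	var with_public: PackedByteArray = crypto.decrypt(public_key, ciphertext)
	var with_private: PackedByteArray = crypto.decrypt(private_key, ciphertext)

	print("certificate PEM header: ", cert.save_to_string().left(27))
	print("public key PEM header:  ", public_pem.left(26))
	print("decrypt with public key recovers secret:  ", with_public == secret)
	print("decrypt with private key recovers secret: ", with_private == secret)
	quit()
```

The two PEM headers differ because the certificate wraps the public key together with identity and signature data, rather than being the public key itself.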