Re: New Patch 1.6.1 for our MMORPG Ryzom
In my opinion, there is only one solution to the security holes:
ryzom.com must offer services to external applications, with a transaction service for the authentication of the user, so only official ryzom will receive the sensitive data and just give the external application the required authorization to access its service.
Everything MUST be hosted in a secure server environment, similar to secure.ryzom.com (which cannot be directly used for this, so ryzom needs a new server or must change atys.ryzom.com into a secure server, installing a new certificate).
Personally I'm just using the banner service, but I will not use anything else in this insecure environment.
Actually, the problem is not losing the API key or having it hacked, because I don't care at all about people spying on my characters, but I will surely NEVER enter my account password outside ryzom.com AND without any security encryption.
Be aware that, while a good game (and ryzom is one) can be recovered with wise development, a bad reputation related to security and sensitive user data will be very hard to recover from, so, please, be wise and think a bit more before opening the game to people outside the owning organization.
That said, I like the idea of the API; I just didn't like the actual approach.
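The delegated-authorization scheme the post proposes (the official site authenticates the user, and the external application receives only a scoped authorization, never the password), as an added Python example that is not part of the original post or of Ryzom's code. All names here (GameServer, ExternalApp, issue_grant, the "banner" and "inventory" scopes) are hypothetical; the grant is an HMAC-signed, time-limited token, and the PBKDF2 password check and the scope model are assumptions about how such a transaction service might be built.

```python
"""Delegated authorization sketch (hypothetical, not Ryzom's code): the game
server is the only party that ever sees a password; an external application
only ever holds a signed, scoped, expiring grant."""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional


class GameServer:
    """Stands in for the official site plus its 'transaction service'."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key            # never leaves this server
        self._users = {}                   # user -> (salt, pbkdf2 hash)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, self._kdf(password, salt))

    @staticmethod
    def _kdf(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def issue_grant(self, user: str, password: str, client_id: str,
                    scopes: list, ttl: int = 600, now=None) -> Optional[str]:
        """The user logs in HERE (over TLS); the external app gets only the grant."""
        rec = self._users.get(user)
        if rec is None:
            return None
        salt, stored = rec
        if not hmac.compare_digest(stored, self._kdf(password, salt)):
            return None
        now = int(time.time() if now is None else now)
        payload = {"sub": user, "client": client_id,
                   "scopes": sorted(scopes), "exp": now + ttl}
        body = base64.urlsafe_b64encode(
            json.dumps(payload, sort_keys=True).encode()).decode()
        return body + "." + self._sign(body)

    def _sign(self, body: str) -> str:
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def _verify(self, grant: str, now=None) -> Optional[dict]:
        """Reject tampered, forged or expired grants before any scope check."""
        try:
            body, sig = grant.split(".", 1)
        except ValueError:
            return None
        if not hmac.compare_digest(sig, self._sign(body)):
            return None
        payload = json.loads(base64.urlsafe_b64decode(body))
        now = int(time.time() if now is None else now)
        if payload["exp"] <= now:
            return None
        return payload

    # Two services behind the API, each gated by its own scope.
    def banner(self, grant: str, now=None) -> Optional[str]:
        p = self._verify(grant, now)
        if p is None or "banner" not in p["scopes"]:
            return None
        return "<banner for %s>" % p["sub"]

    def inventory(self, grant: str, now=None) -> Optional[list]:
        p = self._verify(grant, now)
        if p is None or "inventory" not in p["scopes"]:
            return None
        return ["sample item"]           # constructed placeholder data


class ExternalApp:
    """A third-party site: stores the grant, never the account password."""

    def __init__(self, client_id: str, server: GameServer):
        self.client_id = client_id
        self.server = server
        self.grant = None

    def receive_grant(self, grant: str) -> None:
        self.grant = grant

    def render_banner(self, now=None) -> Optional[str]:
        return self.server.banner(self.grant, now)


def demo(now: int = 1000) -> dict:
    """Constructed walk-through: banner scope works, inventory is refused,
    a forged scope fails the signature check, and the grant expires."""
    srv = GameServer(os.urandom(32))
    srv.register("alice", "correct horse battery staple")
    app = ExternalApp("fansite", srv)
    grant = srv.issue_grant("alice", "correct horse battery staple",
                            app.client_id, ["banner"], now=now)
    app.receive_grant(grant)
    body, sig = grant.split(".", 1)
    forged_body = base64.urlsafe_b64encode(json.dumps(
        {"sub": "alice", "client": "fansite", "scopes": ["banner", "inventory"],
         "exp": now + 600}, sort_keys=True).encode()).decode()
    return {
        "banner_ok": app.render_banner(now=now + 1) == "<banner for alice>",
        "inventory_denied": srv.inventory(grant, now=now + 1) is None,
        "forged_scope_denied": srv.inventory(forged_body + "." + sig, now=now + 1) is None,
        "expired_denied": app.render_banner(now=now + 601) is None,
    }
```

A grant like this is a bearer credential, so it is only as safe as the channel it travels over; the post's demand for a TLS-only host applies to the grant exchange as much as to the login form.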