[SEC] AuthMC - Global Authentication

Discussion in 'Inactive/Unsupported Plugins' started by XENGS, Jun 23, 2012.

Thread Status:
Not open for further replies.
  1. Coelho

    What if we don't run AuthMC and just run our own rogue version of it? You have no sense.
     
  2. Let me list some flaws with this:

    • If this gets popular, expect to be investing thousands in DDOS protection
    • No HTTPS
    • You are supporting offline servers, killing Mojang's profits.
     
  3. ZachBora

    • If he's simply using GET, we can easily just run a force break by sending multiple requests.
     
  4. Ne0nx3r0

    Out of curiosity, what anti-bot protections are in place?

    I guess I'm thinking it would be difficult to get rid of griefers/etc once this becomes popular if they register a nice stash of accounts and use proxies (which is essentially what they do now with actual MC, where accounts are paid for).

    Also, as lmc said you're treading on very, very thin water with Mojang. Essentially you're taking them out of the equation, so no one would ever need to pay for MC. Just expect a battle there.
     
  5. XENGS


    - For number one, there will be no problem. I got everything covered for that "if" statement.
    - For number two, you *might* want to read our previous posts...
    - For number three... We may support offline servers, but we do not kill Mojang's profits. There are many more features players (including myself) want to get.

    It's very easy to delete bot accounts with my tools, and plus, when I get the site renewed, I will be integrating reCAPTCHA protection.

    About the battle part, we are not violating any of Mojang's terms; all we do is mention a trademarked name, which is explained to be owned by Mojang at the end of the page.
     
  6. ozzie45

    Sorry for being a derp, but right when you install the plugin and log in, will it ask you to register, or do you have to change that in the config, or does this plugin not support that?

    And if someone could help me out, I get this error in the console: http://pastebin.com/GRJK39PW

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: May 26, 2016
  7. XENGS

    Hello, thanks for using our plugin!
    You need to go to http://www.authmc.tk/ and register your account. Then do /login password.

    That bug has been reported a couple of times, it will be fixed with the next PRP3.2 version.
     
  8. kezz101

    PRP 3.2 will be out as soon as I get back from the beach. Just trying to soak up some of this rare British sun :)
     
  9. ZachBora

    It's rare? I had plenty when I had my trip to London, guess I was lucky
     
  10. XENGS

    Pay a visit to Crete, we get sun 365 days/year...
    Air Conditioning on all the time :p
     
  11. Deleted user

    We already have xAuth, and AuthDB. Why another plugin :confused:.
     
  12. kezz101

    Well, basically you won't need those plugins... And your players won't need to remember loads of passwords for loads of servers... Just one for every server with AuthMC :3

    EDIT: ShootToMaim plus you don't need any MySQL space because it's all online...

    It's the middle of summer and I have a cold. Everyone has a cold. Mind fuck.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: May 26, 2016
  13. How will you be funding DDOS protection? I'm very curious about this. (I'm not trying to be a d*ck to you or anything.)
     
  14. XENGS

    This is explained in the plugin description which I guess you didn't read, as well as the graphical presentation.

    Who said that?
     
  15. You said you had it covered for DDOS protection.
     
  16. XENGS

    Who said we will buy DDoS protection?
    We'll do something easier & free...
     
  17. Good luck finding free DDOS protection, it doesn't even exist. Expect to be paying around 500 USD to 2,000 USD per month for DDOS protection, it's nasty.
     
  18. XENGS

    Just found out the company I had in mind stopped offering free DDoS protection,
    but I found another one. We'll see.
     
  19. chaseoes

    So what happens if someone registers my username without me knowing? I wouldn't be able to log into any server running the plugin?
     
  20. kezz101

    Just open a ticket at the upcoming help desk. We are über quick at responding :) Premium Minecraft accounts will always get priority over cracked/free usernames. So just prove to us that you own the account and bam! You can have the account within minutes

    The plugin is open source :)

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: May 26, 2016
  21. ZachBora

    Code:
    @EventHandler
    public void onPlayerCommandPreprocess(PlayerCommandPreprocessEvent event) {

    This isn't good enough. The plugin I use that records events is set on LOWEST priority (meaning it's executed before LOW, NORMAL, HIGH, HIGHEST, MONITOR). You'll have to set the priority to LOWEST too.

    Code:
    @EventHandler(priority=EventPriority.LOWEST, ignoreCancelled=true)
    public void onPlayerCommandPreprocess(PlayerCommandPreprocessEvent event) {
     
  22. XENGS

    I don't know anything about Java, but I'm pretty sure it would need priority = Highest / Monitor...
     
  23. ZachBora

    That's not how priority works. They are executed in the order :
    LOWEST
    LOW
    NORMAL
    HIGH
    HIGHEST
    MONITOR

    This is because someone at HIGHEST could uncancel the event if they wanted or prevent it from being uncancelled by another plugin.

    An event of priority MONITOR cannot be changed and is used by loggers to verify the outcome of an event. It is used for example by BigBrother, HawkEye...

    http://forums.bukkit.org/threads/getting-your-priorities-straight-the-plugin-version.788/
     
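To make the priority discussion in the two ZachBora posts above concrete, here is an added example (not code from AuthMC or PRP) of a listener that claims /login at LOWEST priority, consumes the password and scrubs the event message before any listener at LOW, NORMAL, HIGH, HIGHEST or MONITOR runs. The package name, the AuthBackend interface and the demo credential are assumptions made for this example; as a plugin skeleton it still needs a plugin.yml to be loaded by CraftBukkit.

```java
// Added example, not AuthMC's or PRP's code.  Package name, the AuthBackend
// interface and the demo credential are assumptions made for this example.
package com.example.authdemo;

import org.bukkit.entity.Player;
import org.bukkit.event.EventHandler;
import org.bukkit.event.EventPriority;
import org.bukkit.event.Listener;
import org.bukkit.event.player.PlayerCommandPreprocessEvent;
import org.bukkit.plugin.java.JavaPlugin;

public final class LoginScrubberPlugin extends JavaPlugin implements Listener {

    /** Hypothetical credential check; a real plugin would talk to its own backend. */
    public interface AuthBackend {
        boolean check(String playerName, String password);
    }

    // Demo backend accepting one constructed credential; never hard-code credentials in real code.
    private final AuthBackend backend =
            (name, password) -> "alice".equals(name) && "correct horse".equals(password);

    @Override
    public void onEnable() {
        getServer().getPluginManager().registerEvents(this, this);
    }

    /**
     * LOWEST runs before LOW, NORMAL, HIGH, HIGHEST and MONITOR, so a command logger
     * registered at any later priority only ever sees the scrubbed message.
     * ignoreCancelled stays false: a /login that some other plugin already cancelled
     * still carries the password and must be scrubbed anyway.
     */
    @EventHandler(priority = EventPriority.LOWEST, ignoreCancelled = false)
    public void onPlayerCommandPreprocess(PlayerCommandPreprocessEvent event) {
        String original = event.getMessage();
        if (!isLoginCommand(original)) {
            return;
        }
        Player player = event.getPlayer();
        String password = passwordOf(original);

        // Consume the credential here, then stop the command from being dispatched
        // and replace the text so later handlers cannot read the password.
        event.setCancelled(true);
        event.setMessage("/login ********");

        if (backend.check(player.getName(), password)) {
            player.sendMessage("Logged in.");
        } else {
            player.sendMessage("Wrong password.");
        }
    }

    /** True for "/login" and "/login ..." (any case); false for e.g. "/loginfoo". */
    static boolean isLoginCommand(String message) {
        String lower = message.toLowerCase();
        return lower.equals("/login") || lower.startsWith("/login ");
    }

    /** Everything after "/login", trimmed; "" when no password was given. */
    static String passwordOf(String message) {
        return message.substring("/login".length()).trim();
    }
}
```

Two limits apply. Listeners at the same priority run in registration order, so another LOWEST listener registered earlier still sees the raw text. And the server's own packet handling had the message before Bukkit fired the event at all, which is the point azazad makes further down: scrubbing at LOWEST narrows what other plugins can log, and does nothing against a modified server jar.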
  24. XENGS

    Oh, I see. Thanks for the info :)
     
  25. kezz101

    That is code from PRP 3.2. The next update sorts this out.
     
  26. azazad

    XENGS kezz101

    Your concept at the moment is inherently very insecure. No auth system that allows possibly rogue servers to handle credentials valid on other servers can possibly be secure.

    How do other clients know what you chat, write on signs, or write in books? They are notified through the server. The server is the weak link here, as it handles all your actions, messages, and commands.

    Try as hard as you like to hide password-containing messages and commands from other plugins, but hackers will always be able to modify the server itself and overcome your protections.

    My suggestion is to make the authentication take place on a webpage, so you can use SSL and make all sensitive information go directly to your servers. If the password is correct, have a certificate-protected subdomain (to prevent spoofing) tell the server to let you in. This will solve the problem of rogue servers.

    I believe this system will take away some revenue from Mojang by encouraging cracked servers, but if you still want to make AuthMC, at least make it secure :D Otherwise, this plugin will be a danger to servers that have it and to Minecraft as a whole.

    After reading through the rest of this topic, I would like to retract all my previous hopes for this plugin. The authors of this plugin are dangerously overconfident in their plugin's security, and this plugin WILL be a danger to all servers that have it installed and the players who play on those servers.

    = Server owners and hackers are unable to obtain your information!
    Wrong, hackers would know how to read raw packets from clients. They could steal your password even before it reached CraftBukkit's event system.

    = Practical use of global plugins like McBans on offline mode servers.
    Wrong. With your account stolen due to the technicality above, you would be subject to undeserved bans.

    = No safety difference than online mode authentication.
    Wrong. Online mode authentication goes through Mojang's HTTPS servers directly. AuthMC authentication goes through untrusted, possibly rogue Bukkit servers before reaching the verification servers.

    = Eliminates griefers, even with no integrated anti-griefing tools.
    Huh? If this plugin is less secure than online-mode, how is it supposed to keep griefers out better than Mojang authentication?

    = Basic and sufficient anti-bot protection.
    Sure... The plugin authors apparently don't realize that most bots are stolen accounts, and this system will cause massive account theft. Watch as the authors of this plugin ban hundreds and thousands of bots to find that they've banned their entire user base. :p

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: May 26, 2016
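As an added example (not AuthMC's code) of the design azazad proposes above, here is the "tell the server to let you in" step reduced to a signed login assertion: the auth site, having checked the password over HTTPS, signs (player, server id, expiry) with a private key only it holds, and each game server verifies with the public key. The password never reaches a game server, and a rogue server cannot mint or re-target assertions for other servers. The token format, the ECDSA key, the server ids and the fixed clock are assumptions made for this example; the signing key stands in for the certificate-protected subdomain in the post.

```java
// Added example, not AuthMC's code.  Token format, the ECDSA key, the server
// ids and the fixed clock below are assumptions made for this example.
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Base64;

public final class LoginAssertion {

    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private static final String ALG = "SHA256withECDSA";

    /** Auth-site side: called only after the player authenticated over HTTPS. */
    public static String issue(PrivateKey key, String player, String serverId,
                               long expiresAtEpochSeconds) throws GeneralSecurityException {
        if (player.indexOf('|') >= 0 || serverId.indexOf('|') >= 0) {
            throw new IllegalArgumentException("field separator in input");
        }
        byte[] payload = (player + "|" + serverId + "|" + expiresAtEpochSeconds)
                .getBytes(StandardCharsets.UTF_8);
        Signature sig = Signature.getInstance(ALG);
        sig.initSign(key);
        sig.update(payload);
        return ENC.encodeToString(payload) + "." + ENC.encodeToString(sig.sign());
    }

    /**
     * Game-server side: returns the player name when the token is genuine, was
     * issued for THIS server and has not expired; null in every other case.
     */
    public static String verify(PublicKey key, String token, String expectedServerId,
                                long nowEpochSeconds) throws GeneralSecurityException {
        int dot = token.indexOf('.');
        if (dot <= 0) {
            return null;
        }
        byte[] payload;
        byte[] signature;
        try {
            payload = DEC.decode(token.substring(0, dot));
            signature = DEC.decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null;                          // not base64url
        }
        Signature sig = Signature.getInstance(ALG);
        sig.initVerify(key);
        sig.update(payload);
        boolean genuine;
        try {
            genuine = sig.verify(signature);
        } catch (SignatureException e) {
            genuine = false;                      // malformed signature encoding
        }
        if (!genuine) {
            return null;                          // forged, tampered, or another key
        }
        String[] f = new String(payload, StandardCharsets.UTF_8).split("\\|", -1);
        if (f.length != 3 || !f[1].equals(expectedServerId)) {
            return null;                          // genuine, but minted for another server
        }
        long expiresAt;
        try {
            expiresAt = Long.parseLong(f[2]);
        } catch (NumberFormatException e) {
            return null;
        }
        return nowEpochSeconds < expiresAt ? f[0] : null;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(256);
        KeyPair authSite = gen.generateKeyPair();     // constructed demo key pair
        long now = 1_340_000_000L;                     // fixed clock for the demo
        PublicKey pub = authSite.getPublic();

        String token = issue(authSite.getPrivate(), "alice", "survival.example", now + 60);
        // A forged payload that reuses the genuine signature.
        String forged = ENC.encodeToString(("mallory|survival.example|" + (now + 60))
                .getBytes(StandardCharsets.UTF_8)) + token.substring(token.indexOf('.'));

        System.out.println(verify(pub, token, "survival.example", now));       // genuine
        System.out.println(verify(pub, token, "creative.example", now));       // wrong server
        System.out.println(verify(pub, token, "survival.example", now + 60));  // expired
        System.out.println(verify(pub, forged, "survival.example", now));      // forged
    }
}
```

Running main prints alice for the genuine token and null for the other three cases. What the signature proves is only that the auth site vouched for that player, for that server, within that window; the game server still has to bind the assertion to the connection presenting it (for example via a one-time code shown on the site and typed in-game), and a replay within the window needs a nonce store on the server. In offline mode nothing else proves who that connection is, which is the gap the IP-based variant later in the thread runs into.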
  27. ZachBora

    Until 1.3, there are servers out there able to steal your session if you join them. Now the concept of your plugin is that you type your password to the server. It's even easier to steal your session like this. A server owner could pretend to use your plugin, but they are actually phishing.
     
  28. kezz101

    As of today I will be stopping development on AuthMC. This is due to the gaping flaws in the concept of online authentication and the major security issues pointed out by you guys on the Forums. I do not wish to support offline-mode servers at all, and any loss to Mojang's profit caused by something I have done/produced is not what I am here for. I would prefer to stick to making plugins that aid people's gameplay on legit Minecraft servers.

    Thank you all for your help in pointing out the issues with this plugin.
     
  29. XENGS

    Ok. Glad you all made Kezz quit, thank you. Now I need to find a new developer as good at coding as him, and willing to code this. Great. (Yes, I hate all you guys that made him quit.) While "sleeping" I found out a new idea to redesign the plugin and how it works, and now I can't do it. Why? I don't have a developer. Why? They told him a thousand times the plugin is insecure, using the SAME excuses. SSL Certificate for an HTTPS environment? Sure. I said A THOUSAND times I'll get one AFTER the beta! PRP is designed to be tested!
    Ok, let's pretend I'm calm and tell you my idea.
    The user registers at the site with a username and a password.
    The next day, when he wants to log in, he logs in, and clicks "Authorise IP".
    Once he joins a server, the server sends using POST the player's username and IP.
    So the server owners don't have anything to do with the password, only the player's IP.
    And there also wouldn't be the need of /login.
    From my side (PHP), it will take some time to create, but from the Java developer's side, it will need the WHOLE plugin to be recoded. So, if you know any other good developer, please reply or PM me. Except if Kezz decides to come back :/
     
  30. Coelho

    Using IP addresses for authentication is the worst security concept ever thought of.
    Not to mention that your entire intent with this plugin is clearly providing another means of authentication for Minecraft, which endorses pirating of the game, something that is not only illegal but entirely wrong for an indie game where the user is given as much freedom as we are.

    I hate people like you.
     