Tremulous Forum
General => General Discussion => Topic started by: Flower on August 23, 2007, 09:42:35 pm
-
I'd like to know why the GUID is not unique for each server you join. It's not hard to copy a GUID of someone else.
Example:
You own your server. When somebody joins, you can see his complete GUID on the console. If you figure out a way to replace yours and send it to a server when you join, it's easy to get his admin (if he is) and be a turd. I already heard some guy from S11 did it and I'm pretty sure it's not hard.
By using a unique GUID for each server, you are sure that nobody around can take your GUID and go on another server with it because it's different for each server.
-
Server unique guids can already be enabled.
-
How am I to do that?
-
By using a unique GUID for each server, you are sure that nobody around can take your GUID and go on another server with it because it's different for each server.
Of course, that doesn't stop them from spoofing your guid for that server and any others they see you on, individually.
-
get TJW's newest client, cl_guidserveruniq 1
-
Do most of the servers have this option on?
-
Do most of the servers have this option on?
it's a client option... it prepends the server ip and the server port (separated by a colon) to the qkey before taking the md5sum.
-
By using a unique GUID for each server, you are sure that nobody around can take your GUID and go on another server with it because it's different for each server.
Of course, that doesn't stop them from spoofing your guid for that server and any others they see you on, individually.
The way GUIDs operate could be changed.
The client would send a string to the server, the server would remember that GUID, but in /!listplayers it would only show the checksum of that GUID.
This would make it nearly impossible to steal a GUID, as only the server operator can see the entire GUID. Everyone else just sees the checksum. (It would be possible to try every GUID combination until you found the one with the checksum that a person had, but it would take a long time.) (Someone could also start a fake server just to gather GUIDs, but most of us don't go onto servers we don't know of, or get good ping on.)
This also has the desirable side effect of making it hard to make a fake GUID that displays as ***l33t*** or some such thing.
-
It's not about !listplayers, where only some digits are shown. ATM !listplayers is absolutely useless to harvest GUIDs.
Matt, please read up on what you are talking about .)
-
Matt, please read up on what you are talking about .)
I actually can't seem to find info about it. I googled and checked tjw's site. I found nothing about it.
Do you know of a good place to get information on it?
-
If none of the usual links/sites work, try the source. Or head on over to a server and check the GUIDs from the log with what !listplayers gives you.
-
The only people who can steal the GUIDs are the server admins. You get the full 32-byte string when you are an admin. It's also easy to change, but I won't explain it. And now that I know that the unique GUID is client side, I'll set it up and it'll be ok.
-
The only people who can steal the GUIDs are the server admins.....
If you wanted to make the GUID completely safe, a solution could be that the GUID is only sent by the client to a global GUID validator server somewhere, and that that GUID validator server just tells the server who it is (e.g. just sends the md5 checksum to the tremulous server).
This way the tremulous server would never receive any GUIDs and it couldn't be spoofed.
However, since GUIDs can now only be compromised locally on one server (due to cl_guidserveruniq) it doesn't seem to be worth the effort.
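
The derivation described in the thread (server ip and port, separated by a colon, prepended to the qkey before taking the MD5), as an added example that is not part of any post and is not the Tremulous client's own code. The qkey contents and size, the exact byte layout of the prefix, the addresses, the admin name and the `AdminList` class are assumptions made for illustration.

```python
import hashlib

# Constructed stand-in for a client's qkey file (size and content assumed).
QKEY = bytes(range(256)) * 8


def global_guid(qkey: bytes) -> str:
    """Option off (as implied by the thread): MD5 over the qkey alone."""
    return hashlib.md5(qkey).hexdigest()


def server_unique_guid(qkey: bytes, ip: str, port: int) -> str:
    """cl_guidserveruniq 1 as described: "ip:port" prepended to the qkey."""
    prefix = f"{ip}:{port}".encode("ascii")  # exact byte layout is assumed
    return hashlib.md5(prefix + qkey).hexdigest()


class AdminList:
    """Hypothetical server-side admin table; it only ever sees GUID strings."""

    def __init__(self):
        self.admins = {}

    def register(self, guid: str, name: str) -> None:
        self.admins[guid] = name

    def lookup(self, presented_guid: str):
        return self.admins.get(presented_guid)


def demo() -> dict:
    a = ("192.0.2.10", 30720)      # constructed documentation addresses
    b = ("198.51.100.20", 30720)
    guid_a = server_unique_guid(QKEY, *a)
    guid_b = server_unique_guid(QKEY, *b)
    server_a, server_b = AdminList(), AdminList()
    server_a.register(guid_a, "some_admin")
    server_b.register(guid_b, "some_admin")
    return {
        "guid_a": guid_a,
        "guid_b": guid_b,
        # A value logged by server A's operator matches nothing on server B ...
        "a_value_on_b": server_b.lookup(guid_a),
        # ... but on server A it is still a static string the server accepts.
        "a_value_on_a": server_a.lookup(guid_a),
        # With the option off, one string would be valid on every server.
        "global": global_guid(QKEY),
    }
```

The `a_value_on_a` result is the limit raised earlier in the thread: the per-server GUID stops cross-server reuse, but the server still authenticates on a fixed string that its operator can read.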