ROBLOX Forum » Roblox » Suggestions & Ideas

Re: Secure the http!

justin7674 is not online. justin7674
Joined: 26 May 2008
Total Posts: 349
07 Jan 2015 07:09 PM
I am frustrated -.- I am literally banging my head into a wall.
Could you guys just take the 35 minutes to write up an ASHX web extension
that can verify tokens that are provided by game server requests (tokens of course would need to be created)? But come on, seriously, nothing can be secure using http requests.

I hate to say it but anyone can spoof the place http requests. I honestly am trying to get this solved so that I can have my items secured before I start getting them out there more. If anyone knows this info:
Type of database
ASHX database connector used
SSL library used (To generate sha256 hashes as validation tokens)


If anyone knows that, I could literally write up the ashx portion of it in 15 minutes .-.
Report Abuse
justin7674 is not online. justin7674
Joined: 26 May 2008
Total Posts: 349
07 Jan 2015 07:16 PM
If I don't get a resolve for this vulnerability then I will be forced to act in protest :( By demonstrating in video how easy it is to fake the requests.
Report Abuse
Nteorvolri is not online. Nteorvolri
Joined: 03 Jan 2013
Total Posts: 51733
07 Jan 2015 07:23 PM
why don't you actually speak English so 90% of us can understand
Report Abuse
RBXChris is not online. RBXChris
Joined: 05 Jan 2015
Total Posts: 341
07 Jan 2015 07:27 PM
So how would users benefit using HTTPS for server requests?
Report Abuse
Bob123456789103570 is not online. Bob123456789103570
Joined: 23 Dec 2008
Total Posts: 9531
07 Jan 2015 07:28 PM
or, you know, you could buy an ssl certificate and be done

@nteorvolri
but then how could he flaunt his superior intellect?
Report Abuse
Bob123456789103570 is not online. Bob123456789103570
Joined: 23 Dec 2008
Total Posts: 9531
07 Jan 2015 07:29 PM
@rbxchris

they wouldn't, really, unless they were using public wifi
Report Abuse
Nteorvolri is not online. Nteorvolri
Joined: 03 Jan 2013
Total Posts: 51733
07 Jan 2015 07:31 PM
"but then how could he flaunt his superior intellect?"
you mean google
Report Abuse
RBXChris is not online. RBXChris
Joined: 05 Jan 2015
Total Posts: 341
07 Jan 2015 07:34 PM
they wouldn't, really, unless they were using public wifi

--

Is there anything valuable that is sent through the request though?

I mean unless you're sending/receiving something that is worth hacking (such as passes or payment information), what are the chances of someone in public wanting to hack on ROBLOX?
Report Abuse
Bob123456789103570 is not online. Bob123456789103570
Joined: 23 Dec 2008
Total Posts: 9531
07 Jan 2015 07:40 PM
@rbxchris
the only valuable information would be payment/user credentials (and user credentials are only necessary when logging in; otherwise, it uses an API token)

@op
if you're so worried, get a VPN
with your superior programming skills, it should be no problem ;)
Report Abuse
GMANSTA is not online. GMANSTA
Joined: 26 Mar 2011
Total Posts: 539
07 Jan 2015 07:40 PM
@RBXChris

It's not really just that problem. When connecting to a website, even in the same country as you, your connection may not be directly to the website - usually they bounce through a few routers first. However I highly doubt that it's possible to intercept traffic between these routers (I know some Network Security - but not sure about that being possible)

And as for running SSL in the first place, the majority of transactions probably won't be happening in public places, unlike Paypal and other companies. Also the cost would be seen as unreasonable, and who knows what the performance may result in.

[FOR THOSE WHO HAVE NO IDEA WHAT THIS IS ABOUT]

Basically - SSL is a way of encrypting the data you send so that only the Roblox Server will understand, and not some nefarious criminal trying to sniff your data in the middle of the connection.
Report Abuse
justin7674 is not online. justin7674
Joined: 26 May 2008
Total Posts: 349
07 Jan 2015 07:41 PM
Wow everyone completely misunderstood this. Okay so your ingame http requests are insecure! I need a way to verify who the requests are coming from you see? So therefore I am requesting that roblox make a "webpage" that can verify tokens that are appended to the ingame http requests.
Report Abuse
Bob123456789103570 is not online. Bob123456789103570
Joined: 23 Dec 2008
Total Posts: 9531
07 Jan 2015 07:43 PM
@justin7674
...why?
Report Abuse
justin7674 is not online. justin7674
Joined: 26 May 2008
Total Posts: 349
07 Jan 2015 07:46 PM
If a cross place store were made, or any store for that matter, where the info was stored on a webserver, I could easily spoof being a roblox server and write over all of their information. This is something I do not want. The RSA port I am working on for Lua right now won't even be any use because of how vulnerable roblox has the game environment (though I considered using their "secure" datastore for storing the private keys)
Report Abuse
GMANSTA is not online. GMANSTA
Joined: 26 Mar 2011
Total Posts: 539
07 Jan 2015 07:47 PM
Exploiting via the In-Game Connection...

Hmmm... we got us a real hacker here lol
Report Abuse
justin7674 is not online. justin7674
Joined: 26 May 2008
Total Posts: 349
07 Jan 2015 07:48 PM
No it is more like using something like Fiddler to send a regular http request with a small header appended with placeid:#PlaceID

And boom whatever service that webpage was running for roblox is now thinking I am that place server making a request.
Report Abuse
justin7674 is not online. justin7674
Joined: 26 May 2008
Total Posts: 349
07 Jan 2015 07:50 PM
See literally bashing my head into the wall here. I have something that is vulnerable because of this. Just get out of here if you are going to troll.
Report Abuse
RBXChris is not online. RBXChris
Joined: 05 Jan 2015
Total Posts: 341
07 Jan 2015 07:50 PM
"the only valuable information would be payment/user credentials (and user credentials are only necessary when logging in; otherwise, it uses an API token)"

--

I figured that would only be sent when buying something like BC or robux, which is in fact, using HTTPS.

--

"However I highly doubt that it's possible to intercept traffic between these routers"

--

My only question, which I suppose was answered above, was why would someone want to intercept traffic on ROBLOX anyways?

Report Abuse
Bob123456789103570 is not online. Bob123456789103570
Joined: 23 Dec 2008
Total Posts: 9531
07 Jan 2015 07:50 PM
@justin7674
uh, I don't think they would want you to do that in the first place.
also, it probably wouldn't work because you're trying to make cross-origin requests between servers. you can "spoof" a roblox server all you want, but you won't be able to change anything.
Report Abuse
GMANSTA is not online. GMANSTA
Joined: 26 Mar 2011
Total Posts: 539
07 Jan 2015 07:50 PM
You should never have posted this

RIP Roblox

08/01/2015
Report Abuse
justin7674 is not online. justin7674
Joined: 26 May 2008
Total Posts: 349
07 Jan 2015 07:52 PM
You are all ignorant! Roblox has created a new service for use ingame called the HTTP service. They suggested it could be used for things such as building stores or even cross server leaderboards. However none of this is secure because anyone can fake being the server!
Report Abuse
cpmoderator12345 is not online. cpmoderator12345
Joined: 26 Jan 2013
Total Posts: 15651
07 Jan 2015 07:56 PM
Why not add HTTPSservice?

TAKE DOWN STARBUCKS GROUP OR RIOT!
Report Abuse
justin7674 is not online. justin7674
Joined: 26 May 2008
Total Posts: 349
07 Jan 2015 07:56 PM
http://wiki.roblox.com/index.php?title=API:Class/HttpService
Report Abuse
Bob123456789103570 is not online. Bob123456789103570
Joined: 23 Dec 2008
Total Posts: 9531
07 Jan 2015 08:00 PM
@justin7674
i just read up on it (http://blog.roblox.com/2013/12/roblox-enables-http-requests-from-game-servers/)
this seems like it will behave just like any other API
it doesn't matter whether the request originates from roblox, your computer, or any other server. any site that secures its API well will have no trouble. most require documentation sent from the request origin; see authorization platforms like OAuth (https://en.wikipedia.org/wiki/OAuth). go ahead and "spoof" a server; unless you have the proper credentials for a request, it won't work. i don't see many real problems that could be created by the implementation of this feature.
Report Abuse
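
An added example, not part of any post in this thread and not Roblox code: one way a third-party web server can require the per-request credentials described above is an HMAC over each request, keyed with a secret shared only with the game's server-side script. The header names, the secret and the sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac

MAX_SKEW = 300  # seconds a signed request stays acceptable


def sign(secret: bytes, place_id: str, ts: int, nonce: str, body: bytes) -> str:
    """Signature the game server sends with each request (hypothetical scheme)."""
    msg = b"\n".join([place_id.encode(), str(ts).encode(), nonce.encode(),
                      hashlib.sha256(body).hexdigest().encode()])
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Verifier:
    """Web-server side: accept a request only if it carries a valid signature."""

    def __init__(self, secrets: dict):
        self.secrets = secrets  # place id -> shared secret (bytes)
        self.seen = {}          # (place id, nonce) -> timestamp, for replay checks

    def check(self, headers: dict, body: bytes, now: int) -> str:
        place_id = headers.get("X-Place-Id", "")  # header names are assumptions
        secret = self.secrets.get(place_id)
        if secret is None:
            return "unknown place"
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return "bad timestamp"
        if abs(now - ts) > MAX_SKEW:
            return "stale"
        nonce = headers.get("X-Nonce", "")
        expected = sign(secret, place_id, ts, nonce, body)
        supplied = headers.get("X-Signature", "")
        # Constant-time comparison; a bare place id header proves nothing.
        if not hmac.compare_digest(expected.encode(), supplied.encode()):
            return "bad signature"
        # Forget nonces whose timestamp has left the acceptance window.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= MAX_SKEW}
        if (place_id, nonce) in self.seen:
            return "replay"
        self.seen[(place_id, nonce)] = ts
        return "ok"
```

The secret has to stay in server-side code and storage only; anything replicated to game clients can be read by players.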
justin7674 is not online. justin7674
Joined: 26 May 2008
Total Posts: 349
07 Jan 2015 08:00 PM
I am just waiting for the responses from the peeps who still think I am talking about the Roblox servers being vulnerable. No, the services using the HTTP Service that will expand upon the games are insecure because roblox has no source verification for their http requests.
Report Abuse
justin7674 is not online. justin7674
Joined: 26 May 2008
Total Posts: 349
07 Jan 2015 08:01 PM
OMG BOB LOOK. MY WEBSITE IS VULNERABLE THAT IS WHAT I AM SAYING. NOT ROBLOX. BECAUSE ROBLOX HAS NO METHODS OF VERIFYING WHO IS TALKING TO MY SERVERS!!!!!!!!! JUST LEAVE BECAUSE YOU ARE LITERALLY USELESS!
Report Abuse