This repository has been archived by the owner on May 19, 2024. It is now read-only.

[Q&A] HTTP(s) Transport encryption & database hashing #85

Open
ghost opened this issue Apr 13, 2020 · 8 comments
Labels
question Further information is requested

Comments

@ghost

ghost commented Apr 13, 2020

Hello,
I run a Minecraft server and SkinSystem really helped me out for my players to not have basic Steve/Alex skins. However, I had to remove it because I wouldn't want my players' passwords to be transferred as plaintext (we can't use HTTPS). So yeah, that's the question. Does SkinSystem hash/encrypt/encode these passwords before they get sent to the server? Thanks.

@riflowth
Collaborator

SkinSystem uses AuthMe for authentication.

@riflowth added the "question" (Further information is requested) label Apr 13, 2020
@ghost
Author

ghost commented Apr 13, 2020

I mean, I'm asking if the password is transferred in a secure way between the client and the server.

@riflowth
Collaborator

@ghost
Author

ghost commented Apr 13, 2020

If I'm right, the password gets hashed on the client's computer and then sent to the server?

@riflowth
Collaborator

riflowth commented Apr 13, 2020

No, client -> password (plain) -> server (encrypts the password to compare it against the AuthMe database)
Note: you can modify the SkinSystem source code however you want.
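What the arrow above looks like on the server side, as an added Python illustration (this is not SkinSystem's or AuthMe's code): the password arrives in the clear, the server hashes it and compares the result with the stored hash. The `$SHA$<salt>$<digest>` layout with `digest = sha256(sha256(password) + salt)` and a 16-hex-character salt is AuthMe's default SHA256 format as I understand it; AuthMe supports other algorithms (BCRYPT and others), so check the hash algorithm configured in your AuthMe before relying on this. The `USERS` table, `handle_login` and the sample passwords are constructed for the example.

```python
import hashlib
import hmac
import secrets


def _sha256_hex(data: str) -> str:
    """Lowercase hex SHA-256 of a UTF-8 string."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def authme_sha256_hash(password: str, salt: str = "") -> str:
    """Build an AuthMe-style "$SHA$<salt>$<digest>" string.

    digest = sha256(sha256(password) + salt); the salt is 16 hex characters.
    This mirrors AuthMe's default SHA256 algorithm as understood by the author
    of this example (assumption, verify against your AuthMe version).
    """
    if not salt:
        salt = secrets.token_hex(8)  # 8 random bytes -> 16 hex characters
    return f"$SHA${salt}${_sha256_hex(_sha256_hex(password) + salt)}"


def verify_authme_sha256(password: str, stored: str) -> bool:
    """Re-hash the presented password with the stored salt and compare in constant time."""
    parts = stored.split("$")          # "", "SHA", salt, digest
    if len(parts) != 4 or parts[0] != "" or parts[1] != "SHA" or not parts[2]:
        return False                   # malformed or foreign hash format
    candidate = authme_sha256_hash(password, parts[2])
    return hmac.compare_digest(candidate.encode("ascii"), stored.encode("ascii"))


# Constructed stand-in for the AuthMe table: lower-cased username -> stored hash.
USERS = {
    "steve": authme_sha256_hash("correct horse battery staple", "0123456789abcdef"),
    "alex": authme_sha256_hash("hunter2"),  # random salt, different every run
}


def handle_login(username: str, password: str, users=USERS) -> bool:
    """Server side of the login: the password is received in plaintext and hashed here.

    Nothing in this function protects the password on the wire; that is what
    TLS (or a VPN/SSH tunnel in front of the web server) is for.
    """
    stored = users.get(username.lower())
    if stored is None:
        # Do a dummy comparison so an unknown username costs about the same
        # time as a wrong password (reduces username enumeration by timing).
        verify_authme_sha256(password, authme_sha256_hash("", "0" * 16))
        return False
    return verify_authme_sha256(password, stored)
```

The comparison goes through `hmac.compare_digest` rather than `==` so the time taken does not leak how many leading characters of the digest matched; the dummy comparison for unknown users keeps the rejected-login timing roughly uniform.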

@riflowth added the "good first issue" (Good for newcomers) and "enhancement" (New feature or request) labels Apr 13, 2020
@aljaxus
Member

aljaxus commented Apr 13, 2020

I wouldn't want my players' passwords to be transferred as plaintext (we can't use HTTPS).

I'm sorry, what's your reason not to use TLS? We're basically in the time of click-to-go TLS; you have Cloudflare for free TLS, Let's Encrypt... You really can't have an excuse for not supporting HTTPS!

I'd be glad to help you out, I just need to know the reason why you're so sure you can't support it.

@ghost
Author

ghost commented Apr 13, 2020

@aljaxus I can't use TLS because we use ZeroTier (think of it as Hamachi) with DuckDNS, and neither of these services supports it. I could add self-signed certs, but that would make browsers show warnings like "Nooooo don't go there, they have a self-signed cert, they are hack0rs!!11".

@riflowth removed the "enhancement" (New feature or request) and "good first issue" (Good for newcomers) labels Apr 13, 2020
@ITZVGcGPmO
Collaborator

ITZVGcGPmO commented Apr 13, 2020

We shouldn't be implementing our own encryption, as we most likely aren't experts in cryptography and would introduce vulnerabilities in such an implementation. We recommend you use an HTTPS secure-tunnel configuration for your web server if you want transport encryption. After it gets to the server, it is hashed immediately and compared against its username:passwordhash database.

Another good question you should be asking: "does Minecraft encrypt my chat when I do /login?". Either way, end users should be using unique passwords on a per-service basis. I personally use https://ss64.com/pass/

So: if you don't want your AuthMe passwords in cleartext, enable TLS for your SkinSystem server, AND have your Minecraft server accessible only behind an encrypted VPN tunnel such as OpenVPN or an SSH TCP tunnel.

With the MITM discussion out of the way, there's the topic of attackers bruteforcing (bulk-guessing) passwords on your (publicly accessible) SkinSystem instance. By default, SkinSystem blocks IPv4 addresses and IPv6 /64 ranges (*regex) if they get 3 logins wrong within 24 hours (by using file placeholders and their modification times). Then, if an attacker is bruteforcing a specific username using multiple IP addresses, the login is blocked by the username instead of the IP. (*code)
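The blocking scheme described above, as an added Python sketch rather than SkinSystem's own code or its actual regex and file layout: one empty marker file per failed attempt, kept in a bucket keyed by the client's IPv4 address or IPv6 /64 prefix and in a second bucket keyed by the username; a bucket whose markers modified within the last 24 hours number 3 or more is blocked, and older markers are pruned on the way. The directory naming, the hashing of bucket keys, the `attempt_login` return values and the fixed clock used in `demo()` are my choices for the example.

```python
import hashlib
import ipaddress
import os
import secrets
import tempfile
import time
from pathlib import Path

MAX_FAILURES = 3               # third wrong guess inside the window triggers the block
WINDOW_SECONDS = 24 * 60 * 60  # 24 hours


class FailureTracker:
    """Failed-login counter that stores one marker file per failure (assumed layout)."""

    def __init__(self, state_dir: str):
        self.state_dir = Path(state_dir)
        self.state_dir.mkdir(parents=True, exist_ok=True)

    @staticmethod
    def client_key(ip: str) -> str:
        """IPv4: the exact address. IPv6: the /64 prefix, so one tenant cannot
        dodge the block by hopping between the 2**64 addresses it controls."""
        addr = ipaddress.ip_address(ip)
        if addr.version == 4:
            return str(addr)
        return str(ipaddress.ip_network(f"{addr}/64", strict=False))

    def _bucket(self, kind: str, key: str) -> Path:
        # Hash the key so colons, slashes and odd usernames never reach the filesystem.
        digest = hashlib.sha256(f"{kind}:{key}".encode("utf-8")).hexdigest()[:32]
        bucket = self.state_dir / kind / digest
        bucket.mkdir(parents=True, exist_ok=True)
        return bucket

    def record_failure(self, kind: str, key: str, now: float = None) -> None:
        now = time.time() if now is None else now
        marker = self._bucket(kind, key) / secrets.token_hex(8)
        marker.touch()
        os.utime(marker, (now, now))   # the mtime is the record of *when* it failed

    def recent_failures(self, kind: str, key: str, now: float = None) -> int:
        """Count markers newer than the window; delete the expired ones."""
        now = time.time() if now is None else now
        count = 0
        for marker in list(self._bucket(kind, key).iterdir()):
            if now - marker.stat().st_mtime < WINDOW_SECONDS:
                count += 1
            else:
                marker.unlink()
        return count

    def is_blocked(self, ip: str, username: str, now: float = None) -> bool:
        ip_hits = self.recent_failures("ip", self.client_key(ip), now)
        user_hits = self.recent_failures("user", username.lower(), now)
        return ip_hits >= MAX_FAILURES or user_hits >= MAX_FAILURES

    def attempt_login(self, ip: str, username: str, password_ok: bool, now: float = None) -> str:
        """Returns "blocked", "ok" or "denied". password_ok stands in for the hash check."""
        if self.is_blocked(ip, username, now):
            return "blocked"            # rejected before the password is even checked
        if password_ok:
            return "ok"
        self.record_failure("ip", self.client_key(ip), now)
        self.record_failure("user", username.lower(), now)
        return "denied"


def demo() -> list:
    """Constructed scenario with a fixed clock so the outcome is reproducible."""
    base = 1_700_000_000.0
    results = []
    with tempfile.TemporaryDirectory() as state_dir:
        t = FailureTracker(state_dir)
        for i in range(3):              # three wrong guesses from one IPv4 host
            results.append(t.attempt_login("203.0.113.7", "steve", False, now=base + i))
        # the fourth try is refused even with the right password
        results.append(t.attempt_login("203.0.113.7", "steve", True, now=base + 3))
        # four different hosts in the same IPv6 /64 share one bucket
        for i, host in enumerate(("::10", "::11", "::12")):
            results.append(t.attempt_login("2001:db8:1:2" + host, "alex", False, now=base + 4 + i))
        results.append(t.attempt_login("2001:db8:1:2::13", "alex", True, now=base + 7))
        # once the window has passed the IPv4 host is let back in
        results.append(t.attempt_login("203.0.113.7", "steve", True, now=base + WINDOW_SECONDS + 10))
    return results


if __name__ == "__main__":
    print(demo())
```

Two things a deployer should keep in mind with any scheme of this shape. Marker files are not an atomic counter, so a burst of concurrent requests can all pass `is_blocked` before any marker lands; that widens the window slightly but does not defeat the block. And the per-username lock, which is what stops an attacker rotating through many IPs, also means anyone who knows a player's name can lock that player out for the window with three deliberate wrong guesses; that is the trade-off being made.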

@ITZVGcGPmO changed the title from "Question about security" to "HTTP(s) Transport encryption & database hashing" Apr 13, 2020
@ITZVGcGPmO changed the title from "HTTP(s) Transport encryption & database hashing" to "HTTP(s) Transport encryption & database hashing Q&A" Apr 13, 2020
@riflowth riflowth pinned this issue Apr 13, 2020
@ITZVGcGPmO ITZVGcGPmO reopened this Apr 13, 2020
@riflowth changed the title from "HTTP(s) Transport encryption & database hashing Q&A" to "[Q&A] HTTP(s) Transport encryption & database hashing" Dec 22, 2020