
Zukaro
#90020688Saturday, February 23, 2013 4:34 AM GMT

I've seen quite a few posts about stopping "hackers" from breaking into people's accounts. So I've suggested a few ways (which are already tried and true) to secure Roblox since a lot of the suggestions I've been seeing just don't work.

1. HTTPS

One way Roblox could greatly improve security would be to offer https encryption. MITM (man in the middle) attacks are a very easy thing to pull off and it doesn't take that much knowledge to pull one off. If you connect to a public network (school network, coffee shop network, etc) you're at risk of having your cookies stolen (data which the server you're connecting to stores on your computer to save login settings and such, as well as keep you logged in). If someone takes this data they can login as you and do anything you can do other than things which require your p.a.s.s.w.o.r.d. But they'd still be able to delete things, sell things, get you banned, etc. One downside of https is that it will have a negative effect on performance, but this is really only an issue for slow connections. There should be an option under your account settings to use https or not use it however, that way when you're at home you can keep it disabled but enable it if you plan to log on using a public network in the near future.

2. Two factor authentication

Bruteforce attacks and dictionary attacks wouldn't work if Roblox added two factor authentication. The reason for this is because just a p.a.s.s.w.o.r.d wouldn't be enough to login with. You'd also need to enter a verification code which you'd get from an authenticator application or from an authenticator keychain (Blizzard uses those for example). What two factor authentication does is it gives you a code but that code changes again within the next few seconds.

This makes it impossible to break into an account using a bruteforce or dictionary attack, and even if your p.a.s.s.w.o.r.d was known no one would be able to get in unless they physically had your authenticator (so if your phone had an authenticator app on it they'd need your phone to be able to login). This would also be an option you could select under account settings.

3. CAPTCHA

I don't know if Roblox currently uses this, but if not they should. Basically once you've gotten your p.a.s.s.w.o.r.d wrong 3 or more times you have to do a CAPTCHA test (this makes it impossible/very difficult for bots to break into your account (bots would be using a bruteforce/dictionary attack to try and gain access to your account, or even try to match your username up with a pre-existing database of usernames and p.a.s.s.w.o.r.d.s)). As well as doing this, Roblox should also lock you out of your account for 10 minutes at least if you've gotten your p.a.s.s.w.o.r.d wrong more than 5 times or so.
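Suggestions 2 and 3 above, worked through as an added example that is not part of the original post and not Roblox's code: an RFC 6238 time-based one-time code checked as a second factor, a CAPTCHA demanded after 3 consecutive failures, and a 10-minute lockout after 5. The user record, its salt and its TOTP secret are constructed for the example (the secret is the RFC 6238 test-vector key, not anyone's real key).

```python
"""Login-path hardening: TOTP second factor, CAPTCHA after 3 failures,
10-minute lockout after 5. Constructed example; user store below is made up."""
import hashlib
import hmac
import struct

CAPTCHA_AFTER = 3          # consecutive failures before a CAPTCHA is demanded
LOCK_AFTER = 5             # consecutive failures before the account is locked
LOCK_SECONDS = 10 * 60     # lockout length from the post: "10 minutes at least"
TOTP_STEP = 30             # seconds per code, the usual authenticator setting


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """RFC 6238 TOTP check. Neighbouring time steps within `window` are accepted
    so a code typed as the authenticator rolls over still works. Every candidate
    is compared in constant time and none is skipped, so timing reveals nothing."""
    counter = int(now) // TOTP_STEP
    ok = False
    for c in range(counter - window, counter + window + 1):
        ok |= hmac.compare_digest(hotp(secret, c), code)
    return ok


class LoginGuard:
    """Per-user failure counter implementing CAPTCHA-after-3 and lock-after-5."""

    def __init__(self):
        self.failures = {}       # user -> consecutive failed attempts
        self.locked_until = {}   # user -> unix time the lock expires

    def state(self, user: str, now: int) -> str:
        if self.locked_until.get(user, 0) > now:
            return "locked"
        if self.failures.get(user, 0) >= CAPTCHA_AFTER:
            return "captcha"
        return "open"

    def fail(self, user: str, now: int) -> None:
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n >= LOCK_AFTER:
            # the counter is deliberately not reset: once the lock expires, the
            # next failure locks again at once, so a bot cannot simply wait it out
            self.locked_until[user] = now + LOCK_SECONDS

    def success(self, user: str) -> None:
        self.failures.pop(user, None)
        self.locked_until.pop(user, None)


# Constructed user store: PBKDF2 password hash plus a per-user TOTP secret.
PBKDF2_ROUNDS = 100_000
_SALT = b"constructed-salt-for-example"
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery", _SALT, PBKDF2_ROUNDS),
        "totp_secret": b"12345678901234567890",   # RFC 6238 test key, constructed
    }
}


def login(guard: LoginGuard, user: str, password: str, totp_code: str,
          captcha_solved: bool, now: int) -> str:
    """Returns 'ok', 'denied', 'captcha_required' or 'locked'."""
    state = guard.state(user, now)
    if state == "locked":
        return "locked"
    if state == "captcha" and not captcha_solved:
        return "captcha_required"
    rec = USERS.get(user)
    if rec is None:
        guard.fail(user, now)    # attempts on unknown names count too
        return "denied"
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS),
        rec["pw_hash"])
    totp_ok = verify_totp(rec["totp_secret"], totp_code, now)
    # both factors are evaluated before deciding, so the answer never says which failed
    if not (pw_ok and totp_ok):
        guard.fail(user, now)
        return "denied"
    guard.success(user)
    return "ok"


if __name__ == "__main__":
    g = LoginGuard()
    code = hotp(USERS["alice"]["totp_secret"], 59 // TOTP_STEP)
    print(login(g, "alice", "correct horse battery", code, False, 59))
```

The guard keys on the username, which is what the post's "3 wrong tries" rule implies; a production deployment would also count per source address so one client cannot lock other people out of their own accounts by guessing at their names.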
800imawesome
#90023342Saturday, February 23, 2013 5:05 AM GMT

An actual, logical post on how we can stop PGers and scammers legitimately... it seems too good to be true. This is the day I've been waiting for in my whole career as an S&Ier. You have earned infinite support. I think I am literally crying tears of joy. Thank you.
Kevitis
#90023443Saturday, February 23, 2013 5:07 AM GMT

GOOD IDEA
pydlv
#90026537Saturday, February 23, 2013 5:48 AM GMT

The log in page does use a secure server. That's why it says https://www.roblox.com/login/default.aspx. Other than that, good ideas.
Zukaro
#90028228Saturday, February 23, 2013 6:16 AM GMT

I know the login page uses https, and I'm glad it does, otherwise the MITM attack could be used to get your p.a.s.s.w.o.r.d. But you can still get the cookies of a logged in account via a MITM attack (I did this at school the other day with a few sites, including Roblox (just to test if I could), from my phone). If you get those you are literally logged in as that person and can do anything you'd normally be able to do when logged in. The only thing you'd be unable to do is anything that requires your p.a.s.s.w.o.r.d while you're still logged in. If the whole site used https MITM attacks wouldn't work because the connection would be encrypted.

If you want to be secure right now while on public networks you need to set up a VPN and tunnel all your traffic through that (or at least your web browser traffic, so port 80) as that will connect you to wherever the VPN is which wouldn't be running on a public network. However, from the VPN to Roblox would be insecure, but that doesn't matter too much since no one's going to be on your network at home unless your router is unsecure (if your router uses WEP encryption it's unsecure, but most people's routers are unsecure even with WPA due to bad p.a.s.s.w.o.r.d.s). And because of the fact a lot of people don't know how to properly set up a wireless router, that's another good reason for https, as it will protect the user at home who just happens to get unlucky.

"An actual, logical post on how we can stop PGers and scammers legitimately... it seems too good to be true. This is the day I've been waiting for in my whole career as an S&Ier. You have earned infinite support. I think I am literally crying tears of joy. Thank you."

You're welcome. :P I was getting sick of all these people who don't understand how these things work posting their "solutions". So I decided to post my own solution since I at least have some understanding of how these things work.
Zukaro
#90058031Saturday, February 23, 2013 5:07 PM GMT

bump
Twoublekinz122
#90059138Saturday, February 23, 2013 5:19 PM GMT

100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,% Support -Gives 99999,- tacos
somepizzaman99
#90059696Saturday, February 23, 2013 5:25 PM GMT

Support!
Zukaro
#90069183Saturday, February 23, 2013 7:01 PM GMT

bump
KING300000
#90069502Saturday, February 23, 2013 7:05 PM GMT

Support, I wouldn't want a guy to do that type of attack on my network and basically drain my account to nothing.     {K}Kīñg300000{K} "trust no one, trust nothing."
Zukaro
#90137480Sunday, February 24, 2013 7:03 AM GMT

If you're worried about hackers what you can do now to help with security is:

1. Make a long p.a.s.s.w.o.r.d with letters of different case, symbols, and numbers (this will be much harder to bruteforce/dictionary attack; however, a bruteforce ALWAYS gets the p.a.s.s.w.o.r.d, it's just the more secure the p.a.s.s.w.o.r.d is the longer it takes; it could take a bruteforce attack hundreds of years to crack one p.a.s.s.w.o.r.d depending on its length and so on).

2. DO NOT use public networks UNLESS you have access to a VPN and tunnel your web connections through that. That goes with anything not using https; if there's no https a MITM attack is entirely possible and quite easy. If there is encryption a MITM attack is impossible. However, the possibility for a MITM attack to redirect you to another page IS a possibility even with https. A MITM attack will NOT work however, if you're on a VPN.

3. Assuming you only use Roblox from your home network you're as secure as your router is. Even on a router using WEP (which is very very easy to crack; can be done in less than 5min with an easy to use tool), you're much better off than on a public network (it also depends on the area; if you're in an apartment building for example you're much more at risk than say, in the middle of nowhere). If you're using WPA and have a secure p.a.s.s.w.o.r.d however you'll be fine. By a secure p.a.s.s.w.o.r.d I mean something that's random numbers, letters of varying case, and symbols. Or if you have no wifi plain and simple, that's the safest.

No matter what precautions you take however, there's ALWAYS a way around it. It may not be known yet, but if no way is found someone will find it. The best you can do is make it as difficult as possible to get in. Even the things I'm suggesting Roblox use aren't 100% perfect, nothing is, but they'd help with security a TON compared to how it is now. An example of there always being a way around it; Bluetooth. Up until recently no one could really hack Bluetooth, but that's because we lacked the hardware, Bluetooth adapters are unable to go into monitor mode, severely limiting what you can do with them in terms of hacking. So some guy came up with some hardware which can do it (it's simply a matter of the hardware wasn't made because Bluetooth doesn't need to go into monitor mode for consumer devices). And before anyone gets angry at that guy, it's actually a good thing he did this, as although it's going to mean that many more people's Bluetooth will get hacked, it also means that people will be able to research into these vulnerabilities and secure against them. Same thing happened with wifi.

Anyways, even if Roblox implements the security features I've suggested you as the user should still do your best to remain secure. If you have to use public networks get on a VPN. You can either make your own or rent one (monthly fee for renting one; if you make your own it's free (at least on Linux, I don't know if on Windows you need to buy it but I assume there's a free alternative out there anyways)).

Side note; it's HARD to talk about security with the word p.a.s.s.w.o.r.d being filtered. >_>
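Two of the points in this thread are things a site operator can check for in its own response headers: the earlier post's observation that a logged-in session cookie travels over plain HTTP where anyone on the network can copy it, and this post's remark that even with https an on-path attacker can still bounce you to another page. The Secure cookie attribute addresses the first and a Strict-Transport-Security (HSTS) policy the second. The audit below is an added example, not code from the thread or from Roblox; the sample headers, the cookie name "session" and the one-year max-age threshold are assumptions made for the example.

```python
"""Audit response headers for a session cookie usable over plain HTTP and for a
missing or short-lived HSTS policy. Constructed example; sample headers are made up."""

ONE_YEAR = 365 * 24 * 3600   # assumed audit threshold for HSTS max-age


def parse_set_cookie(header: str) -> dict:
    """Minimal Set-Cookie parser: name, value, the Secure flag and other attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "secure": False, "attrs": {}}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key:
            cookie["attrs"][key] = val.strip()
    return cookie


def parse_hsts(header: str) -> dict:
    """Strict-Transport-Security directives: max-age in seconds and includeSubDomains."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in header.split(";"):
        key, _, val = directive.strip().partition("=")
        key = key.lower()
        if key == "max-age":
            try:
                policy["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                pass                     # malformed value is treated as absent
        elif key == "includesubdomains":
            policy["include_subdomains"] = True
    return policy


def browser_sends_cookie(cookie: dict, scheme: str) -> bool:
    """RFC 6265 rule: a cookie marked Secure is attached only to requests over a
    secure channel, so a plain-http request to the same host never exposes it."""
    return not (cookie["secure"] and scheme.lower() != "https")


def audit(headers, session_cookie_names=("session",)) -> list:
    """Return findings for the given (name, value) header pairs; empty means clean."""
    findings = []
    hsts = None
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie = parse_set_cookie(value)
            if cookie["name"] in session_cookie_names and not cookie["secure"]:
                findings.append(
                    f"cookie '{cookie['name']}' lacks the Secure attribute: the browser "
                    "will send it over plain HTTP, where anyone on the network can copy it")
        elif lname == "strict-transport-security":
            hsts = parse_hsts(value)
    if hsts is None:
        findings.append("no Strict-Transport-Security header: on later visits the browser "
                        "will still follow a redirect or typed URL to http://")
    elif hsts["max_age"] is None or hsts["max_age"] < ONE_YEAR:
        findings.append(f"Strict-Transport-Security max-age={hsts['max_age']} is below "
                        f"the assumed {ONE_YEAR}-second threshold")
    return findings


# Constructed sample responses: one as the thread describes (session cookie
# sent over HTTP, no HSTS) and one hardened.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; Secure"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit(hdrs) or ["no findings"])
```

HSTS only helps after the browser has seen the header once over a valid HTTPS connection, which is why the audit treats a short max-age as a finding: the policy must outlive the gap between visits to stop the downgrade the post describes.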
Mister_Freakout
#90138335Sunday, February 24, 2013 7:17 AM GMT

Support. Brought a tear to my eye. :')
21Survivor
#90141036Sunday, February 24, 2013 8:04 AM GMT

100% supported. hacks are for people who can't afford or want to act cool. Mark my words.
Zukaro
#90141501Sunday, February 24, 2013 8:14 AM GMT

"100% supported. hacks are for people who can't afford or want to act cool. Mark my words."

Depends on the reasons for hacking. If you're hacking to find vulnerabilities so they can be repaired that's a perfectly legitimate thing. In fact, this suggestion only came about because I was able to gain access to random people's Roblox accounts at my school on the school's network using a MITM attack. But just so we're clear, I didn't actually do anything on those accounts, I simply accessed them to see if it was possible (which again, is why I'm suggesting this, because it is clearly an issue currently). And it was more than Roblox accounts I could access; I got a few Netflix accounts, a bunch of Facebook accounts, a Tumblr account, and a few Roblox accounts. Didn't do anything with any of them though. And here's the thing, some of those do currently support https. Facebook for example, supports https, it's just people aren't using it because it's not enabled by default. If you're hacking just to be a jerk though, that's not cool. :P Unless it's just an innocent prank on friends, then whatever, but they might have an issue with that so even that's pushing it.

Something everyone should get is "HTTPS Everywhere"; it's a plugin for Firefox and Google Chrome which gets the secure page of every site which supports https (so Facebook would automatically be using https if you use this plugin, which I do). You can find the plugin on the EFF's site (Electronic Frontier Foundation). Just do a Google search for "HTTPS Everywhere" and look for the EFF's site and you'll find a download for it.
virgodf145bs
#90141565Sunday, February 24, 2013 8:15 AM GMT

I think roblox should do it like steam. Support.
G0LDDRAG0N
#90141807Sunday, February 24, 2013 8:21 AM GMT

[ Content Deleted ]
Zukaro
#90141989Sunday, February 24, 2013 8:25 AM GMT

"No. Some of hackers are helper." Explain to me why no, and what you mean. The whole point of people hacking to help, is to SECURE the thing they're hacking. If you're saying no you're being completely counter productive. What hackers who are hired to hack a website or database or whatever do, is try to find vulnerabilities so they can be SECURED. I've given a few ways to secure against attacks, one of which I tested myself (the MITM attack).
G0LDDRAG0N
#90142243Sunday, February 24, 2013 8:31 AM GMT

[ Content Deleted ]
Zukaro
#90142269Sunday, February 24, 2013 8:32 AM GMT

I still don't know what you mean by on.
G0LDDRAG0N
#90142290Sunday, February 24, 2013 8:32 AM GMT

[ Content Deleted ]
Zukaro
#90142309Sunday, February 24, 2013 8:33 AM GMT

On your way to what?
G0LDDRAG0N
#90142360Sunday, February 24, 2013 8:34 AM GMT

[ Content Deleted ]
Zukaro
#90142395Sunday, February 24, 2013 8:35 AM GMT

You're still not making any sense and this is getting nowhere.
21Survivor
#90143131Sunday, February 24, 2013 8:51 AM GMT

hackers ruin the game! hackers can do anything! once i joined sword fight on the heights and there were these decals on every surface that said "xpro hacks".
substitute541
#90143282Sunday, February 24, 2013 8:54 AM GMT

It's actually quite rare to see a ROBLOXian think of a very logical solution. It's also rare to see a ROBLOXian who really understands what the solution is, they just reply, "YES good idea, when ROBLOX implements this, there will be no more 'hackers'", or simply "COOL" (You find lots of them in the Roblox Blog). But the best way to secure ROBLOX from "hackers" is to just instruct many people NOT to give their .p.a.s.s.w.o.r.d. and have strong ones. Do not trust any person who will help you if you give them your .p.a.s.s.w.o.r.d.. Simply put, "When it's too good to be true, it probably is". There ARE some people who can literally hack accounts, I met one named "zeroreploid", although that account may be the victim and not the actual hacker, and running through a hacker like that is like getting struck by lightning. It's also a good idea not to get scared when faced with threats like "I'M GONN4 HACK YOUR ACCOUNT IF YOU DON'T GIVE ME 2000 ROBUX". Also, those who hack accounts just to get ROBUX and BC is utterly extremely bored, I mean, it's Virtual anyways, what's the value of it? If the security crew in ROBLOX is absolutely .i.n.s.a.n.e., they can add AES-256bit encryption...
