[Feat Req] Proper Network Encryption (+SSL/TLS?)

We currently have our own system, but it would've been wayy easier and more legible if this was native:

Currently, Photon PUN *does* sort of have an encryption feature -- but it doesn't do much good if the encryption key is sent with the message ;p we actually tried Photon's encryption, at first, until we realized this when we had an attack maybe 6 months ago after analyzing the traffic.

If it was offered, I'd probably swap our system with the native PUN one just for code legibility. And thinking about future projects.

Or, more importantly, how come TLS/SSL does not seem to be enabled so encryption wouldn't be necessary? I'm sure there's a reasonable explanation, but I'm curious what the roadblocker is.

Comments

  • JohnTube mod
    edited January 10
    Hi @xblade724,

    > but it doesn't do much good if the encryption key is sent with the message ;p we actually tried Photon's encryption
    What do you mean?

    Encryption keys are exchanged between client and server and not between clients.
    Read more about this here.

    > how come TLS/SSL does not seem to be enabled so encryption wouldn't be necessary?
    I don't think TLS is commonly used in non-webbrowser based realtime games. Also what does it add to Photon's built-in encryption?
  • Can you elaborate? We're not sending keys in the messages.
    How is your system doing this and how is it safe?
  • xblade724
    edited January 10
    > Can you elaborate? We're not sending keys in the messages.
    https://i.imgur.com/8HeuAMY.png
    Using the PUN encryption can be decrypted with Wireshark. It seems that the key is included within it when sent this way.

    > how is it safe?
    It's not ;D that's why I was wondering! We use our own system to secure network traffic, instead, after discovering this (about 8 months ago+).
  • > Using the PUN encryption can be decrypted with Wireshark. It seems that the key is included within it when sent this way.

    Encryption in Photon is done per command and only on demand. Typically, whatever you're sending is temporary info and to be read by the others in the room, so encrypting positions (which everyone has anyways) is just a waste of performance.
    The RpcSecure method can be used where needed, yes. Are you saying you found a RpcSecure message in plain text in Wireshark?

    I meant to ask: How is your system secure? Or in more detail: How is it more secure than ours?
  • @xblade724 : Care to elaborate how your encryption works and how it's better?
    If that's secret but you would share it with us, then mail: [email protected]

    Thanks.
  • Re-checked encryption for RpcSecure().
    It's working just as expected, provided you set the "encrypt" parameter to true.