by BHSPitMonkey 895 days ago
Or that the session ticket verification flow needs connectivity between the game server and Valve's (apparently very slow at times) auth server.

Presumably a faster and more robust solution would be for the Steam client to obtain (and hang onto) a signed token (from Valve) with a lifetime of a few hours, and whenever you connect to a game server that token is sent over where it can be validated locally against a public cert issued by Valve (that comes distributed with the game server contents).

1 comments

The problem with that approach is that a malicious server can replay tokens to impersonate players on another server.
This exact thing happened about a decade ago, when someone released a tool called Serenity that allowed you to spoof your SteamID using recorded tickets. It was especially chaotic for the Garry's Mod community, since most servers have admin tools gated behind SteamID checks.
To protect against replay of the token associated with the certificate, simply challenge the client to sign the value specified by the server, e.g. random value + server ID.

However, it smells like self-made crypto.
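
The scheme discussed in this thread (an offline-verifiable signed token plus a per-connection challenge over a random value and server ID), sketched as an added example that is not from any commenter or from Valve. Ed25519, the token layout, and all names (`issueToken`, `answerChallenge`, `verifyLogin`, the server IDs) are assumptions of this sketch; the client signs the ID of the server it dialed, so a response captured by one server does not verify on another.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed stand-ins: "authority" plays the token issuer, "client" the player.
const authority = nodeCrypto.generateKeyPairSync('ed25519');
const client = nodeCrypto.generateKeyPairSync('ed25519');

// Issuer signs a short-lived token binding the player ID to the client's public key.
function issueToken(playerId, clientPublicKey, lifetimeMs, now = Date.now()) {
  const clientKey = clientPublicKey.export({ type: 'spki', format: 'der' }).toString('base64');
  const body = JSON.stringify({ playerId, clientKey, expires: now + lifetimeMs });
  return { body, sig: nodeCrypto.sign(null, Buffer.from(body), authority.privateKey) };
}

// Game server: fresh random value per connection attempt (must be single-use).
function makeNonce() {
  return nodeCrypto.randomBytes(16).toString('hex');
}

// Unambiguous encoding of "random value + server ID".
function challengeBytes(serverId, nonce) {
  return Buffer.from(JSON.stringify([serverId, nonce]));
}

// Client: sign the nonce together with the ID of the server it actually dialed.
function answerChallenge(dialedServerId, nonce, clientPrivateKey) {
  return nodeCrypto.sign(null, challengeBytes(dialedServerId, nonce), clientPrivateKey);
}

// Game server: verify locally with only the issuer's public key, no auth-server call.
// Returns the player ID on success, null on any failure.
function verifyLogin(myServerId, myNonce, token, answer, now = Date.now()) {
  const tokenOk = nodeCrypto.verify(null, Buffer.from(token.body), authority.publicKey, token.sig);
  if (!tokenOk) return null;                      // token not signed by the issuer
  const claims = JSON.parse(token.body);
  if (claims.expires <= now) return null;         // token lifetime exceeded
  const clientKey = nodeCrypto.createPublicKey({
    key: Buffer.from(claims.clientKey, 'base64'), format: 'der', type: 'spki',
  });
  // A recorded token is useless without a signature over *this* server's challenge.
  const answerOk = nodeCrypto.verify(null, challengeBytes(myServerId, myNonce), clientKey, answer);
  return answerOk ? claims.playerId : null;
}
```
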