Simple HTTPS question
My game uses the WWW object to post data to a nodejs server I have set up. Up to this point I have just been testing things and learning how to post information to my database from within the Unity game using just http.
Now I would like to secure the transmission of data between my game and the nodejs server. I enabled https on the nodejs server and changed the url in my Unity game code to "https". The game runs and seems to communicate with the server just fine. The server is processing the information and returning information back to the game like it was over regular http. But I cannot tell if the traffic in between is actually encrypted or not.
My real worry is the initial transfer of the password in my JSON string. Can someone please tell me if what I have done to set up https will ensure that the JSON string is encrypted during its travel from my game to the server?
Thank you!
Answer by Sisso · Jul 17, 2014 at 06:19 PM
Yes, it is safe. But it is not so simple behind the code.
Your content and headers are encrypted. It is safe to use http://en.wikipedia.org/wiki/Basic_access_authentication for example, where you put the login and password in headers.
A good tip to test it is to use a network listener like Wireshark to see exactly what you are transmitting.
Remember that it is always good practice to audit any request coming from users. Anyone can still change your game code and execute bad requests.
Do you mean "audit" as in send the username and password in the header of every request? Also, thanks for the Wireshark tip.
You seem very knowledgeable, so I'm going to push my luck and ask one more question.
If someone can look at my code after it has been compiled, as you say, then they should be able to replicate every POST request I currently make by adding their username and password to the header and replicating the JSON string in the body. So what is a logical way around this to make sure only the requests created during the runtime of my game are being processed? Know what I mean? Is there a methodology here I can read up on?
This is the big problem. There is no way around. If they have access to the logical code they can do whatever they want, read and change. Much security code is bypassed by a simple change from 0 to 1 in the right if. There are many techniques to make a "hacker's" life difficult, like obfuscating your code, encrypting your variables, etc. If you want to protect something, the client can't have access. This is the reason that most online games have servers to process most of everything.
Thanks for all your help! I'll try and keep all of that in mind.
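Added example (not part of the original thread): a sketch of what "audit any request" and "the client can't have access" can look like on the Node.js side, with Basic credentials checked on every call and the outcome decided from server state only. The names `handlePurchase`, `USERS` and `SHOP`, the sample account and the simplified `req` object are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed sample data; a real server would keep this in its database.
const hash = (pass, salt) => crypto.scryptSync(pass, salt, 32);
const USERS = new Map([
  ['alice', { salt: 'constructed-salt', hash: hash('correct horse', 'constructed-salt'), coins: 50 }],
]);
const SHOP = { sword: 40, castle: 5000 }; // prices exist only on the server

// Decode "Authorization: Basic base64(user:pass)" into its two parts.
function parseBasicAuth(header) {
  if (typeof header !== 'string' || !header.startsWith('Basic ')) return null;
  const decoded = Buffer.from(header.slice(6), 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  return sep < 0 ? null : { user: decoded.slice(0, sep), pass: decoded.slice(sep + 1) };
}

// req is a simplified stand-in (assumption): { encrypted, headers, body }.
// On a real Node https server, `encrypted` corresponds to req.socket.encrypted.
function handlePurchase(req) {
  if (!req.encrypted) return { status: 403, error: 'https required' };
  const creds = parseBasicAuth(req.headers.authorization);
  const account = creds ? USERS.get(creds.user) : undefined;
  // Compare password hashes in constant time; reject unknown users the same way.
  if (!account || !crypto.timingSafeEqual(hash(creds.pass, account.salt), account.hash)) {
    return { status: 401, error: 'bad credentials' };
  }
  let body;
  try { body = JSON.parse(req.body); } catch (e) { return { status: 400, error: 'bad json' }; }
  // Only the intent (which item) is read from the client. Price and balance
  // come from server state, so extra fields such as "price" are ignored.
  if (!body || !Object.prototype.hasOwnProperty.call(SHOP, body.itemId)) {
    return { status: 400, error: 'unknown item' };
  }
  const price = SHOP[body.itemId];
  if (account.coins < price) return { status: 409, error: 'insufficient coins' };
  account.coins -= price;
  return { status: 200, coins: account.coins };
}
```

A replayed or hand-built request with valid credentials is still accepted, but it can only do what the server's own rules allow for that account.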