Applet - server communication - edited code on the applet side - problem!

Rune Andresen

Prestudy: I have an idea of having a server which you can download an applet
from. This applet can communicate with other peers (applets) through the
server it is downloaded from.

Question: My question is: Is there any way to tell that the client hasn't
tampered with the applet code? This is important to make sure nobody is
"cheating".

I know that signed applets can detect edited code from a third party (from
server to client) but is this possible the "other way around" - to make the
server sure that the clients haven't "hacked" the code?

Regards
Rune J.A
 
Matt Humphrey

Rune Andresen said:
Prestudy: I have an idea of having a server which you can download an applet
from. This applet can communicate with other peers (applets) through the
server it is downloaded from.

Question: My question is: Is there any way to tell that the client hasn't
tampered with the applet code? This is important to make sure nobody is
"cheating".

I know that signed applets can detect edited code from a third party (from
server to client) but is this possible the "other way around" - to make the
server sure that the clients haven't "hacked" the code?

The problem is that no matter how you slice it, all you know about the
client is what it tells you over the incoming connection. Certificates can
be used to ensure client identity, but that's not the problem. Rather, you
have an untrustworthy client that could send invalid results over a valid
communication stream.

Let's say your code is protected such that when it computes a result it also
signs (computes an encrypted hash of) the result. When the client sends the
result it would send the signature (encrypted hash) also, which could then
be verified. This doesn't work because the client has access to the
computation algorithm, the signature algorithm and (most importantly) the
signature key. Only time and complexity make it difficult for the client to
create and sign a false result.

On the other hand, if critical computations always take place on a trusted
machine (e.g. your server) you can guarantee the correctness. It's why
online banking lets you send a transaction to it to transfer funds but does
not trust you to compute the current balance for it.

I think the closest you can get will be to have your communications
mechanism encrypt the result with an embedded key and to obfuscate the whole
thing. You may even want to use the byte codes of the methods as the keys in
order to make de-obfuscation even harder. Just remember that security by
obfuscation is no security at all.

Good luck,
Matt Humphrey (e-mail address removed) http://www.iviz.com/
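
Added example, not part of the original thread or any poster's code: a Python sketch of the two designs discussed in the reply above, borrowing its banking analogy. The key value, account names and the `AuthoritativeServer` class are constructed for illustration, and the sender is assumed to be already authenticated.

```python
import hashlib
import hmac

# Constructed key. It ships inside the downloaded client, so every user holds it.
EMBEDDED_KEY = b"constructed-key-embedded-in-client"


def client_tag(result: str) -> str:
    """What the client-side signing code does, whether honest or modified."""
    return hmac.new(EMBEDDED_KEY, result.encode(), hashlib.sha256).hexdigest()


def naive_server_accepts(result: str, tag: str) -> bool:
    """Scheme from the post: accept any result whose tag verifies."""
    return hmac.compare_digest(client_tag(result), tag)


class AuthoritativeServer:
    """Clients send requests; only the server computes balances."""

    def __init__(self, balances: dict[str, int]):
        self._balances = dict(balances)

    def transfer(self, sender: str, recipient: str, amount: int) -> bool:
        # Assumption: sender identity was authenticated before this call.
        # Every field is untrusted input and is checked against server state.
        if sender not in self._balances or recipient not in self._balances:
            return False
        if sender == recipient or not isinstance(amount, int) or amount <= 0:
            return False
        if self._balances[sender] < amount:
            return False
        self._balances[sender] -= amount
        self._balances[recipient] += amount
        return True

    def balance(self, account: str) -> int:
        return self._balances[account]


def demo() -> dict:
    # A valid tag proves possession of the key, not that the result is true.
    claim = "balance=1000000"
    naive = naive_server_accepts(claim, client_tag(claim))
    server = AuthoritativeServer({"alice": 50, "bob": 0})
    rejected = server.transfer("alice", "bob", 1_000_000)  # exceeds server-side balance
    accepted = server.transfer("alice", "bob", 20)
    return {"naive": naive, "rejected": rejected, "accepted": accepted,
            "alice": server.balance("alice"), "bob": server.balance("bob")}
```
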
 
Phil Powell

I can't answer your question but maybe you can answer mine:

How can you get an applet to talk to the servlet, then the servlet to talk
back to the applet, and each talk to one another continuously until the
applet is closed? In other words, a chatroom design?

Thanx Ha det bra!

Phil
 
