Applet - server communication - edited code on the applet side - problem!

Discussion in 'Java' started by Rune Andresen, Sep 17, 2003.

  1. Prestudy: I have an idea having a server which you can download an applet
    from. This applet can communicate with other peers (applets) through the
    server it is downloaded from.

    Question: My question is: Is there any way to tell that the client hasn't
    tampered with the applet code?? This is important to make sure nobody is
    "cheating".

    I know that signed applets can detect edited code from a third party (from
    server to client) but is this possible the "other way around" - to make the
    server sure that the clients haven't "hacked" the code??

    Regards
    Rune J.A
    Rune Andresen, Sep 17, 2003
    #1

  2. "Rune Andresen" <> wrote in message
    news:bka2i3$npl$...
    > Prestudy: I have an idea having a server which you can download an applet
    > from. This applet can communicate with other peers (applets) through the
    > server it is downloaded from.
    >
    > Question: My question is: Is there any way to tell that the client hasn't
    > tampered with the applet code?? This is important to make sure nobody is
    > "cheating".
    >
    > I know that signed applets can detect edited code from a third party (from
    > server to client) but is this possible the "other way around" - to make the
    > server sure that the clients haven't "hacked" the code??


    The problem is that no matter how you slice it, all you know about the
    client is what it tells you over the incoming connection. Certificates can
    be used to ensure client identity, but that's not the problem. Rather, you
    have an untrustworthy client that could send invalid results over a valid
    communication stream.

    Let's say your code is protected such that when it computes a result it also
    signs (computes an encrypted hash of) the result. When the client sends the
    result it would send the signature (encrypted hash) also, which could then
    be verified. This doesn't work because the client has access to the
    computation algorithm, the signature algorithm and (most importantly) the
    signature key. Only time and complexity make it difficult for the client to
    create and sign a false result.

    On the other hand, if critical computations always take place on a trusted
    machine (e.g. your server) you can guarantee the correctness. It's why
    online banking lets you send a transaction to it to transfer funds but does
    not trust you to compute the current balance for it.

    I think the closest you can get will be to have your communications
    mechanism encrypt the result with an embedded key and to obfuscate the whole
    thing. You may even want to use the byte codes of the methods as the keys in
    order to make de-obfuscation even harder. Just remember that security by
    obfuscation is no security at all.

    Good luck,
    Matt Humphrey http://www.iviz.com/
    Matt Humphrey, Sep 17, 2003
    #2
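
Added example, not part of the original thread or any poster's code: a Java sketch of the point made in the reply above, where a tag computed with a key embedded in the client verifies just as well for a false result, next to a server that accepts only inputs and computes the result itself. HMAC-SHA256 stands in for the "encrypted hash"; the key, the `score=` message format and the 1-6 move rule are constructed for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;

public class ClientTrustDemo {
    // Constructed key: in the flawed design it ships inside the applet, so every client holds it.
    static final byte[] EMBEDDED_KEY = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);

    static byte[] tag(String message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(EMBEDDED_KEY, "HmacSHA256"));
        return mac.doFinal(message.getBytes(StandardCharsets.UTF_8));
    }

    // Flawed server check: accepts any result that carries a valid tag.
    static boolean serverAcceptsTaggedResult(String result, byte[] tag) throws Exception {
        return MessageDigest.isEqual(tag(result), tag);
    }

    // Server-authoritative check: the client submits inputs (moves) only;
    // the server validates each one and computes the score itself.
    static int serverComputeScore(List<Integer> moves) {
        int score = 0;
        for (int m : moves) {
            if (m < 1 || m > 6) throw new IllegalArgumentException("illegal move: " + m);
            score += m;
        }
        return score;
    }

    public static void main(String[] args) throws Exception {
        // Unmodified client: honest result, valid tag.
        String honest = "score=9";
        System.out.println("honest accepted: " + serverAcceptsTaggedResult(honest, tag(honest)));
        // Modified client: same key, same algorithm, false result. The tag is still valid.
        String forged = "score=999999";
        System.out.println("forged accepted: " + serverAcceptsTaggedResult(forged, tag(forged)));
        // Server-side computation: a claimed score is never read, only the moves.
        System.out.println("server score:    " + serverComputeScore(List.of(4, 2, 3)));
        try {
            serverComputeScore(List.of(4, 999999));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected:        " + e.getMessage());
        }
    }
}
```

Both tagged results are accepted by the flawed check, which is why the tag proves nothing about the code that produced the result; the server-side path has no claimed result to forge.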

  3. Phil Powell (Guest)

    I can't answer your question but maybe you can answer mine:

    How can you get an applet to talk to the servlet, then the servlet to talk
    back to the applet, and each talk to one another continuously until the
    applet is closed? In other words, a chatroom design?

    Thanx Ha det bra!

    Phil

    "Rune Andresen" <> wrote in message
    news:bka2i3$npl$...
    > Prestudy: I have an idea having a server which you can download an applet
    > from. This applet can communicate with other peers (applets) through the
    > server it is downloaded from.
    >
    > Question: My question is: Is there any way to tell that the client hasn't
    > tampered with the applet code?? This is important to make sure nobody is
    > "cheating".
    >
    > I know that signed applets can detect edited code from a third party (from
    > server to client) but is this possible the "other way around" - to make the
    > server sure that the clients haven't "hacked" the code??
    >
    > Regards
    > Rune J.A
    >
    >
    Phil Powell, Sep 17, 2003
    #3
