Letter to Editor: Response to Florian Mueller's Release re: "Anti-IP"
Posted Aug 26, 2005 20:21 UTC (Fri) by
FlorianMueller (subscriber, #32048)
In reply to:
Letter to Editor: Response to Florian Mueller's Release re: "Anti-IP" by Ross
Parent article:
Letter to Editor: Response to Florian Mueller's Release re: "Anti-IP"
It's a fundamental difference whether you control the server or not. Of course you can never rule out the possibility that a patched client (or a third-party client) connects if that unauthorized client uses your protocol. However, you can completely control whether the server grants access. The server has an account database for that purpose. That way, you at least control the commercially relevant part. Sure, there are ways to get access codes, but that's a problem that can be controlled or at least contained. If someone can program a number generator for access codes, then that's just poor design and can be avoided.
In the client-server software that I'm currently developing, a lot of code (it's .NET on both ends) is used on both sides. The client checks for certain permissions only to give the user the fastest possible feedback (or disallow certain actions in the first place), but it's just for convenience. The server has the final say and performs the same checks again. Typically the server has enhanced versions of the respective objects (by way of inheritance) so that the client code doesn't give away too much information that can be used to search for loopholes.
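The design the comment describes, shared check code on both ends, the client running it only for fast feedback and the server running it again as the final authority over its own account database, as an added illustration that is not Mueller's code (his system is .NET; this is Python) and uses constructed account names, access codes, action names and a hypothetical lock-after-three-denials rule:

```python
"""Shared permission logic, with the server as the only authority.
Constructed example: the accounts, access codes and action names below
are made up for illustration."""
from dataclasses import dataclass


# ---- code shared by client and server ----------------------------------
@dataclass
class Account:
    """The part of an account the client is allowed to know about."""
    name: str
    roles: frozenset


# Which role each action needs. Shipped to the client so it can grey out
# buttons without a round trip; the server holds the same table.
REQUIRED_ROLE = {
    "view_report": "viewer",
    "edit_report": "editor",
    "delete_report": "admin",
}


def is_permitted(account: Account, action: str) -> bool:
    """Identical check on both sides; unknown actions are denied by default."""
    role = REQUIRED_ROLE.get(action)
    return role is not None and role in account.roles


# ---- server only -------------------------------------------------------
@dataclass
class ServerAccount(Account):
    """Server-side subclass: extra state the client never sees."""
    access_code: str = ""
    locked: bool = False
    denied_requests: int = 0


class Server:
    # Assumed policy for this example: three denied requests lock the account.
    LOCK_AFTER = 3

    def __init__(self, accounts):
        # The account database: the only place that decides who gets in.
        self._by_code = {a.access_code: a for a in accounts}

    def handle(self, access_code: str, action: str) -> str:
        acct = self._by_code.get(access_code)
        if acct is None or acct.locked:
            return "rejected: no such session"
        if not is_permitted(acct, action):
            # A well-behaved client never sends these; a run of them from
            # one session is the trace a patched or third-party client leaves.
            acct.denied_requests += 1
            if acct.denied_requests >= self.LOCK_AFTER:
                acct.locked = True
            return f"rejected: {action} not permitted"
        return f"ok: {action}"


# ---- client ------------------------------------------------------------
class Client:
    def __init__(self, server, access_code: str, account: Account):
        self._server = server
        self._code = access_code
        self.account = account  # client's copy: name and roles only

    def request(self, action: str) -> str:
        # Convenience check only: saves a round trip when we know the answer.
        if not is_permitted(self.account, action):
            return "disabled in UI"
        return self._server.handle(self._code, action)


class PatchedClient(Client):
    """A client with the local check removed; the server must still hold."""
    def request(self, action: str) -> str:
        return self._server.handle(self._code, action)


def demo() -> dict:
    roles = frozenset({"viewer", "editor"})
    server = Server([ServerAccount("alice", roles, access_code="code-1")])
    honest = Client(server, "code-1", Account("alice", roles))
    patched = PatchedClient(server, "code-1", Account("alice", roles))
    return {
        "honest_edit": honest.request("edit_report"),
        "honest_delete": honest.request("delete_report"),
        "patched_delete": patched.request("delete_report"),
        "patched_unknown": patched.request("unknown"),
        "guessed_code": PatchedClient(server, "guess", Account("x", frozenset())).request("view_report"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the split is visible in `demo()`: the honest client never sends `delete_report` because its local copy of the check says no, while the patched client does send it and is refused by the same function running on the server. Because the server keeps `denied_requests` and `locked` in `ServerAccount`, the client never learns those fields exist, and the repeated denials give the operator something to alert on.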