Closed HammerGS closed 3 years ago
IP address isn't protected information as EVERY server you connect to gets it. This ISN'T a security concern and the one provided to the server is the last exit point for your connection. Either your end point, a VPN, Tor, etc.
It's a simple enough change but even so, it's not a security issue.
Right, it's more of a common courtesy issue to not broadcast people's IP addresses over twitch streams.
I don't disagree with that. Other than troubleshooting, any reason it should be displayed?
I can't think of any reason off hand. I'd probably say that we can make it an advanced client setting (with false as default), those are pretty simple to add.
Thank you for opening this ticket, I ought to comment on the motivations.
@NickAragua is very much on the nose about the concern of protecting the privacy of a collaborator or a volunteer viewer. All of this is related to on screen visual information, as it is the only thing the general audience has visible. It is possible to avoid showing these values if certain precautions are taken, such as cropping/covering up the window in capture software, or cycling through the messages until the address is out of view, but in the event of sudden connections and disconnections (or simply forgetting), this can come up on the pop-up chat, which is difficult to crop without removing a massive portion of the game screen.
To @rjhancock's point, the server address will very much be known to anyone connecting, and this is the responsibility of the streamer to either host offsite, protect through some kind of endpoint routing, or accept the risks of a known IP. Anyone connecting to the streamer's server will also be exposed, but it is generally accepted that the host will not harvest IPs for nefarious purposes.
In regards to the server IPs being printed as messages during startup, while this is generally not very exposing information, if a server is hosted offsite, it may not be on a local network, with no NAT, depending on the setup. This could mean exposure of the IP on screen. While circumstances vary, some collaborative efforts involve a private hosting between people who agree to mutual privacy, so this may also put some unwanted information on screen. Even if you are on a private subnet (e.g. behind a router), the privacy-minded in me does have some concern, as some nefarious parties have been known to collect every bit of visible information, however small.
I primarily bring these matters up from the viewpoint of a streamer, and this certainly was not a concern until this recent development. Thank you for considering this issue.
OpSec is as much security as anything else, and it's just good security to keep internal addresses secret. Let's say an NLB or firewall fronts MM to keep the servers from being directly addressed, this would be good OpSec given the Java wire protocol.
I'll take this and provide two changes:
@spacer-haywire the fix for this will definitely be in 0.49+, and may be backported to the 0.48.X line.
I believe I found all the places where we publicly log the IP, but if you find any others please re-open this issue.
@sixlettervariables Thank you for this enhancement! I will make sure to test out the scenarios where this was a concern, and will report back if any more are found.
From Reddit:
This may be a bit of an odd question, but has there been any means of preventing Megamek from dumping the IP info of the server and client in the chat box upon start and upon user connection? I have looked through client settings, but found nothing like this. My motivation for this question is one related to privacy during public streams, the Megamek window can technically be cropped in capture software to hide the lower bar/chat, but this also removes the buttons from view (an important learning aspect for viewers), and does nothing in relation to the pop-up chat box that is active on the game screen. (Sidenote: I am aware that most of the IP dump server-side is generally local network data, but this is still something that is private. If someone joins in from an external IP, their IP is shown in chat, which is a concern.) I am ready to look at source code and file a ticket on the Megamek Github regarding this, but I wanted to ask before in case there have been any workarounds related to this.
My current methodology to protect the IP of someone connecting from an external address is to use netcat (or a similar program) to listen on one port, and forward any connections to the Megamek server's actual port, which makes it appear as if a local client joined. However, this still does nothing to protect the server's own IP, as it is dumped upon startup.
Environment
What version of MegaMek does your issue apply to? 0.48.0
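The approach discussed in this thread, an opt-in setting that defaults to off and masks addresses wherever they are shown publicly, can be sketched as a display filter. This is an added example in Python, not MegaMek's own code or the change that closed the issue; the names `public_text`, `show_ip_addresses` and `MASK` are hypothetical, and the sample lines are constructed.

```python
import ipaddress
import re

MASK = "<hidden>"  # placeholder text; constructed for this example

# Runs of hex digits, dots and colons that are not glued to a word.
_CANDIDATE = re.compile(r"(?<![0-9A-Za-z])[0-9A-Fa-f:.]{2,}(?![0-9A-Za-z])")


def _is_ip(text):
    """True only for a syntactically valid IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _mask_token(match):
    token = match.group(0)
    # Try the token as written, then without trailing sentence punctuation.
    for core in (token, token.rstrip(".:")):
        tail = token[len(core):]
        if _is_ip(core):
            return MASK + tail
        # "address:port": hide the address, keep the port.
        host, sep, port = core.rpartition(":")
        if sep and port.isdigit() and _is_ip(host):
            return MASK + sep + port + tail
    return token


def public_text(message, show_ip_addresses=False):
    """Return the message as it may appear in chat or on a stream.

    show_ip_addresses models the opt-in setting (hypothetical name);
    it defaults to False, so IP literals are masked unless asked for.
    """
    if show_ip_addresses:
        return message
    return _CANDIDATE.sub(_mask_token, message)


# Constructed sample lines using documentation-only address ranges.
SAMPLES = [
    "Player Alice connected from /203.0.113.7:51234",
    "Server listening on [2001:db8::1]:2346 at 12:34:56",
    "MegaMek version 0.48.0 started on 198.51.100.20.",
]
```

Candidates are validated with `ipaddress` rather than matched by pattern alone, so timestamps and version strings such as `12:34:56` and `0.48.0` pass through unchanged. Only IP literals are masked; a hostname printed next to the address is left as is.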