Unity-Technologies / com.unity.multiplayer.docs

Open Source documentation for Unity Multiplayer, which includes Netcode for GameObjects, the Unity Transport Package, Multiplayer Tools and Educational references and Sample Games such as Boss Room.
https://docs-multiplayer.unity3d.com/

Feedback for /versioned_docs/version-1.0.0/getting-started/connection-approval.md #441

Closed billw2012 closed 1 year ago

billw2012 commented 2 years ago

The examples for connectionData include passwords and Steam tickets, and the Important note at the bottom strongly suggests NOT sending passwords and Steam tickets. What is the point of this if not for sending such data?!

Briancoughlin commented 2 years ago

@billw2012 I get your point, but we have to explain that this type of communication is vulnerable to a man-in-the-middle type attack. I will poke the team and see if we can find a better example of what data should/could be sent via connectionData.

Briancoughlin commented 2 years ago

@LukeStampfli can we come up with a better example of what data could be sent that won't fall foul of the warning note?

billw2012 commented 2 years ago

FYI, this PR didn't address this issue at all; it still has the exact same example of how it could be used for a Steam authentication ticket, followed almost directly by saying to NOT use it for that.

s-omeilia-unity commented 2 years ago

@billw2012 Let me circle back with the dev who worked on this issue and remedy this.

s-omeilia-unity commented 1 year ago

Language updated for connection approval warning added at top of doc as well as in the Security section.

Warning: Netcode for GameObjects (NGO) does not encrypt or authenticate any of the raw information sent over connection approval. To prevent man-in-the-middle attacks, you should AVOID sending authentication tokens (such as Steam tickets or user passwords) over connection approval without additional safety precautions.

The examples in this article are to illustrate how NGO does not protect any connection data, and does not show how to incorporate encryption, authentication, or some other method of data security.

This will be part of the live documentation with the publish of this PR: https://github.com/Unity-Technologies/com.unity.multiplayer.docs/pull/1059
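
One possible shape for the "additional safety precautions" the warning mentions, as an added example that is not from this thread, the NGO documentation or Unity: instead of a password or Steam ticket, connectionData carries a short-lived, single-use ticket that a backend issued after authenticating the player. The `JoinTicket` class, its byte layout, the shared key and the demo values are assumptions; the payload still travels unencrypted, so this only limits what a captured value is worth.

```csharp
using System;
using System.Buffers.Binary;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example; JoinTicket and its layout are assumptions, not NGO or Unity API.
// Ticket: accountId(8) | expiryUnix(8) | nonce(16) | HMAC-SHA256 tag(32), big-endian.
public sealed class JoinTicket
{
    const int BodyLen = 32, TagLen = 32;
    readonly byte[] _key, _serverId;   // key is known only to the backend and this server
    readonly HashSet<string> _seen = new HashSet<string>();   // evict expired nonces in real use
    public JoinTicket(byte[] key, string serverId) { _key = key; _serverId = Encoding.UTF8.GetBytes(serverId); }
    byte[] Tag(ReadOnlySpan<byte> body)   // tag covers serverId, so a ticket is valid on one server only
    {
        var msg = new byte[_serverId.Length + body.Length];
        _serverId.CopyTo(msg, 0);
        body.CopyTo(msg.AsSpan(_serverId.Length));
        using (var h = new HMACSHA256(_key)) return h.ComputeHash(msg);
    }
    public byte[] Issue(ulong accountId, DateTimeOffset expires)   // backend side, after a real login over TLS
    {
        var t = new byte[BodyLen + TagLen];
        BinaryPrimitives.WriteUInt64BigEndian(t.AsSpan(0, 8), accountId);
        BinaryPrimitives.WriteInt64BigEndian(t.AsSpan(8, 8), expires.ToUnixTimeSeconds());
        RandomNumberGenerator.Fill(t.AsSpan(16, 16));
        Tag(t.AsSpan(0, BodyLen)).CopyTo(t, BodyLen);
        return t;
    }
    public bool TryVerify(byte[] payload, DateTimeOffset now, out ulong accountId)   // game-server side
    {
        accountId = 0;
        if (payload == null || payload.Length != BodyLen + TagLen) return false;
        var body = payload.AsSpan(0, BodyLen);
        // Constant-time comparison of the recomputed tag with the received one.
        if (!CryptographicOperations.FixedTimeEquals(Tag(body), payload.AsSpan(BodyLen))) return false;
        if (BinaryPrimitives.ReadInt64BigEndian(body.Slice(8, 8)) < now.ToUnixTimeSeconds()) return false;
        if (!_seen.Add(Convert.ToBase64String(payload, 16, 16))) return false;   // single use
        accountId = BinaryPrimitives.ReadUInt64BigEndian(body);
        return true;
    }
    static void Main()   // constructed demo values
    {
        var v = new JoinTicket(Encoding.UTF8.GetBytes("constructed-demo-key"), "server-1");
        var ticket = v.Issue(42, DateTimeOffset.UtcNow.AddSeconds(30));
        Console.WriteLine(v.TryVerify(ticket, DateTimeOffset.UtcNow, out _));   // first presentation
        Console.WriteLine(v.TryVerify(ticket, DateTimeOffset.UtcNow, out _));   // same ticket again
    }
}
```

On the game server, the bytes received as the connection approval payload would be passed to `TryVerify`, and the connection approved only when it returns true.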