

Ask HN: Can we design secure games using HTML5? - digamber_kamat

Everyone seems to be preferring HTML5 over Flash. It is a good idea for most of the things. But then what about the games? If the source code is loaded in the browser we could easily manipulate it and change the gaming experience.

I am the highest scorer on many HTML5 games without even playing the game.

How can we add security to HTML5 games so that no one can actually manipulate the gameplay?
======
ricardobeat
I've been through this questioning a few years ago. The conclusions:

1. generate a one-off .js file with a salted hashing function. keep the salt
variable in a "private" scope, remove the script from the DOM as soon as it
loads or use XHR

2. keep track of game progress and player history, validate scores

3. obfuscate scoring beyond the hashing (false messages, symbols, etc)

4. don't calculate scores on the client, send player positions or something
else instead (not possible for most games)

You can go around all of this though. It seems impossible to prevent
manipulation completely, you can only raise the effort necessary to accomplish
it. In consoles this is solved by closed platforms - PC games are still victim
to cheating.

For that project, we ended up doing nothing and manually deleting suspicious
scores from the database. Worked fine :)
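
Points 2 and 4 of the comment above (validate scores against tracked progress; send inputs rather than scores) can be combined as server-side replay validation. The following is an added example, not part of the original comment or of any project mentioned in the thread; the grid game, its rules, `MIN_MOVE_MS` and all function names are hypothetical.

```javascript
// Added example (hypothetical game and names): the client submits its moves,
// and the server replays them to recompute the score instead of trusting it.
const crypto = require("node:crypto");

const GRID = 8;          // assumed board size
const MIN_MOVE_MS = 50;  // assumed lower bound on time between human moves
const DIRS = new Map([["U", [0, -1]], ["D", [0, 1]], ["L", [-1, 0]], ["R", [1, 0]]]);

// Derive the coin layout from a server-held secret and the session id, so the
// server can rebuild the level without storing it or trusting the client.
function coinLayout(secret, sessionId, count = 10) {
  const coins = new Set();
  for (let i = 0; coins.size < count; i++) {
    const h = crypto.createHmac("sha256", secret).update(`${sessionId}:${i}`).digest();
    const cell = `${h[0] % GRID},${h[1] % GRID}`;
    if (cell !== "0,0") coins.add(cell); // the player starts on 0,0
  }
  return coins;
}

// Replay the submitted moves; return a verdict and the server-computed score.
function validateRun(secret, sessionId, run) {
  if (!run || !Array.isArray(run.moves)) return { ok: false, reason: "malformed" };
  const coins = coinLayout(secret, sessionId);
  let x = 0, y = 0, score = 0, lastT = -Infinity;
  for (const m of run.moves) {
    const d = m && DIRS.get(m.dir);
    if (!d || !Number.isFinite(m.t)) return { ok: false, reason: "malformed" };
    if (m.t - lastT < MIN_MOVE_MS) return { ok: false, reason: "too fast" };
    lastT = m.t;
    x += d[0];
    y += d[1];
    if (x < 0 || y < 0 || x >= GRID || y >= GRID) return { ok: false, reason: "out of bounds" };
    if (coins.delete(`${x},${y}`)) score += 10; // each coin counts once
  }
  if (score !== run.claimedScore) return { ok: false, reason: "score mismatch", score };
  return { ok: true, score };
}
```

The timestamps here are client-supplied, so a server would also compare the run's duration with its own session clock. As the comment says, this raises the effort needed rather than ruling out a bot that submits legal moves.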

~~~
ricardobeat
This sounds interesting too:
[http://www.cryptovirology.com/cryptovfiles/newbook/Chapter6....](http://www.cryptovirology.com/cryptovfiles/newbook/Chapter6.pdf)

------
ftwinnovations
I'm right there with you in looking for solutions. As owner and lead developer
for nitrotype.com (competitive real time online typing) and funtotype.com
(soon there will be a real time scoreboard for competing).

At the moment we do all development in flash, not only because it allows for
old IE support, but because I am able to salt+hash the scores sent to the
server to verify the data but this is all done in flash.

In JS I'm stymied. Every scheme I can come up with I could easily defeat. No
level of obfuscation is really that difficult to reverse. Hopefully somebody
else has better input!

~~~
ricardobeat
There are plenty of tools allowing manipulation of Flash too, pausing
execution, changing variable values, intercepting network requests...

------
Joakal
Sounds like a good attempt at using homomorphic encryption?

