Protected Module Service Alpha Testers


#21

I appreciate your willingness to help the community out with things like this. I for one was very dissapointed to find out they were removing modules, because I had created a complex module system to deal with blacklisting and other things, and only 5 days later did they make that announcement haha. However, I believe it was the right call as the backdoor module problem has really grown quickly and almost every front page plugin was a backdoor. Additionally, I think it is crazy to be able to modify a module and have it replicate to every game without the game owner even knowing. I may try this service out to see how it is, but currently I just rely on obfuscation or people being good samaritans and not leaking my code. I’ll let you know in the future if I am interested!


#22

The web server immediately creates a new thread for every https connection. When requests are for a protected module, that module runs in a new process. The debian linux OS handles scheduling them and swapping them out when needed. If server resources become too strained, a new instance can be spun up with an ECS application load balancer to sort based on the HTTP URI.

An interesting point. If I ever do decide that I’d like to move on, I’d be sure to hire someone capable. I don’t see myself moving on though because it is voluntary work with compensation. :slight_smile:

If it becomes a problem, I’ll look into it some more. It is on the login page mainly to prevent people from running password scans. For registration, you will be required to post a link on your Roblox profile. That means that at the minimum, my services bot prevention is as strong as Roblox’s.

Thank you. :wink:

Yes. The public key algorithm was RSA as well. That is the 256 bit AES with ECDHE and RSA is the only OpenSSL option my server has enabled.

Yeah. I remember when Blizzard entertainment had their breach and user information was leaked. Luckily, they hashed everyone’s password.

I’ll have to think on this some more. An excellent thought.


#23

What I said about you having no commitments to actually deliver or continue might have come off wrong.

I meant like if you don’t want to continue delivering the service, you don’t really have to. It was just a heads up for other people, so they were aware.

I hope you do, though, because everything else (AFAIK) seems good enough.


#24

I have one more question, couldn’t we just make the module we upload on there be require(id) lol


#25

This is a replacement for closed source modules. Requiring a module from February 1st on will error if you don’t own it, meaning you can’t hide your source code. This is meant to give that functionality w/o allowing backdoors.


#26

I’d like game owners to use my loader for a reason. I could, however, make my loader a module that returns a function which acts like require and takes in a protected module id.

Here are the reasons a custom loader is desired:

  1. I can setup the connection to your protected module for you. This includes starting another instance of your protected module and setting up the RemoteFunction like object to be passed into your public module code. It also provides a good time to setup the event to remove this additional instance when the server shuts down. This connection setup procedure may change over time, so it is best if I control it and hide it from users.
  2. This also allows me to add additional game-specific protections if the game owners desire it. This may include sandboxing your public module to impose restrictions like maximum run time per game step, or restricting access to instances and library functions.
  3. Adding an additional layer allows me to add or remove features as I see fit and the service grows. It has been well said: “All problems in computer science can be solved by another level of indirection”

I could see using a protected module being as easy as this:

local protRequire = require(1234567) -- my public loader (not a real id rn)
local protModule = protRequire(4125) -- your protected module id
-- use protModule like a regular module

#27

Alpha testers can now register and log in. Passwords are hashed with Sha256 (Edit: PKCS5_PBKDF2_HMAC) before being saved in the database, along with a salt based on the hash of the username. In addition, I’ve made a discord channel or additional questions and announcements so that those without access to the dev forum may participate: https://discord.gg/78aB2tx


#28

Shouldn’t you use something like BCrypt, or something more secure than SHA256?

“bcrypt has a significant advantage over a simply salted SHA-256 hash: bcrypt uses a modified key setup algorithm which is timely quite expensive. This is called key strengthening, and makes a password more secure against brute force attacks, since the attacker now needs a lot more time to test each possible key.”


#29

Is information sent to the server and to the game server encrypted both ways? If not why?


#30

:thinking:
image

Seems like your site does not work?

EDIT: Would also tell you that you must choose certificate to connect with, and using a phone emulator and the menu is 2/10th of the screen.
Also insecure use of headers, I recommend you check out some guides for what headers you should use to make your site even more secure.


#31

I guess one concern I would have if I were you is - what happens if roblox provides an alternative to private modules, or an improved system in the near future?


#32

SHA256 is an industry standard. BCrypt is not included in then openSSL library and I would be very hesitant to leave industry standards. I’ll be switching to PKCS5_PBKDF2_HMAC as recommended above though.

Yes, it will be. I’ll begin working on that this week.

Haha, it is designed to fail early and often rather than let things slip by. I’ll be working on better error handling once the core features are in place. I’m assuming that after refreshing you were able to log in?

I’m not interested in supporting mobile device at this time: Roblox studio is desktop only, and so is my website.

I’m sorry? What do you mean. The server is sending its certificate out and RSA is being used.

I’m assuming you are discussing caching, sniffing, and like matters. The security is in place, the headers only politely ask attackers to stay away. I’ll look into it in the future after the core functionality is present, but if you feel that it should be more of a priority, feel free to send me a message.

My intent isn’t to benefit from the community, but to provide a bridge and help out in a time of need. That being said: the sooner Roblox offers a replacement, the better. There is an argument to be made for commercialization of features though, much like businesses taking over where the government used to manage. For that to be a success though, even I must admit that competition is needed.


#33

Apologies, but I had to choose a certificate upon visiting your site for the first time.


#34

It is set to verify client certificates if they are supplied, perhaps your browser asked which one you wanted to supply? You shouldn’t need to add a certificate, if so then you may be victim to a man in the middle attack.


#35

as with the recaptcha thing, there are services that will solve funcaptchas and ways to get around them aswell.
i don’t see your point


closed #36

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.