Security Questions & Concerns

Forum for bugs and technical problems.

Postby tankenka » Sat Mar 09, 2013 8:05 pm

So, question...

WHY does this program require -unrestricted- access to my files, folders, computer (microphone, web-cam, etc)... no way in hell would any sane person who values their privacy even in the smallest amount (or the security of their system, for that matter) install this...

So~ yah, why does this program need that kind of access? This could easily run server-side with only a small plugin that doesn't require that kind of access...

1 - "This application will run with unrestricted access to your personal files and other facilities (webcam, microphone) on your computer."
2 - "The publisher name is unverified and therefore listed as UNKNOWN. Run this application only if you trust the source (web site) the application is from."
3 - "The digital signature was generated with an untrusted certificate."
4 - "Although the application has a digital signature, the application's associated file (JNLP) does not have one. A digital signature ensures that a file is from the vendor and that it has not been altered."

Not only that ~ but this program runs with the SHA-1 algorithm which is the -least- secure of the SHA security-encryption protocols.

1 - Uh, no.
2 - This isn't too bad ~ considering the activity of the forums.
3 - This is worrisome.
4 - Why do the associated files not have certificates?

And why are you using an outdated and proven to be hackable and flawed security-encryption algorithm?
tankenka
 
Posts: 1
Joined: Sat Mar 09, 2013 7:55 pm

Re: Frequently Asked Questions - Read before posting :)

Postby Procne » Sat Mar 09, 2013 8:15 pm

Every game you start runs with unrestricted access to your files. Why is this one game causing problems for you? Or do you not play any other games?

edit: And where did you read that it uses the SHA-1 algorithm?
Procne
 
Posts: 3696
Joined: Mon Sep 03, 2012 11:34 pm

Re: Frequently Asked Questions - Read before posting :)

Postby MagicManICT » Sun Mar 10, 2013 11:19 pm

Help! is not really an appropriate place for this set of questions. Help is a section for new player questions, but not really sure where to move it to, so I'll move to Bugs & Technicalities for now. An overall summary of security decisions might be appropriate for a FAQ, but I think you're looking for more information than this.
I am a moderator. I moderate stuff. When I do, I write in this color.
JohnCarver wrote:anybody who argues to remove a mechanic that allows "yet another" way to summon somebody is really a carebear in disguise trying to save his own hide.
MagicManICT
 
Posts: 5088
Joined: Wed Aug 01, 2012 1:46 am

Re: Security Questions & Concerns

Postby almo » Fri Mar 15, 2013 12:32 am

I have the same concerns. This Java app wants access, but its security certificate is self-signed and not trusted.
almo
 
Posts: 1
Joined: Fri Mar 15, 2013 12:31 am

Re: Security Questions & Concerns

Postby Procne » Fri Mar 15, 2013 1:05 pm

I will repeat - every game you run gets access to your files. And they don't even ask for it, whether it's an MMO or not. They need it to save game progress or to update themselves.

In the case of this game, Java provides an additional warning, as the game itself is downloaded from the internet. I don't think it's any less secure than all the apps you download from the internet and then run on your PC.

So, do you not run apps from the internet in general, that you are worried by this? Or do you run only the ones downloaded from secured sites (like https) and verify their certificates and MD5s?
Procne
 
Posts: 3696
Joined: Mon Sep 03, 2012 11:34 pm

Re: Security Questions & Concerns

Postby dreamerboy6 » Mon Mar 18, 2013 10:23 pm

Yeahhh... I too am concerned about all 4 of the issues raised by the OP. Why have the concerns not been properly addressed? Even if "all games have unrestricted access", combined with the other 3 issues I'm concerned enough to wait until official answers have been posted. I can just as easily play console games until then, without potentially compromising my PC's security.
dreamerboy6
 
Posts: 2
Joined: Mon Mar 18, 2013 9:59 pm

Re: Security Questions & Concerns

Postby MagicManICT » Tue Mar 19, 2013 5:07 am

In my opinion, the issues the OP expresses really can't be easily addressed here. To properly address them will take quite the write up on network security, the decisions on why the various decisions were made in developing certain "guarantees" on using the internet, etc. Anything else is just glossing over the matter, and for that, there's a ton of information out there on Java security already.

I think I expressed this earlier: the issue with the security algorithms used is completely dependent upon what is being "secured" by said algorithms. I'm sure if anyone is decent at reading code they could find the client source and figure it out if they're truly interested.
MagicManICT
 
Posts: 5088
Joined: Wed Aug 01, 2012 1:46 am

Re: Security Questions & Concerns

Postby dreamerboy6 » Tue Mar 19, 2013 6:57 am

According to my programmer friend, issues 3 and 4 seem relatively easy to remedy. Is no effort going to be made to use trusted certificates and make sure the JNLP file has a digital signature? Even after having enjoyed previous Paradox Interactive games, I find it disconcerting to get security warnings like these, stating that the digital signature was generated with an untrusted certificate, and implying that without a digital signature on the JNLP file one cannot be certain the file has not been altered.
dreamerboy6
 
Posts: 2
Joined: Mon Mar 18, 2013 9:59 pm

Re: Security Questions & Concerns

Postby Kandarim » Tue Mar 19, 2013 6:30 pm

dreamerboy6 wrote: According to my programmer friend, issues 3 and 4 seem relatively easy to remedy. Is no effort going to be made to use trusted certificates and make sure the JNLP file has a digital signature? Even after having enjoyed previous Paradox Interactive games, I find it disconcerting to get security warnings like these, stating that the digital signature was generated with an untrusted certificate, and implying that without a digital signature on the JNLP file one cannot be certain the file has not been altered.


I have already made a post explaining digital signatures and their implications/costs etc ... let me see if I can find it again.

edit: it was less bodily than I remember.
Bottom line is, why would a company pay for a trusted certificate? I never got this. In any case, if you're using Ender's client, an official certificate is (understandably) completely out of the question.

So, going through your list:

1) Every game requires this. This one is just friendly enough to ask in advance.
2-3) amount to the same certificate problem, see above
4) agreed, there is no reason not to protect the JNLP. But then again, that should be alright, since the Java code asks permission separately
I have neither the crayons nor the time to explain it to you.
JC wrote:I'm not fully committed to being wrong on that yet.
Kandarim
Customer
 
Posts: 5321
Joined: Mon Jan 21, 2013 4:18 pm
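
Added example, not part of the original thread and not the game's own code: a Python sketch that maps the warnings discussed above to things a user can inspect in a Java Web Start download, namely whether the JNLP requests all-permissions (warning 1), whether the JAR carries a signature block, whether a signed copy of the JNLP is embedded in the JAR (warning 4), and which digest algorithm the signature file uses (the SHA-1 question). The JNLP, URLs, file names and JAR contents are constructed placeholders.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample JNLP (hypothetical URLs and names, not the game's real launcher).
SAMPLE_JNLP = """<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="https://example.invalid/game" href="client.jnlp">
  <information><title>Sample client</title><vendor>Example</vendor></information>
  <security><all-permissions/></security>
  <resources><jar href="client.jar" main="true"/></resources>
</jnlp>"""


def build_sample_jar(sign_jnlp=False):
    """Build a constructed in-memory JAR laid out like a jarsigner-signed archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")
        jar.writestr("META-INF/SELFSIGN.SF",
                     "Signature-Version: 1.0\r\nSHA1-Digest-Manifest: AAAA\r\n\r\n"
                     "Name: Client.class\r\nSHA1-Digest: BBBB\r\n")
        jar.writestr("META-INF/SELFSIGN.RSA", b"placeholder signature block")
        jar.writestr("Client.class", b"\xca\xfe\xba\xbe")
        if sign_jnlp:
            # A signed JNLP is a copy of the launch file stored inside the signed main JAR.
            jar.writestr("JNLP-INF/APPLICATION.JNLP", SAMPLE_JNLP)
    return buf.getvalue()


def audit(jnlp_text, jar_bytes):
    """Report the structural facts behind warnings 1 and 4 and the digest algorithms used."""
    root = ET.fromstring(jnlp_text.encode("utf-8"))
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        sf_text = "".join(jar.read(n).decode("utf-8", "replace")
                          for n in names if re.fullmatch(r"META-INF/[^/]+\.SF", n, re.I))
    return {
        "all_permissions": root.find("./security/all-permissions") is not None,
        "jar_signed": any(re.fullmatch(r"META-INF/[^/]+\.(RSA|DSA|EC)", n, re.I) for n in names),
        "jnlp_signed": "JNLP-INF/APPLICATION.JNLP" in names,
        "digests": sorted(set(re.findall(r"^([A-Za-z0-9-]+)-Digest(?:-Manifest)?:", sf_text, re.M))),
    }
```

This only inspects structure: it does not prove the signature is valid or show who issued the certificate. Running `jarsigner -verify -verbose -certs` on the downloaded JAR performs the cryptographic check and prints the signer's certificate.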

Re: Security Questions & Concerns

Postby Procne » Tue Mar 19, 2013 6:55 pm

I think the point is - OP doesn't want the game to be "safer" because he doesn't really understand the warning Java gave him, nor did he care enough to research it. He only wants the warning to be gone. Then he will be happy. But then this is a wrong place for complaints like this. It should be taken to Oracle / Java forums.
Procne
 
Posts: 3696
Joined: Mon Sep 03, 2012 11:34 pm
