Custom Cloud Servers

Basic88

[post removed]

Last edited by Basic88 (March 14, 2021 05:00:21)

Chiroyce

EDIT: The server owner can log your IP addresses as the request is coming directly from you!
BIG no support. Thanks to fdreerf for making me realize this!

Your PC –> wss –> their server (logs IP) –> data goes through –> back to you.

Last edited by Chiroyce (March 14, 2021 06:28:00)

fdreerf

Not everyone knows the basics of data security and I feel like this would be vulnerable to plenty of attacks to have these projects stop working, which is some ultra-form of griefing. That, and not many people have spare machines lying around that are good enough to be a dedicated server, and are smart enough to figure this out.

Last edited by fdreerf (March 14, 2021 06:07:54)

Chiroyce

 [removed]

Last edited by Chiroyce (March 14, 2021 06:23:46)

fdreerf

Chiroyce wrote:
So why can't this be an extension?

You can't use decade old exploits to make projects with 2D lists stop working, and this is infinitely more complex. How many people on Scratch can tell you what an IP address even is?

Chiroyce

fdreerf wrote:
Chiroyce wrote:
So why can't this be an extension?
You can't use decade old exploits to make projects with 2D lists stop working, and this is infinitely more complex. How many people on Scratch can tell you what an IP address even is?

Chiroyce wrote:
EDIT: They can log your IP addresses as the request is coming directly from you!

BIG no support. Thanks to fdreerf for making me realize this!

TopCode

Chiroyce wrote:
EDIT: The server owner can log your IP addresses as the request is coming directly from you!
BIG no support. Thanks to fdreerf for making me realize this!
Your PC –> wss –> their server (logs IP) –> data goes through –> back to you.

man, wait until you hear about the internet and online video games

Chiroyce

TopCode wrote:
man, wait until you hear about the internet and online video games

bruh, that goes to a proper company! here the server owner is a regular human being without a privacy policy!

Google, Scratch and other companies and organizations have a “Privacy Policy”, which in this case the server owner doesn't provide, which means they can do anything with the data that is sent to them.

Last edited by Chiroyce (March 14, 2021 14:37:06)

TopCode

Chiroyce wrote:
TopCode wrote:
man, wait until you hear about the internet and online video games
bruh, that goes to a proper company!

does it always? The internet isnt exclusively large companies, and even on video games with closed servers that are only supposed to go through them(which is fairly rare) there are ways to connect to custom/private servers.

This may come as a surprise to you, but many online games have local server hosting abilities, and i dont just mean the “host” rank where you can kick people and stuff.

As for “no privacy policy” scratch can just give them one and say you have to follow this, same as they give you the ToU and say you have to follow this.

Last edited by TopCode (March 14, 2021 14:40:25)

Chiroyce

TopCode wrote:
As for “no privacy policy” scratch can just give them one and say you have to follow this, same as they give you the ToU and say you have to follow this.

Bruh, what can the ST do if a server host doesn't follow it? They can't tell any authorities as they don't have much contact details, unlike a company or organization where employers are paid, and if they break rules, they will have the persons address to find them.

Any game published on the Microsoft/Chrome/Google Play or Apple App store requires a privacy policy to be published.
Any website will require a certified company to give them a “valid certificate” saying that the have a privacy policy and will follow rules, otherwise the website will be flagged as “Not Secure” and most people will not visit it.

Scratch has a valid certificate issued by “Sectigo Limited” as seen here from a screenshot I've taken from Firefox's Page Info

So, the Scratch domain will not be flagged as “Not Secure” so people will visit it.
But when a custom server is used; i.e, the project will be sending User Info to a remote IP address which belongs to the server host - and that server host isn't verified. This is where a problem arises.

TopCode

Chiroyce wrote:
But when a custom server is used; i.e, the project will be sending User Info to a remote IP address which belongs to the server host - and that server host isn't verified. This is where a problem arises.

a) the only user info would be an ip, which you cant really do much with it if the person has a firewall(which basically everyone does) and b) as i said, its not like its any outlandish idea thats never been done before or always ends up failing.

Chiroyce

TopCode wrote:
a) the only user info would be an ip, which you cant really do much with it if the person has a firewall(which basically everyone does) and b) as i said, its not like its any outlandish idea thats never been done before or always ends up failing.

I found another problem -

When you send data to the Scratch cloud server, the server has to verify it's you and you're a scratcher, so when you ask for a Cloud Variable you automatically send your “sessionID” along with it so Scratch knows it's you.
If this occurs with the custom server, then if the server host gets your sessionID, they can access ANYTHING in your Scratch account as they now have your valid sessionID!

So how would user verification take place with this issue?

TopCode

Chiroyce wrote:
TopCode wrote:
a) the only user info would be an ip, which you cant really do much with it if the person has a firewall(which basically everyone does) and b) as i said, its not like its any outlandish idea thats never been done before or always ends up failing.

I found another problem -
When you send data to the Scratch cloud server, the server has to verify it's you and you're a scratcher, so when you ask for a Cloud Variable you automatically send your “sessionID” along with it so Scratch knows it's you.

If this occurs with the custom server, then if the server host gets your sessionID, they can access ANYTHING in your Scratch account as they now have your valid sessionID!

So how would user verification take place with this issue?

The server would never get your sessionid, scratch would verify that you are you. This is how its done for games like Minecraft. As stated its not like this is some outlandish idea thats never been done before or always ends up failing.

Chiroyce

TopCode wrote:
The server would never get your sessionid, scratch would verify that you are you.

How would that work? We aren't sending any data to Scratch in the first place!

Regarding the underlined parts of the quote: It also has to verify if we're a Scratcher and not a "New Scratcher".

TopCode

Chiroyce wrote:
TopCode wrote:
The server would never get your sessionid, scratch would verify that you are you.
How would that work? We aren't sending any data to Scratch in the first place!

no idea where you got that idea, but that's not how it would work. You would still need to send data to scratch if you made a comment, hearted or favorited, went to another web page, remember, this would only be for cloud variables, not the entire website

Last edited by TopCode (March 14, 2021 15:25:08)

Chiroyce

TopCode wrote:
You would still need to send data to scratch if you made a comment, hearted or favorited, went to another web page, remember, this would only be for cloud variables, not the entire website

The main point of this suggestion is to send data only to the Custom Server and not Scratch.

TopCode

Chiroyce wrote:
TopCode wrote:
You would still need to send data to scratch if you made a comment, hearted or favorited, went to another web page, remember, this would only be for cloud variables, not the entire website
The main point of this suggestion is to send data only to the Custom Server and not Scratch.

no its not, its clearly about “cloud variables” not all data. If you are misunderstanding it and think that its about making 100% of scratch p2p then thats probably why you are so concerned about security issues.

Last edited by TopCode (March 14, 2021 15:59:24)

reallysoftuser

Why was my post closed for being a duplicate of this? I've explained clearly why it isn't one.

TopCode

reallysoftuser wrote:
Why was my post closed for being a duplicate of this? I've explained clearly why it isn't one.

the only difference is that yours would allow for usage of multiple servers

reallysoftuser

TopCode wrote:
reallysoftuser wrote:
Why was my post closed for being a duplicate of this? I've explained clearly why it isn't one.
the only difference is that yours would allow for usage of multiple servers

So it is a different suggestion. It should be reopened.

Discuss Scratch