[MUD-Dev] Re: Trusting the Client (Re: Laws of Online World Design)

Tue Oct 13 19:19:22 CEST 1998

On Mon, Oct 12, 1998 at 11:33:44PM -0700, mark at erdos.Stanford.EDU wrote:
> I'd like to share a few ideas about this "law":
>   Never trust the client.
>    Never put anything on the client. The client is in the hands of the
>    enemy. Never ever ever forget this.
> 
> While I agree the sentiment is a good one, I believe there is more leeway
> here than one might think.  A more restricted law might be: "Never put
> anything you desire to be secret on the client."
> 
> Now, while the server has no control over what the client (or 
> pseudo-client) actually _does_, it certainly has control over what changes
> it allows the client to make on the server state.  I believe this can
> be taken advantage of in the following way.
> 
> Consider a simple scenario: Bubba enters a room containing a monster,
> Boffo.  Bubba attacks Boffo and slays him in one hit, takes his gold,
> and exits the room.
> 
> 1. When Bubba enters the room, the entire room state (including Boffo)
>    is downloaded to his client, along with a random number seed.
> 
> 2. The game procedes as "normal", but with all computation done on the client.
>    Every command Bubba enters is logged.
> 
> 3. When Bubba leaves the room, the room state (and Bubba's updated state)
>    is sent back to the server.  Since the game is deterministic (given
>    the random number seed and the "inputs"--- Bubba's commands), the
>    server can "audit" the new state by replaying the events and see if the 
>    original algorithm has been followed.
> 
> A more "trusting" version of this scheme might merely check certain
> invariants: no more total gold at the end of the client session than
> before, etc.

Given that I have all the information I need to compute the happenings until
I leave the room, I, the unscrupulous player, will patch my client so that
I can preview the outcome of the fight in accelerated time.  Therefore, I will
know the outcome immediately.  If there is some chain of commands that I can
enter to come to a winning outcome, I can simulate them ahead of time and find
the optimal solution and execute it.  If I know I must lose, I will leave
beforehand and the server will be none-the-wiser.

Just one possible abuse when you allow the server to have all the information
it needs to do computations (especially computations based on input) on its
own.

You might think that this is a bit far-fetched...  Well, consider some of
the cheats people have written for quake that id Software didn't consider.
If your game gets popular and competitive enough, and people are giving away
Ferarri's to the winner...  who knows?  8')