Ask HN: Can we design secure games using HTML5?

12 points by digamber_kamat ↗ HN
Everyone seems to be preferring HTML5 over Flash. It is a good idea for most of the things. But then what about the games? If the source code is loaded in the browser we could easily manipulate it and change the gaming experience.

I am the highest scorer on many HTML5 games without even playing the game.

How can we add security to HTML5 games so that no one can actually manipulate the gameplay ?

6 comments

[ 4.1 ms ] story [ 26.4 ms ] thread
I'm right there with you in looking for solutions. As owner and lead developer for nitrotype.com (competitive real time online typing) and funtotype.com (soon there will be a real time scoreboard for competing).

At the moment we do all development in flash, not only because it allows for old IE support, but because I am able to salt+hash the scores sent to the server to verify the data but this is all done in flash.

In JS I'm stymied. Every scheme I can come up with I could easily defeat. No level of obfuscation is really that difficult to reverse. Hopefully somebody else has better input!

There are plenty of tools allowing manipulation of Flash too, pausing execution, changing variable values, intercepting network requests...
In my experience Flash is not much more secure. Looking at your app for example, it seems the hash you are using is not a function of raceId or timestamp so there is potential for replay (e.g. reuse precomputed hashes). Also, is it possible that the salt starts with "209adk"? :)

As far as a better solution, maybe using of dynamic script loading, maybe unique salt/session along with strong server side synchronization. Desktop games are faced with similar challenges, even if the path is much harder given the amount of reverse engineering required.

I've been through this questioning a few years ago. The conclusions:

1. generate a one-off .js file with a salted hashing function. keep the salt variable in a "private" scope, remove the script from the DOM as soon as it loads or use XHR

2. keep track of game progress and player history, validate scores

3. obfuscate scoring beyond the hashing (false messages, symbols, etc)

4. don't calculate scores on the client, send player positions or something else instead (not possible for most games)

You can go around all of this though. It seems impossible to prevent manipulation completely, you can only raise the effort necessary to accomplish it. In consoles this is solved by closed platforms - PC games are still victim to cheating.

For that project, we ended up doing nothing and manually deleting suspicious scores from the database. Worked fine :)

Sounds like a good attempt to using homomorphic encryption?