Ask HN: Can we design secure games using HTML5?
Everyone seems to be preferring HTML5 over Flash. It is a good idea for most of the things. But then what about the games? If the source code is loaded in the browser we could easily manipulate it and change the gaming experience.
I am the highest scorer on many HTML5 games without even playing the game.
How can we add security to HTML5 games so that no one can actually manipulate the gameplay ?
6 comments
[ 4.1 ms ] story [ 26.4 ms ] threadAt the moment we do all development in flash, not only because it allows for old IE support, but because I am able to salt+hash the scores sent to the server to verify the data but this is all done in flash.
In JS I'm stymied. Every scheme I can come up with I could easily defeat. No level of obfuscation is really that difficult to reverse. Hopefully somebody else has better input!
As far as a better solution, maybe using of dynamic script loading, maybe unique salt/session along with strong server side synchronization. Desktop games are faced with similar challenges, even if the path is much harder given the amount of reverse engineering required.
1. generate a one-off .js file with a salted hashing function. keep the salt variable in a "private" scope, remove the script from the DOM as soon as it loads or use XHR
2. keep track of game progress and player history, validate scores
3. obfuscate scoring beyond the hashing (false messages, symbols, etc)
4. don't calculate scores on the client, send player positions or something else instead (not possible for most games)
You can go around all of this though. It seems impossible to prevent manipulation completely, you can only raise the effort necessary to accomplish it. In consoles this is solved by closed platforms - PC games are still victim to cheating.
For that project, we ended up doing nothing and manually deleting suspicious scores from the database. Worked fine :)