Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow protocol encryption in offline mode #3749

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

rmheuer
Copy link

@rmheuer rmheuer commented Sep 21, 2024

Snapshot 24w03a for version 1.20.5 added support for protocol encryption for offline-mode servers. This adds support for encrypting player connections if the proxy is in offline mode and the client is new enough.

@andreasdc
Copy link

andreasdc commented Sep 21, 2024

You probably don't have a way to disable encrypting for online players, right? 😎 It eats the most resources from the server.

@rmheuer
Copy link
Author

rmheuer commented Sep 21, 2024

No, the authentication requires the encryption packets to be sent to exchange keys and shared secret. Authentication is started by the Encryption Request packet.

@md-5
Copy link
Member

md-5 commented Sep 29, 2024

Given there's no authentication, what benefit does this provide?

@rmheuer
Copy link
Author

rmheuer commented Sep 30, 2024

It makes it somewhat more difficult for a bad actor to read/modify your game packets because it would require a man-in-the-middle attack instead of reading outgoing network traffic. This was more of a test I used while figuring out how the client-side encryption works and I thought it might be useful to have as a feature in BungeeCord, but I understand if it's not something you think BungeeCord needs.

@Outfluencer
Copy link
Collaborator

Outfluencer commented Oct 29, 2024

Given there's no authentication, what benefit does this provide?

It makes the tablist have playerheads, could be cool for some offline mode servers to have these.

I did a similar pr to this before.

But i think api would be better than a config.
I would prefer to add a setEncrypting() method or something like that that can only be invoked before the encyption packet was sent and only for player with version >= 1.20.5

@Outfluencer
Copy link
Collaborator

maybe we should also support backend encryption, the backend could in theory have encryption enabled in offline mode. (Encryption packet does not mean online mode anymore, like in the current impl of the ServerConnector)
I see no reason for not supporting it.
I also see no reason for not support offline mode encryption for connecting users.
both are just features/abillitys that would improve bungeecord and its api (if we add api for it)

@md-5 whats your opinion?
if wanted i would like to add support for both sides offline mode encryption with api in a PR

@Janmm14
Copy link
Contributor

Janmm14 commented Dec 16, 2024

Encryption of the connection of bungee and spigot servers is a cpu burden without ANY benefit.

@Outfluencer
Copy link
Collaborator

i am aware of that, it should be the server administrators decision to enable it.
If performance is what you want, you should not enable it.
But if you don't care and want to have it enabled for any reason, why not giving the opportunity to the user of the software

@Janmm14
Copy link
Contributor

Janmm14 commented Dec 16, 2024

Adding options for the sake of options is just a (maintenance) burden.

As I already stated in the other topic about encryption, offline-mode encryption allows mitm attack vector.

So adding this option would at most give a false sense of confidentiality of the connection to bungeecord users when there is none guaranteed.

@Outfluencer
Copy link
Collaborator

offline-mode without encryption also allows mitm attack vector.
also the full functionality for enc and dec are already implemented in bungeecord
we would only need to add it to the pipe

also encrypted offline mode is in fact more confidential then no encryption

@Outfluencer
Copy link
Collaborator

Encryption of the connection of bungee and spigot servers is a cpu burden without ANY benefit.

also in fact there are benefits, the client do render the player head in tablist only with encryption enabled

@Janmm14
Copy link
Contributor

Janmm14 commented Dec 16, 2024

Encryption of the connection of bungee and spigot servers is a cpu burden without ANY benefit.

also in fact there are benefits, the client do render the player head in tablist only with encryption enabled

Thats for bungee - client, NOT for bungee - server

@Outfluencer
Copy link
Collaborator

thats right for bungee - server,
it is that we can connect to those servers (we spport a newly added networking feature)

@Outfluencer
Copy link
Collaborator

in my opinion supporting network features is never (maintenance) burden.
it should just be supported as its a feature of minecraft

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants