8321: [MUD-Dev] Re: Trusting the Client (Re: Laws of Online World Design)
From: Ola Fosheim Grøstad <olag@ifi.uio.no>
Newsgroups: nu.kanga.list.mud-dev
Date: Tue, 13 Oct 1998 10:54:59 +0100
References: [1]
Organization: Kanga.Nu
mark@erdos.Stanford.EDU wrote:
> I'd like to share a few ideas about this "law":
> Never trust the client.
> Never put anything on the client. The client is in the hands of the
> enemy. Never ever ever forget this.
>
> While I agree the sentiment is a good one, I believe there is more leeway
> here than one might think. A more restricted law might be: "Never put
> anything you desire to be secret on the client."
[example snipped]
I (and others for sure) have arrived at your conclusion as well. Although
I'm no big fan of laws, I've arrived at something like this:
1. Never let a single client make the final decision about state which has
a global effect (exceptions exist, I'm sure you can think of some).
2. You may not be able to restrict clever users from any information which
the client code is capable of decoding. (You may be able to prevent the user
from using the information.)
3. You may not be able to prevent clever users from executing the protocol
directly.
4. Then you have to add a lot about authentication, but there are several
schemes available so...
--
Ola
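
Rules 1 to 3 above, sketched as an added example that is not part of the original post: a server that treats every client message as a request, decides outcomes from its own state, and sends each player only what that player may know. The names (`World`, `Player`, `handle`, `view_for`), the message shapes and the sample data are hypothetical.

```python
# Added illustration; all names are hypothetical, sample data is constructed.
from dataclasses import dataclass, field

MAX_STEP = 1  # server-side movement rule: one tile per request


@dataclass
class Player:
    pos: tuple
    gold: int = 0


@dataclass
class World:
    players: dict = field(default_factory=dict)
    chests: dict = field(default_factory=dict)  # pos -> gold, authoritative

    def handle(self, pid, msg):
        """Treat a client message as a request; the server decides the outcome."""
        p = self.players.get(pid)
        if p is None or not isinstance(msg, dict):
            return {"ok": False, "why": "bad request"}
        if msg.get("op") == "move":
            to = msg.get("to")
            # Rule 3: the message may be hand-crafted, so validate shape and range.
            if (not isinstance(to, (list, tuple)) or len(to) != 2
                    or not all(isinstance(c, int) for c in to)):
                return {"ok": False, "why": "malformed"}
            if max(abs(to[0] - p.pos[0]), abs(to[1] - p.pos[1])) > MAX_STEP:
                return {"ok": False, "why": "too far"}
            p.pos = tuple(to)
            return {"ok": True, "pos": p.pos}
        if msg.get("op") == "loot":
            # Rule 1: ignore any amount the client claims; use server state.
            amount = self.chests.pop(p.pos, None)
            if amount is None:
                return {"ok": False, "why": "nothing here"}
            p.gold += amount
            return {"ok": True, "gold": p.gold}
        return {"ok": False, "why": "unknown op"}

    def view_for(self, pid, radius=1):
        """Rule 2: send only what this player may know; the rest never leaves."""
        x, y = self.players[pid].pos
        return {pos: "chest" for pos in self.chests
                if max(abs(pos[0] - x), abs(pos[1] - y)) <= radius}
```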