 

Should a MMORPG use encryption? [closed]

Tags:

encryption

First of all, do those successful commercial MMORPGs use encryption for game data transmission?

I got the impression that many developers tend not to use encryption, because it cannot prevent reverse engineering for cheating and making private servers, but doesn't it effectively reduce the number of those?

Encryption also impacts performance, even just a little.

Good encryption does prevent network sniffing and man-in-the-middle, are these important for MMORPGs?

How about protecting chat messages for privacy concerns?

What do you think?

PS: I'm talking about game data, not user/password; auth info needs to be encrypted for sure.

Hongbo asked Nov 29 '10 19:11


1 Answer

Encryption is a tool. Make sure the tool fits the problem.

Encryption is useful for essentially three things: 1) 3rd party can't view data, 2) both parties are who they say they are, 3) data hasn't been modified. None of those really apply here. Remember the client is on the user (attacker) machine. If they modify the client it will gladly sign & encrypt any message they want.

The second thing to consider is the fact that the client has the keys and thus you should assume the attacker also has the keys. Even if you use asymmetric encryption, the client has the key to decrypt anything it receives. If you send "private data" to the client, an attacker can find the key and decrypt it.

A good MMORPG (designed to make cheating difficult) should assume two things: a) user/attacker can see any data sent to client (so don't send things to client you don't want user to see) b) an attacker can send any possible command to the user (so don't rely on the client for security).

In most MMORPGs the client is little more than a dumb terminal with impressive graphics. All computation, error checking, and validation occurs server side. The client doesn't determine if you hit or miss, nor does it determine how much damage. The client simply tells the server "I am attacking with item 382903128." or some other action (not result). The server validates that the player has access to that option, has the item, and the command is valid at this time. To prevent sniffing attacks the client is only given data that the user would have access to anyways.

Gerald Davis answered Jun 06 '23 20:06
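The server-side validation described in the answer above, sketched as an added example that is not part of the original answer. The names `WEAPONS`, `Player`, `GameServer` and `handle_attack`, and the range and cooldown rules, are hypothetical; only the item id comes from the answer.

```python
from dataclasses import dataclass, field
from math import dist

# Server-side tables (constructed sample data). The client never supplies these.
WEAPONS = {382903128: {"damage": 12, "range": 2.0, "cooldown": 1.5}}

@dataclass
class Player:
    pos: tuple
    inventory: set = field(default_factory=set)
    hp: int = 100
    next_attack_at: float = 0.0

class GameServer:
    def __init__(self, players):
        self.players = players  # authoritative state, keyed by session-bound player id

    def handle_attack(self, sender_id, msg, now):
        """Validate an untrusted 'attack' action; return (accepted, reason)."""
        if not isinstance(msg, dict):
            return False, "malformed"
        item, target_id = msg.get("item"), msg.get("target")
        attacker = self.players[sender_id]  # identity comes from the session, not the message
        target = self.players.get(target_id) if isinstance(target_id, str) else None
        weapon = WEAPONS.get(item) if isinstance(item, int) else None
        if weapon is None:
            return False, "unknown item"
        if item not in attacker.inventory:
            return False, "item not owned"
        if target is None or target_id == sender_id or target.hp <= 0:
            return False, "invalid target"
        if now < attacker.next_attack_at:
            return False, "on cooldown"
        if dist(attacker.pos, target.pos) > weapon["range"]:
            return False, "out of range"
        # Outcome is computed from server data only; extra client fields are ignored.
        target.hp = max(0, target.hp - weapon["damage"])
        attacker.next_attack_at = now + weapon["cooldown"]
        return True, "hit"

def demo():
    srv = GameServer({"alice": Player((0, 0), {382903128}),
                      "bob": Player((1, 1)), "carol": Player((9, 9))})
    sends = [("alice", "bob", 10.0), ("alice", "bob", 10.5),
             ("alice", "carol", 12.0), ("bob", "alice", 12.0)]
    # "damage" is a forged field a modified client might add; the server ignores it.
    out = [srv.handle_attack(s, {"item": 382903128, "target": t, "damage": 9999}, now)
           for s, t, now in sends]
    return out, srv.players["bob"].hp
```

Encrypting these messages would not change any of the four outcomes, because every decision depends only on state the server holds.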