This thread is for the purpose of compiling an FAQ on real-world Security and Privacy information relating to the Minecraft client and server.
This is not a thread about griefing. It was prompted by two events - the first is the introduction of distributed data collection from the Minecraft Server and client. The second was a posting that turned up with Minecraft account details on Tumblr.
Contribute as you are able.
TODO: Add threat and risk assessments.
As of Snapshot 12w19a, Minecraft ships with and uses the Bouncy Castle cryptography provider, complete with X509 certificate usage.
Passwords and Password Strength
Where is the password saved when I select 'Remember Password'? How secure is it?
Remember Password discussion on Reddit: http://www.reddit.co...bad_encryption/
Changing passwords regularly:
(TBD - How)
Characteristics of Good passwords:
- Difficult to guess
- A mix of letters and other characters
- Don't tell your friends
- Read this: http://xkcd.com/936/
Characteristics of Bad passwords:
- Same as username
- "minecraft" / "Minecraft" / "Minecraft1"
- Too short
- Read this: http://xkcd.com/792/
How do I verify my client is the one Mojang built?
(TBD - MD5 usage)
How can I tell if someone is stealing my login?
Google your Minecraft user name and see where your information is being circulated.
How secure is the client / server communication?
The login request and the subsequent exchange of serialised data use HTTPS; the username, however, is sent in cleartext.
How secure is chat?
The messages exchanged between client and server are sent over an encrypted channel as they are issued at runtime.
All text the player types, including '/say' commands, is logged in clear text to server.log in the Minecraft Server directory.
How does the server verify my user account is premium?
Through a post to http://session.minec...jsp?user=<login name>
Reddit thread: http://www.reddit.co..._data_and_made/
What is Snooping?
The Minecraft Server process sends a packet of usage data to the server snoop.minecraft.net regularly while the server is running. The protocol used is HTTP.
Does it still snoop when the server is in offline mode?
Can I choose what information to send?
Can I opt out with an in-game option or profile setting?
Yes, from v1.3.2. Prior to this, the only available option was to add a dummy hosts entry.
What is collected?
By version, as follows:
What information is available in the 'jvm_args'?
From v1.3.2 the explicitly collected information can be viewed in the "snooper settings" option on the client. The server has no equivalent but runs the same classes and methods so the keys and values can be inferred.
Before v1.3.2, the profile (i.e. local login) name of the user logged into the operating system is potentially available to Mojang, and to anyone able to intercept the traffic, because the path to the working directory is included. Here is an example from my Windows XP machine with the account name and session ID (?) masked:
jvm_args: -Xms128m -Xmx1024m -Dsun.java2d.noddraw=true -Dsun.java2d.d3d=false -Dsun.java2d.opengl=false -Dsun.java2d.pmoffscreen=false -Djava.library.path=bin/natives
java_command: magic.launcher.Launcher -lcp=C:\Documents and Settings\(REMOVED)\My Documents\Downloads\OPTIFINE\OptiFine_1.2.5_HD_MT_B2.zip;C:\Documents and Settings\(REMOVED)\Application Data\.minecraft\bin\minecraft.jar;bin/jinput.jar;bin/lwjgl.jar;bin/lwjgl_util.jar -windowMaximized (MINECRAFT ACCOUNT) (MINECRAFT SESSION ID)
Note also that the Minecraft account name is posted, as is either a session ID or a hashed password (NEEDS REVIEW AND CONFIRMATION).
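The audit below is an added example for checking a report of this shape before it leaves your machine; it is not code from this FAQ or from Mojang. It assumes the report is a flat mapping of key to string value using the 'jvm_args' and 'java_command' keys shown above; the sample values are constructed to mirror the Windows XP example, with an obviously fake account name and session token. It flags two of the problems called out above, the OS profile name embedded in the working-directory path and a long hex token that looks like a session ID or hash, and produces a masked copy.

```python
import re

# Windows profile directories embed the OS login name in the path
# (both the XP-era "Documents and Settings" and the later "Users" layout).
PROFILE_PATH_RE = re.compile(
    r"(?:Documents and Settings|Users)\\([^\\;\"]+)", re.IGNORECASE)

# A long run of hex digits is a crude signature for a session ID or a hash.
HEX_TOKEN_RE = re.compile(r"\b[0-9a-fA-F]{16,}\b")

# Constructed sample report (assumed format; values are fake).
SAMPLE_REPORT = {
    "jvm_args": "-Xms128m -Xmx1024m -Djava.library.path=bin/natives",
    "java_command": (
        "magic.launcher.Launcher "
        "-lcp=C:\\Documents and Settings\\alice\\Application Data"
        "\\.minecraft\\bin\\minecraft.jar;bin/lwjgl.jar "
        "-windowMaximized ExampleAccount 0123456789abcdef"
    ),
    "os_name": "Windows XP",
}


def os_usernames(value):
    """OS login names exposed through profile paths inside a value."""
    return sorted(set(m.group(1) for m in PROFILE_PATH_RE.finditer(value)))


def hex_tokens(value):
    """Hex runs of 16+ characters that may be session IDs or hashes."""
    return HEX_TOKEN_RE.findall(value)


def audit(report):
    """Return (key, reason) findings for every leaky value in the report."""
    findings = []
    for key, value in report.items():
        for name in os_usernames(value):
            findings.append((key, "OS profile name in path: " + name))
        for tok in hex_tokens(value):
            findings.append((key, "possible session id or hash: " + tok[:4] + "..."))
    return findings


def redact(report):
    """Copy of the report with profile names and hex tokens masked."""
    out = {}
    for key, value in report.items():
        # keep the "Documents and Settings\" prefix, replace only the name
        value = PROFILE_PATH_RE.sub(
            lambda m: m.group(0)[: m.start(1) - m.start(0)] + "(REMOVED)", value)
        value = HEX_TOKEN_RE.sub("(SESSION ID)", value)
        out[key] = value
    return out


if __name__ == "__main__":
    for key, reason in audit(SAMPLE_REPORT):
        print("FINDING", key + ":", reason)
    for key, value in redact(SAMPLE_REPORT).items():
        print(key + ":", value)
```

Run it against a report captured with a tool such as TCPMON (see the tools list at the end of this FAQ) to see which keys would need masking before you were comfortable with the packet leaving your network.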
What else is available to Mojang, or people using network probes?
How do I disable snooping?
A disable option was suggested when snooping was first proposed. It did not exist until v1.3 and can now be found under "snooper settings" on the client. It defaults to "on", guaranteeing one data packet for new installations unless other measures are taken.
Alternatively, edit your hosts file and add an entry that redirects snoop.minecraft.net to 127.0.0.1. This prevents the Minecraft Server from connecting to the central data collector.
If you have any difficulty with this process, go phone the person in your family who knows about computers and ask for help. Tell them the Internet told you to call:
1. Go to the command prompt
Check: if you cannot do this, do not go any further
2. Type cd \windows\system32\drivers\etc
Check: You should now be in directory C:\WINDOWS\system32\drivers\etc>
3. Type dir
Check: you should see a file called hosts
4. Type copy hosts hosts.bak
Check: type dir and make sure there is a file called hosts.bak and it has today's date and a recent timestamp
Do not go further if you cannot confirm all the 'checks' above
5. Type edit hosts
Check: the editor will start
6. Add this line: 127.0.0.1 snoop.minecraft.net
7. Save the file and exit the program. This returns to the command prompt.
Check: if you cannot work out how to save the file, stop and ask for help.
8. Type ping snoop.minecraft.net
Check: You should see output similar to the below, and you are done. Start Minecraft Server again for the change to take effect. The Java process that spawned the server needs to be stopped, because some JVMs cache DNS lookups indefinitely for performance reasons, so if you use a funky launcher you may need to restart the launcher instead.
C:\WINDOWS\system32\drivers\etc>ping snoop.minecraft.net

Pinging snoop.minecraft.net [127.0.0.1] with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
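The same eight steps as a script, added here as an example and not part of the original FAQ: it backs up the hosts file (step 4), appends the 127.0.0.1 snoop.minecraft.net entry only if no line already maps that name (step 6), and then checks what the name resolves to (step 8). Using Python instead of the command prompt, and the default hosts-file locations for Windows and for Unix-like systems, are this example's own choices; the file-editing logic is kept in pure functions so it can be checked without touching a real hosts file.

```python
import os
import shutil
import socket
import sys

HOST = "snoop.minecraft.net"
LOOPBACK = "127.0.0.1"


def hosts_path():
    """Default hosts-file location per platform (an assumption of this example)."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "system32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def has_entry(text, host):
    """True if some active (non-comment) line already maps host to any address."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) >= 2 and host.lower() in (h.lower() for h in fields[1:]):
            return True
    return False


def add_entry(text, host=HOST, ip=LOOPBACK):
    """Return hosts text with 'ip host' appended; unchanged if host is already mapped."""
    if has_entry(text, host):
        return text
    sep = "" if text == "" or text.endswith("\n") else "\n"
    return f"{text}{sep}{ip} {host}\n"


def resolves_to_loopback(host=HOST):
    """Step 8: does the name now resolve to loopback from a fresh process?"""
    try:
        return socket.gethostbyname(host) == LOOPBACK
    except socket.gaierror:
        return False


def apply(path=None):
    """Back up and rewrite the hosts file; needs administrator/root for the real file."""
    path = path or hosts_path()
    with open(path, "r") as f:
        original = f.read()
    updated = add_entry(original)
    if updated == original:
        print("hosts already maps", HOST)
        return False
    shutil.copyfile(path, path + ".bak")   # step 4: keep a backup first
    with open(path, "w") as f:
        f.write(updated)
    print("added", LOOPBACK, HOST, "to", path)
    return True


if __name__ == "__main__":
    apply(sys.argv[1] if len(sys.argv) > 1 else None)
    print("resolves to loopback:", resolves_to_loopback())
```

As the FAQ notes, the resolution check only reflects a fresh process; a running server or launcher that has already cached the old lookup still needs restarting.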
Good Online Behaviours
Read this: http://www.cybersmar...cybersmart.aspx
"Tell your Mum or Dad if you see something online that upsets you, or if someone makes you feel unhappy. You can also talk to a trusted adult like a teacher: they can help.
Hide your password. Only ever share it with your parents – never with your friends. Someone else could go online pretending to be you and do something that could get you into trouble.
Interesting websites can be fun. Check with Mum or Dad if a site is okay to use before you visit. Sometimes they can set up a good list of sites just for you.
Name calling or being mean is not cool and could be cyberbullying. Be nice when talking online or over the phone. Look out for yourself and for others.
Keep your special personal information safe. Never give your real name, address or phone number to anyone you don’t know in the real world. Use a nickname in chat rooms or when you play games on the computer."
What is not safe information to share in server chat?
Never share your real name, address, or phone number. Also never share information about your friends and family. You may know the person you are talking with on a multiplayer server, but you do not know what level of logging is on the server, and you cannot predict where any server logs might end up.
More tips at http://www.cybersmart.gov.au/
(TBD: RCON / query)
(TBD: Log files and contents)
(TBD: Player data)
File transfers through automatic Texture Pack downloading: http://www.reddit.co...over_minecraft/
Links to tools
- TCPMON ( http://code.google.com/p/tcpmon/ ) can be used to look at the traffic between Server, Client, and snoop.minecraft.net.
A shout out to Quazimortal who drew out some of the areas for attention in this FAQ.
Edited by abrightmoore, 20 January 2013 - 08:39 PM.