
Minecraft Server Security and Privacy FAQ

5 replies to this topic

#1

abrightmoore

Posted 05 May 2012 - 03:30 AM

Security and Privacy FAQ

This thread is for the purpose of compiling an FAQ on real-world Security and Privacy information relating to the Minecraft client and server.

This is not a thread about griefing. It was prompted by two events - the first is the introduction of distributed data collection from the Minecraft Server and client. The second was a posting that turned up with Minecraft account details on Tumblr.

Contribute as you are able.

TODO: Add threat and risk assessments.

Cryptography

As of Snapshot 12w19a, Minecraft ships with and uses the Bouncy Castle cryptography provider, complete with X509 certificate usage.

Passwords and Password Strength

Where is the password saved when I select 'Remember Password'? How secure is it?
(TBD)
Remember Password discussion on Reddit: http://www.reddit.co...bad_encryption/

Changing passwords regularly:
(TBD - How)

Characteristics of Good passwords:
  • Difficult to guess
  • A mix of characters and letters
  • Don't tell your friends
  • Read this: http://xkcd.com/936/
Characteristics of Bad passwords:

Clients

How do I verify my client is the one Mojang built?
(TBD - MD5 usage)

How can I tell if someone is stealing my login?
Google your Minecraft user name and see where your information is being circulated.

How secure is the client / server communication?
The login request and subsequent exchange of serialised data uses HTTPS, however the username is cleartext.

How secure is chat?
The messages exchanged between client and server are sent over an encrypted channel as they are issued at runtime.

All text the player types, including those using the '/say' command, are logged to the server.log in the Minecraft Server directory and are in clear text.

How does the server verify my user account is premium?

Through a post to http://session.minec...jsp?user=<login name>


Server Snooping

Reddit thread: http://www.reddit.co..._data_and_made/

What is Snooping?
The Minecraft Server process sends a packet of usage data to the server snoop.minecraft.net regularly when the server is running. The protocol used is HTTP.


Does it still snoop when the server is in offline mode?
Yes.

Can I choose what information to send?
No.

Can I opt out with an in-game option or profile setting?
Yes, from v1.3.2. Prior to this, the only available option was to add a dummy hosts entry.

What is collected?
By version, as follows:
Spoiler:

What information is available in the 'jvm_args'?

From v1.3.2 the explicitly collected information can be viewed in the "snooper settings" option on the client. The server has no equivalent but runs the same classes and methods so the keys and values can be inferred.

Before v1.3.2, potentially the profile (i.e. local login) name of the user logged into the operating system will be available to Mojang, and anyone able to intercept the traffic. This is because the path to the working directory is available. Here is an example from my Windows XP machine with the account name and session ID (?) masked:


jvm_args: -Xms128m -Xmx1024m -Dsun.java2d.noddraw=true -Dsun.java2d.d3d=false -Dsun.java2d.opengl=false -Dsun.java2d.pmoffscreen=false -Djava.library.path=bin/natives
java_command: magic.launcher.Launcher -lcp=C:\Documents and Settings\(REMOVED)\My Documents\Downloads\OPTIFINE\OptiFine_1.2.5_HD_MT_B2.zip;C:\Documents and Settings\(REMOVED)\Application Data\.minecraft\bin\minecraft.jar;bin/jinput.jar;bin/lwjgl.jar;bin/lwjgl_util.jar -windowMaximized (MINECRAFT ACCOUNT) (MINECRAFT SESSION ID)

Note also that the Minecraft account name is posted, as is either a session ID or a hashed password (NEEDS REVIEW AND CONFIRMATION)

What else is available to Mojang, or people using network probes?
http://www.minecraft...0#entry14729576

How do I disable snooping?
A disable option was suggested when snooping was first proposed. It did not exist until v1.3 and can now be found under "snooper settings" on the client. It defaults to "on", guaranteeing one data packet for new installations unless other measures are taken.

Instead, edit your hosts file and add an entry that redirects snoop.minecraft.net to 127.0.0.1. This prevents the Minecraft Server connecting to the central data collector.

On Windows

If you have any difficulty with this process, go phone the person in your family who knows about computers and ask for help. Tell them the Internet told you to call:

1. Go to the command prompt
Check: if you cannot do this, do not go any further
2. type cd \windows\system32\drivers\etc
Check: You should now be in directory C:\WINDOWS\system32\drivers\etc>
3. Type dir
Check: you should see a file called hosts
4. Type copy hosts hosts.bak
Check: type dir and make sure there is a file called hosts.bak and it has today's date and a recent timestamp
Do not go further if you cannot confirm all the 'checks' above
5. Type edit hosts
Check: the editor will start
6. Add this line: 127.0.0.1 snoop.minecraft.net
7. Save the file and exit the program. This returns to the command prompt.
Check: if you cannot work out how to save the file, stop and ask for help.
8. Type ping snoop.minecraft.net
Check: You should see output similar to below, and you are done. Start Minecraft Server again to have it take effect. The Java process spawning the server needs to be stopped because some JVMs cache DNS lookups indefinitely for performance reasons - so if you use a funky launcher you may need to restart the launcher instead.

C:\WINDOWS\system32\drivers\etc>ping snoop.minecraft.net

Pinging snoop.minecraft.net [127.0.0.1] with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms


Good Online Behaviours
Read this: http://www.cybersmar...cybersmart.aspx

"Tell your Mum or Dad if you see something online that upsets you, or if someone makes you feel unhappy. You can also talk to a trusted adult like a teacher: they can help.

Hide your password. Only ever share it with your parents – never with your friends. Someone else could go online pretending to be you and do something that could get you into trouble.

Interesting websites can be fun. Check with Mum or Dad if a site is okay to use before you visit. Sometimes they can set up a good list of sites just for you.

Name calling or being mean is not cool and could be cyberbullying. Be nice when talking online or over the phone. Look out for yourself and for others.

Keep your special personal information safe. Never give your real name, address or phone number to anyone you don’t know in the real world. Use a nickname in chat rooms or when you play games on the computer."

What is not safe information to share in server chat?
Never share your real name, address, and phone number. Also never share information about your friends and family. You may know the person you are talking with on a multiplayer server, but you do not know what level of logging is on the server, and you cannot predict where any server logs might end up.

More tips at http://www.cybersmart.gov.au/

Server Features

(TBD: RCON / query)

(TBD: Log files and contents)

(TBD: Player data)

File transfers through automatic Texture Pack downloading: http://www.reddit.co...over_minecraft/

Links to tools
_________________________________________________________________
A shout out to Quazimortal who drew out some of the areas for attention in this FAQ.

Edited by abrightmoore, 20 January 2013 - 08:39 PM.
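The Windows steps in the FAQ above (back up the hosts file, add a loopback line for snoop.minecraft.net, then confirm the name now resolves to 127.0.0.1) are the same on Linux and macOS, where the file is /etc/hosts instead of C:\WINDOWS\system32\drivers\etc\hosts. The script below is an added example, not code from the forum post or from Mojang: it takes the hosts file path as a parameter so it can be rehearsed on a scratch copy first (editing the real file needs root), refuses to touch the file if the host is already mapped somewhere other than loopback, skips the append when the entry is already present, and verifies the result by re-reading the file rather than by pinging. The function names and the scratch-file layout are this example's own assumptions.

```shell
#!/bin/sh
# Added example: POSIX-shell equivalent of the Windows hosts-file procedure.
# Not from the original post. Assumes a standard hosts file layout:
#   <address> <name> [<alias> ...] [# comment]

SNOOP_HOST="snoop.minecraft.net"

# hosts_lookup FILE HOST
# Print the address FILE maps HOST to (first match), or nothing if absent.
# This is the offline counterpart of the "[127.0.0.1]" that ping shows in
# step 8 of the Windows instructions.
hosts_lookup() {
    awk -v h="$2" '
        /^[[:space:]]*#/ { next }             # whole-line comment
        {
            for (i = 2; i <= NF; i++) {
                if ($i == "#") break          # trailing comment starts
                if ($i == h) { print $1; exit }
            }
        }' "$1"
}

# add_hosts_block FILE HOST
# Steps 4 and 6: keep a backup (FILE.bak), then append "127.0.0.1 HOST".
# Returns 0 when HOST maps to loopback afterwards, 1 on a missing file or a
# failed backup, 2 when HOST already maps to a different address (left for
# the operator to inspect rather than silently overridden).
add_hosts_block() {
    file="$1"; host="$2"
    [ -f "$file" ] || { echo "no hosts file at $file" >&2; return 1; }
    cp "$file" "$file.bak" || return 1
    existing=$(hosts_lookup "$file" "$host")
    if [ "$existing" = "127.0.0.1" ]; then
        return 0                              # already blocked; idempotent
    fi
    if [ -n "$existing" ]; then
        echo "warning: $host already maps to $existing in $file; edit by hand" >&2
        return 2
    fi
    printf '127.0.0.1 %s\n' "$host" >> "$file"
}

# check_hosts_block FILE HOST
# Step 8's check without the network: true only if HOST resolves to loopback
# according to FILE. (The running server must still be restarted, since the
# JVM may have cached the earlier lookup.)
check_hosts_block() {
    [ "$(hosts_lookup "$1" "$2")" = "127.0.0.1" ]
}

# Usage: sh block_snoop.sh /etc/hosts   (as root; omit the argument to do nothing)
if [ $# -gt 0 ]; then
    add_hosts_block "$1" "$SNOOP_HOST" && check_hosts_block "$1" "$SNOOP_HOST" \
        && echo "$SNOOP_HOST now resolves to 127.0.0.1 via $1"
fi
```

Running it against a copy of the hosts file first shows exactly what will change; the `.bak` the script leaves behind is the equivalent of the `copy hosts hosts.bak` step, and a second run is a no-op rather than a duplicate line.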



#2

abrightmoore

Posted 27 June 2012 - 08:28 PM

Chat filter on the client by Colcf:

Colcf, on 27 June 2012 - 04:50 PM, said:

Safechat


Ever join a server, especially PVP servers, and have people swearing all over the place? It can be a bad influence for children playing this normally family-friendly game. This mod will bleep out those words or delete the message entirely.


This is a client mod, so it doesn't matter if the server supports it or not. It comes with it's own configuration file so that you can change the swear word list or what happens when someone swears.


There are no dependencies. You don't need modloader.



http://www.minecraft...1-125-safechat/

#3

Divinius

Posted 27 June 2012 - 08:56 PM

Lots of interesting info here, good job compiling it.  Also, bonus points for including relevant XKCD comics.

Too bad this will all be way over the heads of 98% of the people reading it...

#4

abrightmoore

Posted 30 June 2012 - 09:14 AM

Divinius, on 27 June 2012 - 08:56 PM, said:

Lots of interesting info here, good job compiling it.  Also, bonus points for including relevant XKCD comics.

Too bad this will all be way over the heads of 98% of the people reading it...

Thanks Divinius, though I am actually secretly hoping some of the more problematic things will be addressed by the Mojangs. My pick list is:

1. Snooping packets include JVM arguments, which on Windows can include the profile name in the classpath, which can be a real name, which is a concern if it reveals the identity of a kid. This is a bad idea for a number of reasons and only the required JVM info should be delivered, not everything that is available as it is currently implemented in the snapshots. It's an unencrypted channel to Mojangs servers, and I presume not encrypted in storage on their servers.

2. the chat in the server logs is unencrypted and this has privacy implications.

I am heartened that a Bouncy Castle implementation is bundled now, and I expect improvements over time.

Until then I've locked out snoop.minecraft.net on the local PCs my family use for Minecraft.

#5

HeroCC

Posted 21 July 2013 - 03:48 PM

Nice. Thanks, I run a server, and is there a way to verify that they cannot hack the server or my home network?

Join HeroiCraft Minecraft server! Survival, Creative, SkyBlock, Games, Spleef, CTF, Hunger Games, and more!
Connect to: mc.heroicraft.net


#6

Alpha_ergo_Omega

Posted 28 November 2013 - 06:56 PM

Thank you for this, made the privacy aspect a lot more controllable. If I figure out how to give a thumbs up on this site, I will!