This thread is for the purpose of compiling an FAQ on real-world Security and Privacy information relating to the Minecraft client and server.
This is not a thread about griefing. It was prompted by two events - the first is the introduction of distributed data collection from the Minecraft Server and client. The second was a posting that turned up with Minecraft account details on Tumblr.
Contribute as you are able.
TODO: Add threat and risk assessments.
Cryptography
As of Snapshot 12w19a, Minecraft ships with and uses the Bouncy Castle cryptography provider, complete with X509 certificate usage.
Passwords and Password Strength
Where is the password saved when I select 'Remember Password'? How secure is it?
(TBD)
Remember Password discussion on Reddit: http://www.reddit.co...bad_encryption/
Clients
How do I verify my client is the one Mojang built?
(TBD - MD5 usage)
How can I tell if someone is stealing my login?
Google your Minecraft user name and see where your information is being circulated.
How secure is the client / server communication?
The login request and the subsequent exchange of serialised data use HTTPS; however, the username is sent in cleartext.
How secure is chat?
The messages exchanged between client and server are sent over an encrypted channel as they are issued at runtime.
All text the player types, including messages sent with the '/say' command, is logged to server.log in the Minecraft Server directory in clear text.
How does the server verify my user account is premium?
What is Snooping?
The Minecraft Server process sends a packet of usage data to the server snoop.minecraft.net regularly when the server is running. The protocol used is HTTP.
Does it still snoop when the server is in offline mode?
Yes.
Can I choose what information to send?
No.
Can I opt out with an in-game option or profile setting?
Yes, from v1.3.2. Prior to this, the only available option was to add a dummy hosts entry.
What is collected?
By version, as follows:
v1.2.5:
version
os_name <- reported from Java process
os_version <- reported from Java process
os_architecture <- reported from Java process
memory_total <- reported from Java process
memory_max <- reported from Java process
memory_free <- reported from Java process
java_version <- reported from Java process
cpu_cores <- reported from Java process
players_current <- reported from Minecraft server
players_max <- reported from Minecraft server
players_seen <- reported from Minecraft server. Dunno the math behind it yet.
uses_auth <- reported from Minecraft server: online / offline configured
server_brand <- from the Minecraft server code: "Vanilla", etc.
Snapshot 12w17a:
Here is a sample http post to snoop.minecraft.net:
snoopertoken <- a universally unique ID. (TBD - check any system info, like IP, used to generate?) (NEW)
os_name <- from Java property os.name
os_version <- from Java property os.version
os_arch <- from Java property os.arch
java_version <- from Java property java.version
version <- set to "12w18a"
jvm_args <- all the parameters passed to the Java process (NEW)
memory_total <- from JVM
memory_max <- from JVM
memory_free <- from JVM
cpu_cores <- from JVM
players_current <- from Minecraft Server process
players_max <- from Minecraft Server process
players_seen <- from Minecraft Server process
uses_auth <- from Minecraft Server process
whitelist_enabled <- from Minecraft Server process
whitelist_count <- from Minecraft Server process
gui_state <- from Minecraft Server process
avg_sent_packet_count <- from Minecraft Server process
avg_sent_packet_size <- from Minecraft Server process
avg_rec_packet_count <- from Minecraft Server process
avg_rec_packet_size <- from Minecraft Server process
dimension <- for each world the server hosts?
mode <- for each world the server hosts?
difficulty <- for each world the server hosts?
hardcore flag <- for each world the server hosts?
generator_name <- for each world the server hosts?
generator_version <- for each world the server hosts?
height <- for each world the server hosts?
chunks_loaded <- for each world the server hosts?
Snapshot 12w19a:
snooper_token
os_name
os_version
os_architecture
java_version
version = 12w19a
jvm_args
memory_total
memory_max
memory_free
cpu_cores
players_current
players_max
players_seen
uses_auth
whitelist_enabled
whitelist_count
gui_state
avg_tick_ms <- NEW
avg_sent_packet_count
avg_sent_packet_size
avg_rec_packet_count
avg_rec_packet_size
For each world:
dimension
mode
difficulty
hardcore flag
generator_name
generator_version
height
chunks_loaded
Number of worlds
singleplayer flag <- NEW
server_brand
gui_supported <- NEW
Snapshot 12w22a
As for 12w19a.
What information is available in the 'jvm_args'?
From v1.3.2 the explicitly collected information can be viewed in the "snooper settings" option on the client. The server has no equivalent but runs the same classes and methods so the keys and values can be inferred.
Before v1.3.2, the profile (i.e. local login) name of the user logged into the operating system is potentially available to Mojang, and to anyone able to intercept the traffic, because the path to the working directory is included. Here is an example from my Windows XP machine with the account name and session ID (?) masked:
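One way to check a payload for this leak before it leaves the host, as an added example that is neither the author's capture nor Mojang code: the key names follow the 12w19a list above, the payload is constructed, and -Duser.dir is an assumed way the working directory could end up in jvm_args (the page only says the path is present).

```python
"""Audit a snooper payload for identifying data (added example, not Mojang code).
Key names follow the 12w19a field list on this page; the payload is constructed
to show the jvm_args leak described above, not a real capture."""
import re
from typing import Dict, List, Tuple

# A user-profile directory: XP-era "Documents and Settings", Vista+ "Users", or a
# POSIX home. The path segment right after it is the operating-system login name.
PROFILE_PATH = re.compile(
    r"(?P<root>[A-Za-z]:\\(?:Documents and Settings|Users)\\|/home/|/Users/)"
    r"(?P<user>[^\\/\"';]+)"
)

# Server-level keys the page documents for 12w19a (per-world keys omitted).
DOCUMENTED_KEYS = {
    "snooper_token", "os_name", "os_version", "os_architecture", "java_version",
    "version", "jvm_args", "memory_total", "memory_max", "memory_free", "cpu_cores",
    "players_current", "players_max", "players_seen", "uses_auth",
    "whitelist_enabled", "whitelist_count", "gui_state", "avg_tick_ms",
    "avg_sent_packet_count", "avg_sent_packet_size", "avg_rec_packet_count",
    "avg_rec_packet_size", "server_brand", "gui_supported",
}

# Constructed sample. Which JVM argument carries the working directory is an
# assumption (the page only says "the path"); -Duser.dir is one plausible route.
SAMPLE_PAYLOAD: Dict[str, str] = {
    "snooper_token": "<placeholder-uuid>",
    "os_name": "Windows XP",
    "version": "12w19a",
    "jvm_args": "-Xmx1024M -Duser.dir=C:\\Documents and Settings\\Jane Doe\\minecraft\\",
    "hostname": "JANE-PC",  # constructed: a key the documented list does not have
}

def find_profile_names(payload: Dict[str, str]) -> List[Tuple[str, str]]:
    """(key, login name) for every value that embeds a profile path."""
    hits: List[Tuple[str, str]] = []
    for key, value in payload.items():
        hits.extend((key, m.group("user")) for m in PROFILE_PATH.finditer(value))
    return hits

def undocumented_keys(payload: Dict[str, str]) -> List[str]:
    """Keys the build posts that the field list on this page does not account for."""
    return sorted(k for k in payload if k not in DOCUMENTED_KEYS)

def redact(payload: Dict[str, str]) -> Dict[str, str]:
    """Copy of the payload with login-name segments replaced, safe to share."""
    return {k: PROFILE_PATH.sub(r"\g<root><redacted>", v) for k, v in payload.items()}

if __name__ == "__main__":
    for key, name in find_profile_names(SAMPLE_PAYLOAD):
        print(f"{key} leaks the OS login name {name!r}")
    print("undocumented keys:", undocumented_keys(SAMPLE_PAYLOAD))
    print(redact(SAMPLE_PAYLOAD)["jvm_args"])
```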
How do I disable snooping?
A disable option was suggested when snooping was first proposed. It did not exist until v1.3 and can now be found under "snooper settings" on the client. It defaults to "on", guaranteeing one data packet for new installations unless other measures are taken.
Alternatively, edit your hosts file and add an entry that redirects snoop.minecraft.net to 127.0.0.1. This prevents the Minecraft Server from connecting to the central data collector.
On Windows
If you have any difficulty with this process, go phone the person in your family who knows about computers and ask for help. Tell them the Internet told you to call:
1. Go to the command prompt
Check: if you cannot do this, do not go any further
2. Type cd \windows\system32\drivers\etc
Check: You should now be in directory C:\WINDOWS\system32\drivers\etc>
3. Type dir
Check: you should see a file called hosts
4. Type copy hosts hosts.bak
Check: type dir and make sure there is a file called hosts.bak and it has today's date and a recent timestamp
Do not go further if you cannot confirm all the 'checks' above
5. Type edit hosts
Check: the editor will start
6. Add this line: 127.0.0.1 snoop.minecraft.net
7. Save the file and exit the program. This returns to the command prompt.
Check: if you cannot work out how to save the file, stop and ask for help.
8. Type ping snoop.minecraft.net
Check: You should see output similar to below, and you are done. Start Minecraft Server again to have it take effect. The Java process spawning the server needs to be stopped because some JVMs cache DNS lookups indefinitely for performance reasons, so if you use a funky launcher you may need to restart the launcher instead.
C:\WINDOWS\system32\drivers\etc>ping snoop.minecraft.net
Pinging snoop.minecraft.net [127.0.0.1] with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
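The same hosts-file change as a script, added here and not part of the original post, covering what the manual steps leave to the reader: the entry is only added once, a stale mapping that would win on first match is disabled, and the result is read back the way the resolver reads it. The hosts path and the hosts.bak name match the steps above; everything else is the example's own.

```python
"""Sinkhole snoop.minecraft.net via the hosts file (added example, not Mojang code).
Scripts the manual steps above: back up hosts, pin the name to 127.0.0.1 once, and
read the result back as the resolver will. Writing the real file needs Administrator/root."""
import os
import platform
import shutil
from pathlib import Path
from typing import List, Optional, Tuple

SNOOP_HOST = "snoop.minecraft.net"
SINKHOLE = "127.0.0.1"

def _parse(line: str) -> Tuple[Optional[str], List[str]]:
    """(address, lower-cased names) of one hosts line; '#' starts a comment."""
    fields = line.split("#", 1)[0].split()
    return (fields[0], [f.lower() for f in fields[1:]]) if len(fields) > 1 else (None, [])

def resolve_in_hosts(text: str, hostname: str) -> Optional[str]:
    """Address the resolver would return for hostname: the first matching line wins."""
    for line in text.splitlines():
        addr, names = _parse(line)
        if hostname.lower() in names:
            return addr
    return None

def add_sinkhole(text: str, hostname: str = SNOOP_HOST, address: str = SINKHOLE) -> str:
    """Hosts text with hostname pinned to address; unchanged if already pinned.
    A stale mapping to another address is commented out, because it would win on
    first match and the appended sinkhole line would be silently ignored."""
    if resolve_in_hosts(text, hostname) == address:
        return text
    kept = []
    for line in text.splitlines():
        if hostname.lower() in _parse(line)[1]:
            line = "# " + line  # disabled: conflicts with the sinkhole entry
        kept.append(line)
    kept.append(f"{address} {hostname}")
    return "\n".join(kept) + "\n"

def install() -> Path:
    """Back up the real hosts file to hosts.bak beside it, then pin the entry.
    Restart the server JVM afterwards: JVMs cache lookups, so a running process
    keeps the old address (the DNS-cache caveat in the steps above)."""
    if platform.system() == "Windows":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        path = Path(root) / "System32" / "drivers" / "etc" / "hosts"
    else:
        path = Path("/etc/hosts")
    backup = path.with_name("hosts.bak")
    shutil.copy2(path, backup)
    path.write_text(add_sinkhole(path.read_text()))
    return backup

if __name__ == "__main__":
    print(f"hosts backed up to {install()}; restart the Minecraft server to apply")
```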
"Tell your Mum or Dad if you see something online that upsets you, or if someone makes you feel unhappy. You can also talk to a trusted adult like a teacher: they can help.
Hide your password. Only ever share it with your parents – never with your friends. Someone else could go online pretending to be you and do something that could get you into trouble.
Interesting websites can be fun. Check with Mum or Dad if a site is okay to use before you visit. Sometimes they can set up a good list of sites just for you.
Name calling or being mean is not cool and could be cyberbullying. Be nice when talking online or over the phone. Look out for yourself and for others.
Keep your special personal information safe. Never give your real name, address or phone number to anyone you don’t know in the real world. Use a nickname in chat rooms or when you play games on the computer."
What is not safe information to share in server chat?
Never share your real name, address, and phone number. Also never share information about your friends and family. You may know the person you are talking with on a multiplayer server, but you do not know what level of logging is on the server, and you cannot predict where any server logs might end up.
Ever join a server, especially PVP servers, and have people swearing all over the place? It can be a bad influence for children playing this normally family-friendly game. This mod will bleep out those words or delete the message entirely.
This is a client mod, so it doesn't matter if the server supports it or not. It comes with its own configuration file so that you can change the swear word list or what happens when someone swears.
There are no dependencies. You don't need modloader.
Lots of interesting info here, good job compiling it. Also, bonus points for including relevant XKCD comics.
Too bad this will all be way over the heads of 98% of the people reading it...
Thanks Divinus, though I am actually secretly hoping some of the more problematic things will be addressed by the Mojangs. My pick list is:
1. Snooping packets include JVM arguments, which on Windows can include the profile name in the classpath, which can be a real name, which is a concern if it reveals the identity of a kid. This is a bad idea for a number of reasons and only the required JVM info should be delivered, not everything that is available, as it is currently implemented in the snapshots. It's an unencrypted channel to Mojang's servers, and I presume not encrypted in storage on their servers.
2. the chat in the server logs is unencrypted and this has privacy implications.
I am heartened that a Bouncy Castle implementation is bundled now, and I expect improvements over time.
Until then I've locked out snoop.minecraft.net on the local PCs my family use for Minecraft.
Changing passwords regularly:
(TBD - How)
Characteristics of Good passwords:
How does the server verify my user account is premium?
Through a post to http://session.minec...jsp?user=<login name>
Server Snooping
Reddit thread: http://www.reddit.co..._data_and_made/
This is the response:
Here is a second post from the server to snoop.minecraft.net 30 seconds later:
and the response:
Snapshot 12w18a:
Note also that the Minecraft account name is posted, as is either a session ID or a hashed password (NEEDS REVIEW AND CONFIRMATION)
What else is available to Mojang, or people using network probes?
http://www.minecraft...0#entry14729576
Good Online Behaviours
Read this: http://www.cybersmar...cybersmart.aspx
More tips at http://www.cybersmart.gov.au/
Server Features
(TBD: RCON / query)
(TBD: Log files and contents)
(TBD: Player data)
File transfers through automatic Texture Pack downloading: http://www.reddit.com/r/Minecraft/comments/16xoox/til_you_can_send_any_file_in_a_zip_over_minecraft/
Links to tools
A shout out to Quazimortal who drew out some of the areas for attention in this FAQ.
http://www.minecraftforum.net/topic/1314911-125-safechat/