Posted 16 September 2004 - 05:36 PM
So I have read all the posts and this is my point of view:
- You want to send byte code over IP
- You cannot trust the client side because some bad guys want to do what they have to do, bad work; neither can you trust the server, because bad guys also want to do their bad work.
The question is:
Why do all of those bad guys want to crash your application?
If you're a client, you don't really have an interest in crashing your computer, do you?
If you're a server, can you have an interest in crashing your server? No, I don't think so either, but you can have an interest in crashing the clients connecting to you! To do this, your server must be known by the client ...
So, my point of view won't be to secure scripts, but rather to secure your application outside the script part.
Both client and server must trust each other, so they have to acknowledge each other:
Client: Hello server, my program is version X, with a checksum of Y, and I run with ScriptVersion Z. What are your versions?
Server: Hello client, you are connecting to server version X, with a checksum of Y, and I run ScriptVersion Z.
Now that client and server know their versions, checksums, or whatever they want to check (graphics card abilities, processor, memory, etc.), they can trust each other.
Also, timestamping and versioning the messages between client and server can lead to disconnection when the timeout comes (bad guy debugging!).
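
The exchange described in this post, sketched as an added example (not code from the thread): each side sends a hello with version, checksum and script version, then every later message carries a timestamp and a sequence number. The function names, the SHA-256 checksum, the 5-second limit and the use of a sequence number for message "versioning" are all assumptions.

```python
import hashlib

MAX_AGE = 5.0  # assumed timeout in seconds; the post gives no figure


def make_hello(program_bytes, version, script_version):
    """Build the hello a peer sends: version X, checksum Y, ScriptVersion Z."""
    return {"version": version,
            "checksum": hashlib.sha256(program_bytes).hexdigest(),
            "script_version": script_version}


def check_hello(hello, expected):
    """Return the fields that differ from what this side expects.
    Values are self-reported by the peer, so this detects mismatched builds."""
    return [k for k in ("version", "checksum", "script_version")
            if hello.get(k) != expected[k]]


class Session:
    """Tracks per-message sequence numbers and timestamps after the hello."""

    def __init__(self, max_age=MAX_AGE):
        self.max_age = max_age
        self.last_seq = 0
        self.connected = True

    def accept(self, msg, now):
        """Accept msg, or disconnect if it is out of order or too old."""
        if not self.connected:
            return False
        fresh = 0 <= now - msg["ts"] <= self.max_age
        in_order = msg["seq"] == self.last_seq + 1
        if not (fresh and in_order):
            self.connected = False  # e.g. a peer paused in a debugger
            return False
        self.last_seq = msg["seq"]
        return True


def demo():
    build = b"constructed sample program image"  # constructed sample input
    expected = make_hello(build, "1.4", "7")
    modified = make_hello(build + b"\x90", "1.4", "7")
    s, t0 = Session(), 1000.0
    results = [s.accept({"seq": 1, "ts": t0}, t0 + 0.2),      # on time
               s.accept({"seq": 2, "ts": t0 + 1}, t0 + 9.0),  # 8 s late
               s.accept({"seq": 3, "ts": t0 + 9}, t0 + 9.1)]  # already dropped
    return check_hello(expected, expected), check_hello(modified, expected), results
```
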