Its a lot harder than you think. With the game services exposed via a public port then I have a direct attack vector. I.e. the port. If I have to run everything through the proxy server then it will take longer, and you're more likely to notice.
Definitely, and we could keep adding different proxies between the entry point and the game to make it even harder to find an exploit.
I'm not saying that this is bad, just that the cost in development/architecture/latency has to be balanced against the gain for hacker to access the system.
Encrypted how? If i'm ON the server then I can read anything the SERVER can read. I can also poke around in memory and simply grab the decrypted keys, or even skip that and grab the decrypted configuration file.
Oh, the config is in plain text, but the particular value of the key needs to be decrypted to work. It's decrypted in memory of course, but since the key is simply a random value, you'd probably want to grab the java classes and reverse engineer those first in order to see where that's stored. Again, not impossible, but adds at least a day of work (for someone who's already reverse-engineered the entire protocol).
Since generating a new cert is trivial - it's then simply a matter of pushing out new clients - an attacker would need to work fast to put it to any use. Once a breach is discovered, changing cert + resetting passcodes removes any future gain for the attacker. Since the passcodes are just random numbers, the only permanent gain an attacker would have would be if they changed account data.
Again, for a different game this would be a much greater problem.