Can JSON requests be intercepted leaving UE4

To keep my login system simpler I’d like to handle all the hashing on my server side.
Will it be possible for a user to steal a JSON request leaving UE4? If a hacker captures the JSON they can capture the PHP script query syntax and they can try to brute force.

I’m using this plugin

to create REST requests.

It’s as simple as installing and running “Wireshark” app.

Security through obscurity is not security at all.

Yes, it is, but that is generally possible for any application. You would have to use encryption like SSL to prevent the kind of attack you are talking about, but as @eblade mentions, you should instead design your authentication protocol to be robust against that kind of attack… Preventing brute force attacks is often done by (exponentially increasing) timeouts, for example…

Suggestion: instead of using HTTP, why not use raw TCP? Basically even if someone had Fiddler, etc., they would still have to have the actual knowledge to capture the packets, assemble them, and read them out. You could have 3 packets sent: 1 which starts the acceptance for the login, 1 that is the login information, and 1 that is the end of the login, or this could all be in 1 packet and use simple AES. I've done this for a mobile MMO specifically to stop people from just making a bot. :x

You should use HTTPS if you’re doing anything with web type traffic. WSS if you’re doing anything with websockets. Encrypted communications are pretty easy to do. That’ll pretty much prevent Wireshark and man-in-the-middle types of prevention. But if someone who has your game wants to access the info, they’ve got the binaries, they can find the strings inside it. You can encrypt the strings, if you want, but that just adds more junk to it.

You should use proper authentication and encryption, rather than depending on hoping that no one can figure out your schema.
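
Added example, not posted by anyone in this thread: a server-side sketch of the "exponentially increasing timeouts" mentioned in one of the replies above, so that a known request format does not make password guessing practical. The names `LoginThrottle` and `attempt_login`, the in-memory dict and the default limits are all assumptions made for illustration; a real login server would persist this state and call its own password check.

```python
import time


class LoginThrottle:
    """Per-account lockout whose delay doubles with each consecutive failure.

    Hypothetical helper; state lives in a plain dict (assumption).
    """

    def __init__(self, base_delay=1.0, max_delay=3600.0, free_attempts=3,
                 clock=time.monotonic):
        self.base_delay = base_delay        # first lockout, in seconds
        self.max_delay = max_delay          # ceiling for any single lockout
        self.free_attempts = free_attempts  # failures tolerated before delays start
        self.clock = clock                  # injectable so the logic can be tested
        self._state = {}                    # account -> (failures, locked_until)

    def retry_after(self, account):
        """Seconds the caller must still wait; 0.0 means an attempt is allowed."""
        _, locked_until = self._state.get(account, (0, 0.0))
        return max(0.0, locked_until - self.clock())

    def record_failure(self, account):
        """Count one failed attempt and return the lockout it triggers."""
        failures, _ = self._state.get(account, (0, 0.0))
        failures += 1
        over = failures - self.free_attempts
        delay = 0.0
        if over > 0:
            # 1x, 2x, 4x, ... base_delay; exponent is capped to keep the number sane.
            delay = min(self.max_delay, self.base_delay * 2 ** min(over - 1, 32))
        self._state[account] = (failures, self.clock() + delay)
        return delay

    def record_success(self, account):
        """A correct login clears the failure history."""
        self._state.pop(account, None)


def attempt_login(throttle, account, verify):
    """Return (accepted, retry_after_seconds).

    `verify` is a zero-argument callable that checks the password hash.
    It is not called at all while the account is locked out, so guesses
    sent during the lockout learn nothing.
    """
    wait = throttle.retry_after(account)
    if wait > 0:
        return False, wait
    if verify():
        throttle.record_success(account)
        return True, 0.0
    return False, throttle.record_failure(account)
```

The server should return the same generic failure response whether the password was wrong or the account is locked, with the wait time exposed only as a retry hint.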