Multiplayer Protocol Failness (@Redigit) Fix Multiplayer Security!

Problem!

Terraria's Multiplayer Protocol gives the client way too much control over the enviroment and actions it can perform, more of this needs to be server side simulated in order to stop the griefing, cheating, and multiplayer abuse issue at the root and once and for all!

Technical Docs/List:
https://docs.google.com/spreadsheet...DNfcWVwUkhjcUFrLTI1eS01cG1fR0E&hl=en_US#gid=3

Suggestion?

Go minecraft style, Server side inventories mode, players submit actions like switch item and left/right click at x and y.
Seriously, don't let the client be in control of that stuff.

Refer to minecraft's protocol:
http://mc.kev009.com/Protocol

This. Fix it now Redigit, KThx.

Supported By:
TShock Development Team:
http://tshock.co/xf/index.php?threads/terraria-server-security.465/

TDSM Development Team:
http://tdsm.org/index.php/topic,734.0.html

Adrenic and ADSM:
http://adrenic.net/forum/threads/444/

-Zidonuke

Agreed, protocol allows for the client to be overpowered.

Redigit is too lazy~

Would like to mention thanks to TShock for supporting this feedback!

http://tshock.co/xf/index.php?threads/terraria-server-security.465/

Yes please, i recorded this hacker on our server blowing everyone even though explosives were banned and all... This is unacceptable... Please do something, terraria multiplayer is getting less people...

I'm just gonna go ahead and say I disagree with everything in this thread since the point I was gonna make loops back to general disagreement.

Thanks to TDSM for supporting this issue, read about it here!
http://tdsm.org/index.php/topic,734.0.html

Explain.. fan boy's think redigit is some sort of idol. Putting a server around try-catch statements, does not solve exploits. The Terraria protocol means players can run rampant across servers. Its a disgrace to coders.

What try-catch statements?

You know for a fact that Redigit knows the problem. You should also realize they will probably not do anything at all about it until sometime after the holiday update. If even then. Snowmen with Fedoras are more important, ya'know?

My community depends on our server being secure to prevent people from ruining the experience.
My first time ever playing Terraria I joined a server and immediately someone named dynamitefun joined and spawned dynamite everywhere.

I love single player but once you beat the game single player gets old. In order to keep the players playing and interested you need mutliplayer, and this game being in its current state is unplayable on multiplayer.

I believe that most people that play online would agree the servers need more control and the clients limited.

I fully support this as well. Just this morning I had to reload my map because a griefer used an exploit in the Terraria protocol to generate explosions without building permissions. Allow me to show you what the spawn looked like afterwards.



That hole goes all the way down to the underworld. The server runs TShock and requires users to be approved to build, yet because of the security flaws with Terraria's protocol anyone with the right griefing client would be able to do this, on virtually any server they can join. Anyone else see a problem with this? I sure do.

This needs fixing

Mother of GOD bumpin.

Definetly needs to be fixed.

Im curious as to why the creators of terraria do not want to address these exploits? I'm no coder, but almost every other multuplayer online game that i do play tries to proactively stay in front of these types of exploits. This appears to be very simple in nature though and leaves me to wonder what the purpose of multiplayer terraria is. I run a public server but it doesnt seem that is what Red really wants with this game.

The client has that much control?

Shit, I don't know jack about multiplayer programming(nor client/server interaction programming), but even I know that's a no no.

As much as I support the idea of this thread, unfortunately unless Redigit intends to actually do something about this, this thread is likely to just give griefers more knowledge of what they can do.

That link to the exploits is public and handed out everywhere by the Tshock team, potentially all other server modders do the same. Zid released his exploit client mod yesterday( was closed because of the slight distribution of code ) but it shows how easy( relatively speaking ) to grief ALL servers, including modded ones. There is only so much we can fix without the client getting nerfed. Point is, its easy for griefers to get their hands on grief clients. It takes one person to fix the vanilla code, and lets be honest, people have thrown themselves at redigit telling him THEY will fix it for him. What more could a guy sitting on piles of cash want than people asking to do his job for free.

I hear you Olink. This is very disturbing...this kind of stuff should never have existed...but even now that it does, it's even worse that Redigit isn't doing anything to fix it...or even letting others do it for him. Terraria is a fun game, but it's honestly all in the Multiplayer, and with it in this state...*sigh*

Truly a shame.

well i think its partly because they did not mean for terraria to sell as a multi player game. Terraria sells more as a single player or small co-op game rather than full pledged multi player game. i.e. Terraria devs don't make money from people playing multi player at all. They don't host large servers and charge money for it. They just make the game. And in order to make money from the game they need to make it more alluring to people who haven't bought it yet, thus it would stand to reason that adding new content (as long as it doesn't make the game unplayable) would always come first rather than fixing security exploits. The point being : They don't make money from old players, they make money from new ones, and having these many security exploits multiplayer side doesn't affect they're sales by much i'd reckon. Put yourself in a prospective buyer's shoes. Would you deter from buying this game just because it has some issues in multiplayer? probably not. You'd most likely still wanna try it out and play single player. howver like some people on this thread already said, SP gets old fast once you've cleared it. So people tend to inevitably head to multiplayer or just stop playing the game at all. However looking from the dev's stand point, this is not even considered a loss since that player already bought their game.