FS#4714 - Client ID

Attached to Project: OpenTTD
Opened by Ben (Sc00by22) - Friday, 05 August 2011, 16:23 GMT
Last edited by andythenorth (andythenorth) - Tuesday, 15 August 2017, 19:15 GMT
Type Feature Request
Category Network
Status Closed
Assigned To andythenorth (andythenorth)
Operating System All
Severity Medium
Priority Normal
Reported Version 1.1.1
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No


Currently there is no unique identifier for a client, this brings up some obvious problems when it comes to banning users. Banning by IP address is only a temporary thing because most users will have a dynamic IP, the only way to stop them coming back at the moment is banning their entire IP range, which has side-effects. What I suggest is that each client has some kind of unique identifier to make it easier to ban people, this could be generated with some sort of algorithm using their MAC address or similar identifier that it is truly uniueq. Of course this could still be broken but only experienced users will be able to do it.
This task depends upon

Closed by  andythenorth (andythenorth)
Tuesday, 15 August 2017, 19:15 GMT
Reason for closing:  Won't implement
Additional comments about closing:  Client-side security is a fool's errand. Any system can be trivially circumvented by anyone with experience.

Also Flyspray clean up: more than 5 years old, and not obvious what should be done with this next, so closing. If this offends, discuss with andythenorth in irc. Thanks.
Comment by Alberth (Alberth) - Saturday, 06 August 2011, 07:49 GMT
Unfortunately, so far nobody has been able to come up with a good enough way to produce an unique identification that cannot be easily spoofed.
Many proposals rest on the idea that a 'bad' person plays by the rules, which is simply not true. (Otherwise, he would not be considered 'bad', would he?)

Until a way has been found (which I personally believe to be close to impossible), you'll have to use non-technical means to solve the problem.
Comment by Remko Bijker (Rubidium) - Saturday, 06 August 2011, 08:21 GMT
We have had such an unique ID for clients, however... those that were doing the bad things just changed the ID an rejoined to do bad things. Out of this history I deduce that people capable of changing the unique ID are also capable of wanting to destroy your game.

Even then, the MAC address is not unique. All and any method to generate an unique number can be modified at will be the person doing the bad stuff, i.e. it would be trivial to change the unique number to something generated everytime OpenTTD starts.

Alternatively you could think: heh, just make an account system where people have to make an account. Then we can just ban those accounts. Again, creating a new account is trivial. Email addresses are easily created, and as you said IP addresses as well. So there is no way to uniquely identify someone with that.

All in all, there is no method of uniquely identifying someone.
Comment by Ben (Sc00by22) - Saturday, 06 August 2011, 21:55 GMT
I know that it COULD be broken, but not everybody will know how to change their unique ID, it's better than nothing at all to be honest.
Comment by Ingo von Borstel (planetmaker) - Monday, 08 August 2011, 17:30 GMT
The knowledge that you get a new ID when you simply re-install the game is not that far-fetched and hard to guess nor try.
Comment by Ben (Sc00by22) - Monday, 08 August 2011, 17:32 GMT
Who said anything about tying it to the install? That would be useless.
Comment by Alberth (Alberth) - Wednesday, 10 August 2011, 09:02 GMT
If we add an ID handling mechanism to the program, people will expect that it actually works. Since implementing a breakable ID mechanism doesn't work, people will swamp us with bug-reports with "the ID can be spoofed". We have no way to deal with those reports, since we don't have a non-breakable solution.

I think it is preferable to be clear that OpenTTD cannot replace active managing of a server and its community, rather than presenting a "solution" that does not actually work.

Until a good non-spoofable way to create unique IDs has been found, you are going to have to deal with those users that know how to break the ID generation.
Since you need to do that anyway, you might as well handle those users that are stopped by an ID in the same manner.

Comment by Radium Mercury (Radium) - Monday, 22 August 2011, 11:53 GMT
Try banning whole IP ranges. Dynamic IP will not help then. However, people might be smart enough to use a proxy!
Comment by Xander Hoogendoorn (xahodo) - Monday, 05 September 2011, 19:26 GMT
What if IP range banning is combined with specific nicknames? so, "yay" is still allowed in, but "boo" is banned, because of his IP range ban.

This can be made worse when you mix in mac address, hdd id and/or cpu type information. Not everybody knows how to (or is willing to) change this information when banned.