Hey,
Replays is a very valuable thing for many WC3 players and there are a lot of archive replay websites. But one thing bothers me: I have no way to check whether replay is “real” or “fake”. The only reliable way to make such validation possible is to force Blizzard servers to sign some data in it.
You can argue that probably nobody tries to make fake replays, what’s the point? But imagine website that records a history of games of specific players or specific map replays. Just a single hacker may flood the website with a fake replays (edited player names/ids, for instance) to increase his own stats or something like this.
AFAIK, custom games are not hosted by Blizzard servers themselves, but Blizzard may require to send some sort of game metadata before game starts from every player in it such as another player ids, map name, map hash, etc. Blizzard would sign these data + current timestamp and response with this signature to every player. Then every N minutes players have to repeat the same by sending some synced value to Blizzard signature server. It should be enough to make more or less reliable way to validate replays.
1 Like
What kind of games would need this feature? DoTA 1?
1 Like
Any kind of online games. Currently, replays are falsifiable. Technically. It’s kinda problematic to edit replay just because checksum algorithm of compressed blocks in replay is obscure for majority of people. But security through obscurity never works.
1 Like
That’s a reasonable idea, although I’m not sure if giving this team any more work is a good idea, if they’re still alive.
I’m not sure what you gain from repeatedly signing a sync’d value from all players during play - unless you’re just trying to validate those that leave partway. If blizzard just signs to verify that players ABC reported matching final sync’d replay hashes with an approximately accurate duration since the game began, and that players ABCD began it, that’s about as validated as you can get. Also, pausing might make the time check less useful.
It’d also be technically possible to create a fake non-blizz-hosted replay earlier then falsely report it to the server if all players are in on it, but I suppose that’s not likely to be a big problem.
1 Like
I’m not sure what you gain from repeatedly signing a sync’d value from all players during play - unless you’re just trying to validate those that leave partway.
As less players stay in-game as less trustworthy would be the final replay. For example, you have 5v5 game, but 4 players are in the same team of “hackers”. They can kick all other players and “fake” replay, even by imitating the all kicked players were still in-game, but then one-by-one lost connection.
If blizzard just signs to verify that players ABC reported matching final sync’d replay hashes with an approximately accurate duration since the game began
It’s the best algo in theory, but I’m afraid it’s very unstable in practice. Like I said above, if player lost connection totally (can’t reconnect), he has no way to send sync signal, but it must not be a reason to reject replay otherwise players would just abuse it.
It’d also be technically possible to create a fake non-blizz-hosted replay earlier then falsely report it to the server if all players are in on it, but I suppose that’s not likely to be a big problem.
Well, every player would have it’s own level of trust and if you spot many replays by people who play exclusively with unknown random players, then you can reject such replays and ban players (on your website with replays).