VROC: Virtual Racers' Online Connection

Security Issues and Disclaimers

As you know, any activity on the Internet poses certain security risks. We are making every effort to protect VROC and its users from hostile attacks, but no Internet activity such as VROC can be totally secure.

The creators of VROC assume no responsibility for any damage or loss arising out of the use of VROC. By accessing the VROC Web site, you agree to this condition. Use VROC at your own risk!

Here are some security issues of which you should be aware.

IP Address Exposure

In the bad old days before VROC 1.1, if you hosted a race using VROC, all users joining your race could see your IP address. Hostile users could conceivably have used this information to attack your machine. Now we conceal this address from the user, and in addition we encrypt it when we send it back and forth between the server and client.

Viruses and Trojan Horses

In order to allow you to host and join races, VROC must be able to launch a program (the sim). In order to retrieve the race list containing information about other users running servers, VROC must be able to open a connection to the VROC server, as well as send and receive TCP/IP packets to and from other users.

These activities require you to override your browser's default security behavior and grant the VROC applet permission to perform these actions.

While VROC has been designed to scrupulously avoid any potentially damaging actions, it is possible for hostile programs to attach themselves to software such as VROC's. Granting any applet these permissions, therefore, does entail a certain risk.

VROC uses a Java applet signed with an electronic security certificate. This assures you that the VROC applet has been tested for viruses and other hostile entities using the latest version of a commercially available virus-checking package.

However, we cannot guarantee that a virus or other hostile component has not eluded our virus-checking software.

How VROC Uses Its Permissions

When you enter a race room for the first time, you will be asked by Netscape or IE whether you will grant permissions to VROC. These are used by VROC for the following purposes:

  1. Launching the sim

    To launch a program on your computer, the applet needs the permissions UniversalExecAccess (Netscape) and EXEC (IE).

  2. Local IP address

    To obtain your local IP address, which is needed for communication between computers to connect and race, the applet needs UniversalConnect (Netscape) and NETIO (IE).

  3. Latency ("ping")

    To allow clients to "ping" the hosts, the host computer needs UniversalListen (Netscape) and NETIO (IE). In earlier VROC incarnations, we used DOS/Windows' ping.exe program (requiring execution privileges). When we began to support IE, however, we found that IE dealt poorly with this approach. Therefore we switched to an internal approach based on TCP/IP sockets.

  4. Options storing

    For speed and reliability, we now store your options data in a .ini file on your computer rather than in a cookie. For this, the applet needs UniversalFileAccess (Netscape) and FILEIO (IE).
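
The socket-based latency check described in item 3, sketched as an added example for a current JDK; it is not VROC's own code. The 8-byte nonce echo, the timeout value and the class and method names are assumptions, since this page does not document VROC's wire format. The host side listens, which is the role item 3 says needs UniversalListen or NETIO, and it is kept deliberately small: one fixed-size read, one echo, then close.

```java
import java.io.DataInputStream;
import java.io.IOException;
import java.net.*;
import java.security.SecureRandom;
import java.util.Arrays;

public class TcpPing {
    static final int NONCE_LEN = 8;      // fixed-size probe; the listener never reads more
    static final int TIMEOUT_MS = 2000;  // bound every blocking call (assumed value)

    // Host side: accept one probe, echo exactly NONCE_LEN bytes, then close.
    static void serveOnce(ServerSocket listener) throws IOException {
        try (Socket peer = listener.accept()) {
            peer.setSoTimeout(TIMEOUT_MS);
            byte[] nonce = new byte[NONCE_LEN];
            new DataInputStream(peer.getInputStream()).readFully(nonce);
            peer.getOutputStream().write(nonce);
        }
    }

    // Client side: round-trip time in milliseconds, or -1 if the echo does not match.
    static long ping(InetAddress host, int port) throws IOException {
        byte[] nonce = new byte[NONCE_LEN];
        new SecureRandom().nextBytes(nonce);
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(host, port), TIMEOUT_MS);
            s.setSoTimeout(TIMEOUT_MS);
            long start = System.nanoTime();
            s.getOutputStream().write(nonce);
            byte[] echo = new byte[NONCE_LEN];
            new DataInputStream(s.getInputStream()).readFully(echo);
            long rttMs = (System.nanoTime() - start) / 1_000_000;
            return Arrays.equals(nonce, echo) ? rttMs : -1;
        }
    }

    public static void main(String[] args) throws Exception {
        InetAddress loopback = InetAddress.getLoopbackAddress();
        try (ServerSocket listener = new ServerSocket(0, 1, loopback)) { // port 0: any free port
            listener.setSoTimeout(TIMEOUT_MS); // accept() gives up if no client arrives
            Thread host = new Thread(() -> {
                try { serveOnce(listener); } catch (IOException e) { e.printStackTrace(); }
            });
            host.start();
            System.out.println("rtt ms: " + ping(loopback, listener.getLocalPort()));
            host.join();
        }
    }
}
```

Because the probe needs only a listening socket and an outbound connection, the ping itself no longer depends on permission to execute a program such as ping.exe.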