Security Issues and Disclaimers
As you know, any activity on the Internet poses certain security
risks. We are making every effort to protect VROC and its users
from hostile attacks, but no Internet activity such as VROC can
be totally secure.
The creators of VROC assume no responsibility for any damage
or loss arising out of the use of VROC. By accessing the VROC
Web site, you agree to this condition. Use VROC at your
own risk!
Here are some security issues of which you should be aware.
IP Address Exposure
In the bad old days before VROC 1.1, if you hosted a race using
VROC, all users joining your race could see your IP address.
Hostile users could conceivably have used this information to
attack your machine. Now, we conceal this from the user, and
in addition we encrypt it when we send it back and forth between
the server and client.
Viruses and Trojan Horses
In order to allow you to host and join races, VROC must be
able to launch a program (the sim). In order to retrieve the
race list containing information about other users running servers,
VROC must be able to open a connection to the VROC server, and
to send and receive TCP/IP packets to and from other
users.
These activities require you to override your browser's default
security behavior and grant the VROC applet permission to perform
these actions.
While VROC has been designed to scrupulously avoid any potentially
damaging actions, it is possible for hostile programs to attach
themselves to software such as VROC's. Granting any applet these
permissions, therefore, does entail a certain risk.
VROC uses a Java applet signed with an electronic security
certificate. This assures you that the VROC applet has been tested
for viruses and other hostile entities using the latest version
of a commercially available virus-checking package.
However, we cannot guarantee that a virus or other hostile
component has not eluded our virus-checking software.
How VROC Uses Its Permissions
When you enter a race room for the first time, you will be
asked by Netscape or IE whether you will grant permissions to
VROC. These are used by VROC for the following purposes:
- Launching the sim
To launch a program on your computer, the applet needs the permissions
UniversalExecAccess (Netscape) and EXEC (IE).
- Local IP address
To obtain your local IP address, which is needed for communication
between computers to connect and race, the applet needs UniversalConnect
(Netscape) and NETIO (IE).
- Latency ("ping")
To allow clients to "ping" the hosts, the host computer
needs UniversalListen (Netscape) and NETIO (IE). In earlier VROC
incarnations, we used DOS/Windows' ping.exe program (requiring
execution privileges). When we began to support IE, however,
we found that IE dealt poorly with this approach. Therefore we
switched to an internal approach based on TCP/IP sockets.
- Options storing
For speed and reliability, we now store your options data in
a .ini file on your computer rather than in a cookie. For this,
the applet needs UniversalFileAccess (Netscape) and FILEIO (IE).
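The socket-based latency check described under Latency ("ping") can be sketched as follows. This is an added example, not VROC's own code: it is written in Python rather than as a Java applet, and the names start_echo_host and tcp_ping, the probe bytes and the loopback address are assumptions made for illustration. It shows why the host side needs a listen permission and the client side a connect permission, while neither side has to execute an external program such as ping.exe.

```python
import socket
import threading
import time


def start_echo_host(bind_addr="127.0.0.1"):
    """Host side (hypothetical helper): listen on a TCP port and echo probes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind_addr, 0))          # port 0: let the OS pick a free port
    srv.listen(8)                     # this is the step that needs "listen" rights

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:           # listener gone: stop serving
                return
            with conn:
                conn.settimeout(2.0)  # a stalled client must not block the host
                try:
                    data = conn.recv(16)
                    if data:
                        conn.sendall(data)
                except OSError:
                    pass              # drop broken or slow probes, keep serving

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def tcp_ping(host, port, timeout=1.0):
    """Client side: round-trip time in milliseconds, or None if unreachable."""
    probe = b"vroc-ping"              # constructed probe payload
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
            start = time.perf_counter()
            s.sendall(probe)
            reply = b""
            while len(reply) < len(probe):
                chunk = s.recv(len(probe) - len(reply))
                if not chunk:         # host closed before echoing everything
                    return None
                reply += chunk
            elapsed = time.perf_counter() - start
    except OSError:                   # refused, timed out, or reset
        return None
    return elapsed * 1000.0 if reply == probe else None
```

The measured time covers only the echo round trip, not the TCP handshake, so it approximates what an ICMP ping would report for a host that is already reachable.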