Gil.9346:

Hi,
I’m creating an overlay right now using the API, MumbleLink and my own server.
I have the positions of WvW players on my server sent from the overlay client, doing some kind of grouping and send position information back (not all).

I want to asure noone can get this informations without my overlay client and that the client cannot be compromized to reveal enemy players positions.

Basicly I will use SSL for connection of course, I will also use client obfuscation and an encrypted data format to protect the data connection.

But I also need two more things from the MumbleLink data to verify the sent information and authenticate the user.

First I need the HomeWorldId. The worldId is currently not set when 1) on overflow 2) in WvW. I will ask the user to login to his homeworld when the client starts for the very first time to get the id, but this can be fooled by guesting on another server, switching back, logging into an overflow map and then join WvW via the portals in LA or directly for example. I simple don’t want to look after the worldId and save it to the registry or exclude players that are on a overflow map, so please add the HomeWorldId to the Players identity or make sure the correct worldId is set in WvW. That would be even easier

Second the MumbleLink Data itself can be manipulated by creating a little program, let GW2 run to bypass process check and write the data by yourself. As my overlay client cannot check for the vality of tha data and the game write to MumbleLink only when yours actually on a map this can be used to pretend another worldId and doesn’t even require to hack the overlay client.

So can GW2 include some kind of fingerprint that then can be checked against the API to verify that a player is actually really on a map in game? I think that would be enough to protect the players positions. Correct me if I’m wrong.

These are my basic concerns before I can release a serious overlay application into the wild that hopefully many will use to expand their WvW experience and noone can compromize (I hope).

Please help me with those issues, thank you very much.

Greetings,
Gil/Comes Mors

Elona Reach[DE]

PS: I’m not good at math. Has someone a simple example how to get the direction the player is looking in degrees relative to the north (= 0°, South= 180°) from MumbleLink data (which field)? Cannot search the forum afaik. Thanks!

smiley.1438:

Regarding security: If you use the concept of a “shared key”, “stealing” data is pretty impossible – this was also one of my concerns. Regarding maths’n’stuff, have a look at mine and Heimdall’s repos over here (or this thread too):

https://gw2apicpp.codeplex.com/ (C++ Mumble link part)

https://gw2apicpp.codeplex.com/SourceControl/latest#GW2API_Upload/Gw2Maps/Position.cpp

	//Avatar View
	sprintf_s(num, NUM_SIZE, "%s%d,", J_AVATAR_FRONT, mod((atan2(image.fAvatarFront[2], image.fAvatarFront[0])*180/PI), 360));

https://github.com/codemasher/gw2api-tools/blob/master/examples/gw2location-receiver.php (receiver for the Mumble link data)
https://github.com/codemasher/gw2api-tools/blob/master/sql/gw2_player_pos.sql (SQL database schema)
https://github.com/codemasher/gw2api-tools/blob/master/examples/gw2location.html (web frontend)
https://github.com/codemasher/gw2api-tools/blob/master/examples/gw2location-ajax.php (ajax part of the web frontend)

Gil.9346:

Thank you for your answer. Heimdall has contacted me by PM also (I wrote back yesterday)

The purpose of my overlay is exactly to view multiple groups/all groups on a map. Thus I just want the player to select a color and he/she is done. “Shared Keys” are a good solution for closed groups but not for my purpose I think.

So the secret key is in my case the not so secret worldId + mapId. If I can have those two by the mumble always correct (no worldId in WvW/on Overflow) and I can asure it cannot be faked (my second point about the fingerprint) there would be no need to even interact with the overlay at all.

Can I please ask a developer to look into those issues. As long as the worldId is not set everywhere or I can get the Home WorldId and as long as there is no way to verify the MumbleLink Data is actually really from GW2 I cannot release my overlay.

Thank you and Greetings,
Gil/Comes Mors

Terrasque.8735:

  1. Register user
  2. Give user unique key
  3. Let user input that in the position program
  4. Players with admin right to relevant group(s) can add him via username