We are currently utilizing a dedicated server from OVH. Additionally, we have attempted to utilize different external IP addresses for API requests in completely different subnets and have still encountered the issue.
We will attempt to utilize the API endpoints you have provided and see if it resolves the issue.
I’ll report back with my findings.
Yes, it is undesirable for HTTP to be utilized for the token in 2022, but it is just a token. If it were usernames/passwords, then that would be a big problem. Sniffing attacks present a security risk, especially for users utilizing public/shared connections. Being realistic though, I doubt a threat actor exists that is listening in on public WiFi in hopes of someone utilizing Legacy Minecraft so they can steal their token and change their skin and join some premium servers on that name.
The more significant risk is that Alpha & Beta versions of the game do not have any encryption regarding communication between the server and the client. That means the current cracked solution of utilizing /login and /register commands is probably a much larger risk to end users as those passwords could be intercepted and could be used on some of their other accounts, such as emails, bank accounts, etc.
I hope Codie's solution is adopted, as it is probably the easiest and safest; however, due to the issues with Legacy Launcher, it is unlikely to receive an update anytime soon. Thus, I believe any method, including tokens over HTTP, is still a significant advancement in security for the Legacy community.
The idea of community-based cracked infrastructure might have to come to fruition; however, many servers desire to operate in online mode. One of our most significant administrative burdens is when people ban evade, alongside dealing with name squatting. Mojang-supported authentication is one of the easiest ways to reduce administrative burdens, with Mojang ensuring everyone playing online owns the game. I know Legacy Minecraft has become a bit of a haven for cracked players; however, as a server owner, I would much rather drop this portion of the player base that causes a disproportionate amount of issues on servers and create a safer environment for my players.
Solutions like Beta Evolutions allow for hybrid authentication with modified clients/launchers; however, servers see significant drops in player counts when they require third-party software. Further, on this point, a Mojang-led solution will be more secure as users don't need to download third-party clients/software, which could be a potential risk/attack vector.
I believe forced migration shouldn't factor into anyone's opinion on this. It is still better for this issue to be solved and give servers the choice of online mode. Worst case, servers can work on hybrid authentication solutions for specific users who don't want to migrate.
Actually include the correct URLs for the server-side of authentication.
I agree with what himblez has said regarding communication from Mojang. Most users I have talked to are concerned about how seriously Mojang takes issues on this site with some “critical” and “important” issues going for years without being resolved. We have been incredibly lucky to get a message from a Mojang employee considering many of these critical and important tickets go ignored. At the moment Wenlan Yang has stated “Unfortunately we do not have ETA right now. Sorry about that.”, however, that doesn’t sound like they have investigated or approved fixing this bug yet. I would personally love a clear response regarding if they “will look into it”, “will fix the issue” or “issue won’t be fixed” so we can plan for the future.
Would love to know if Mojang is still planning to do this so we can plan development.
Hello,
I currently have been operating another large Beta server since 2016 and have experienced how active the community is. An entire community has formed around Legacy versions, with players making servers, mods, and fixes for bugs. Our server has seen at least 15 thousand members since late 2018, with our stats system recording 34k playtime hours over the last 10 months, proving people's interest in the Legacy community. Sadly, servers have long been plagued with cracked and alternative accounts that can destroy communities for everyone. I am sure everyone understands that Beta and Alpha are 8+ years old, but please help us.
I know Alpha, Beta, and some early release versions are affected.
Since implementing the new API endpoint URLs, we haven’t experienced any API errors.
However, due to the instability of the old endpoints, Mojang should either disable them or make them more stable.
I would still consider this as a valid bug/ticket until the old endpoints get fixed or removed.