Best option for securing 1000+ websites (SSL)

My company manages well over 1000 sites for various clients. Currently, we are paying for a Standard DV certificate for each individual site ($ 94.99 from GoDaddy). We are easily spending over $ 100k per year on SSL certificates alone.

I know there has to be a better option when securing this many websites. From GoDaddy, there is an option for using their ACME Server and automating it, is this feasible for the amount of sites I have? Should I be using a wildcard cert for our company to secure our client sites?

Securing a replay-based leaderboard system (as much as possible)

A few years ago, I implemented a basic online leaderboard system in one of my games that sent encrypted score data over the wire. The encryption keys were stored in the game client’s binary. Of course, the leaderboards got hacked the same day they were released.

I have now released a new game on Steam, and I’ve worked hard to implement fully-deterministic game logic and a replay system.

The replay system works by simply replaying the user’s input that was recorded in a previous playthrough. The fully-deterministic game logic ensures that the replay will work on any machine, independently of the game’s FPS.

Now, it is time for me to implement online leaderboards.

My idea is to create a server version of the game executable which receives replay files over the network, replays them on some remote machine, and adds the score to a database if the replay data is valid.

While this prevents cheaters from simply sending a fake score to the server, it opens up many other cheating avenues, including:

  • Tool assisted creation of replays, either by slowing down the game speed or by manually crafting a replay file after reverse-engineering its format (the game is open-source).

  • Taking someone else’s replay and sending it over the network, changing data regarding who the replay belongs to.

I could somehow encrypt and compress the replay data before sending it over (or saving it on the user’s local machine), but since the game is open-source, it would be easy to reverse-engineer the encrypted replay format.

What is a good way of securing a replay-based online leaderboard system?

One possible idea I had is to have the server generate an encryption key / token for a specific user which is only valid for a small amount of time, send it over to the client, and only accept replays that are encrypted with that key. This would prevent users from uploading older replays to the server, but in theory it should work — am I missing something?

Securing internet connection with hostile ISP

Please excuse the lack of details, you can understand why. I have a friend in a foreign country who is certain that he is a surveillance target of his local government. Other people he knows in his same category have already had their internet connections spied on, and seen contents of their emails leaked. He refuses to use his local ISP because the government runs it, so he uses another means of internet but which is very unreliable.

He really would like to use a landline ISP for it’s stability, but knows he can’t trust it. I thought of setting him up with a serious firewall (like pfSense) with a permanent VPN tunnel to a provider that is based outside of his country.

Given these considerations, would this be a safe solution? Or rather if the ISP is compromised, are all bets off?

Just adding basic token by POST parameter for securing the API. It is safe?

Let’s say I have an address for an API like this:

mywebsite.com/api/mydata 

If accessed, a JSON will appear like this:

[   {     "id":"1",     "name":"John"   },   {     "id":"2",     "name":"Smith"   } ] 

The result defaults will be displaying the entire data if a post has no parameters. If you use post "ID" and the ID parameter value is one of the existing data in the API, it will only display objects from the data selected based on the ID. The API can be accessed by anyone. API needs to be accessed using token parameters to secure the data.

Let’s say I add a token parameter to be able to access data like this:

yourtoken="yourtoken"  if (post_param[token]==yourtoken) {   // Displaying JSON } 

so if you want to open the API, you need to add a token parameter.

Is simple security like this worth using? what vulnerabilities will arise if I use this? is there a better way than this?

Securing application server for a single user

I’m building some simple dashboard app for myself, but I want to have them on multiple devices – hence the server and front end. As I will be the only user who will access the application server, what security should I implement.

Stack: Postgres Ktor (Kotlin) server, HTTPS, only REST API Front end

I’ll run AWS Lightsail instance since I don’t need anything heavy. Postgres and application server will be there, with only ports 443 and 22 open. Front end will be on S3 with CloudFront.

I’m doing this because it’s easier for me to make a browser "app", than to make an Android app + something for desktop and keep them in sync.

I’ll be using the app from multiple networks. At home (where I don’t have a static IP, which would solve some of the problems), from mobile network, from work, when traveling to other countries, etc.

For background, I’ve been working on server for almost 3 years, Spring + Hibernate, Postgres. I have a fair knowledge of linux, hosting a server on it, some of AWS services and basic knowledge of database administration. I’ve done a bit of front end, but I’ll have to get back to that soon. I have almost no knowledge of security beyond basic JWT and SSH.

Can I use my own implementation of a widely used, supposedly secure cryptographic algorithm for securing data at rest?

I know you shouldn’t roll your own crypto and generally its not a good idea to implement (and then deploy) any extensively tested and recommended algorithms by yourself either.

I have already seen this question, and as far as I understand, the main problem with implementing things yourself is that you will probably remain vulnerable to a host of side-channel attacks.

But suppose I have already implemented AES (just for fun and as a learning experience). What if I now use that implementation for simply encrypting files locally (and then perhaps back them up on the cloud or on removable media)? Since nobody other than me would be using the implementation, most of the side channel attacks would not apply. For instance, since no attacker can request an encryption/decryption (the way it works with a server), no timing attack can be carried out. Would this scenario be sufficiently secure?

In other words would using my own implementation of AES provide security for data at rest or will using it still be a stupid idea?

Securing a Linux VPS: is it rational to be terrified?

Like so many others on the web, I’m an intermediate web developer who is starting to get into the security side of things and I’m looking to start running a VPS. For years, I’ve resisted the move to VPSs because of the security implications. There are many, many guides available on the internet and even questions on this StackExchange.

However, I’m still terrified about exposing the server by missing something (because as we all know just because somebody writes a blog post doesn’t mean they know what they’re talking about). Am I overreacting by making a mountain out of a molehill? Is hardening a VPS actually possible for a non-expert?

Securing media uploading to the cloud from reverse engineering

I own an RPG multiplayer game written in Java, where players can fight each other in the game.

Recently I planned to invent a new feature, where the last 15 seconds of your fight and the “knockout” will be saved and a gif will be created of the fight’s ending and automatically uploaded and can be linked to your account and viewed on the game’s website gallery.

Strategy I planned to use:

  1. Server sends a start-recording packet to the client to start recording the graphics buffer
  2. Client will clear the buffer and only keep the latest 15 seconds (X frames) of the current fight.
  3. When the fight ends, server sends stop-recording packet, this packet will contain a pre-signed URL generated by the server in which the client will use to upload the gif that the client will create in this step. the presigned URL will have the user’s ID encoded so that way it is linked, and a record will be created in the database aswell on the presign or on upload callback.

Might use AWS S3 as my storage.

What is the issue?

People can reverse-engineer my client, and can basically start fights and upload any gifs that they would want to, pornographic and unrelated content.

Is there a way, besides image-processing to solve this issue\?