Hello there, my western friends. Today is a grievous day for all of us. The veil has been lifted, the future has been revealed, and we are submerged into horrific awareness that Minecraft, the game we once loved and admired, will never be the same again. I wish not to be the bringer of this news, but it is my obligation to speak the truth, however unpleasant, until it’s too late. We have all been betrayed, and we must know it.

All right, on a less serious note, this video is going to be about a couple of things. I’m gonna start with some of the changes that were introduced in 1.19, specifically cryptographic signatures on chat messages, as well as on the “show secure chat” option that was added along. I’m gonna explain why that option doesn’t work as advertised and cannot actually help the user be sure of authenticity of received chat messages. Then I’m gonna cover the feature we were introduced to in snapshot 22w24a, the infamous player chat reporting, you know, how that works on technical level. And finally, I will outline my thoughts on all this, more specifically why am I so concerned with those features and why I think none of this should have been. So I hope you’ll find my accent bearable for the next 20 minutes or so. Let’s get this done.

Now, in order to understand how message signatures work in Minecraft, we have to first understand three things: private key, public key and signatures. Those are very basic terms in cryptography; you can skip this part if you already know them. For everyone else, I will try to briefly explain what it is.

So, signature is something that can be generated against an arbitrary data using private key and then validated against the same data using public key. The data analysis can be anything: audio, images, executable files, plain text, basically anything that can be represented as a sequence of bytes. Since we’ll be working with chat messages, obviously we’re most interested in text, but there’s going to be a couple other things that go into this. As you’ve seen, the public key is
something that is derived from private key and allows you to verify that signature was generated using that private key without knowing what it is. So if you have private key, you can both generate and validate signatures, but if you only have public key, all you can do is take existing signature and see if it was generated against specific data using associated private key. I realize a lot of this can sound confusing, and I’m skipping on a lot of details here, but I’ll link a couple of sources in the description if you want to learn more. For now we’ll try to work with this, and hopefully it will make more sense further.

Now let’s take a look at how all of this is used and handled in the Minecraft itself. I would show you the actual code here, but, you know, things are a bit, um, complicated in there, so you know what, let me show you a flowchart instead. Because as much as I hate it, the technology behind this is actually quite fascinating; you know, I learned a couple interesting things while I was trying to examine how it all works.

And here our journey begins, way before we actually try to log in to any servers or load up any world. Our journey begins as soon as we try to start up our client, because at this point we communicate with Mojang’s authentication service and we request a private key associated with our account and a public key that is derived from this private key. Now, along with the public key we’ll receive a signature that is issued by Mojang against this public key using their own private key. We don’t know what their private key is and we don’t have to know; all we know is that it exists and they are the only entity in the possession of it. This signature will prove important later.

Now, when we try to log in to a server, we send to the server our public key and the signature that we received in this step. What the server does then is, once it receives that data, it tries to verify the signature using the Mojang’s public key, which it grabs from authentication library. You have that
as soon as you download the game or as soon as you download the server distribution. And by verifying the signature, the server can be certain that the key you sent to it is actually issued by Mojang for existing Minecraft account. However, what is important to notice in this step is that this signature is generated only against public key. It does not include any other data; it does not include your account name, your account id. So the only thing the server, and by extension all other clients that will receive this data from the server, can know about your public key is that it was issued to existing Minecraft account.

As soon as server is certain that our public key is legitimate, it communicates some data about your account to other players who are at the time on the server. It sends game profile info, this is a couple of basic things such as your name, your user id, and it sends the public key and the signature that it received from the client. And again, important part to notice here is that the profile info, it kind of comes separate from this public key and signature, because again, the signature has nothing to do with the profile info. So other clients kind of just have to trust the server that the public key it sends to them with the signature were actually issued for this game profile, not for some other game profile. Once they receive that data, each one of the clients will try to verify this key with the signature and with Mojang’s public key that they grab from their own distribution of authentication library.

Now let’s examine what actually happens once all of that is done and you try to send a message into the chat. So suppose you enter some text and press Enter. As soon as you’ve done that, the client will try to collect some data. Obviously this is going to be the text that you entered, but there are going to be a couple other things. One of them is going to be salt, which is basically just randomly generated, pretty long number; I will explain a bit later why this is important
and what role this accomplishes. It’s also going to be your user id, unique id associated with your Minecraft account, and this is going to be the timestamp, the exact time on your computer when you have sent this message. It grabs all this data, it grabs private key, which again it received when starting up, and it uses that to generate a signature against all this message data, and it sends the message data and the signature to the server.

What the server does upon receiving all that is it grabs, again, stored public key that you have sent to it in a previous step, and it uses that to verify the signature, to be certain that you are the owner of legitimate private key that was actually used by you to sign this message, and that the data the server receives is the same data that you tried to send to it. Then the server, after it has done its verification, it also grabs some other data about you, which is again your user id and the name of your account. And notice that we send user id to the server in message data; however, here it isn’t separate for no reason, because the server will actually try to fetch the user id that it has stored for your account separate. All right, so it’s gonna ship info and message data separately, and those can include different user ids.

So it grabs sender info, it grabs your message data and the signature, and relays it to all other clients that are connected to the server at the time, including your own client. Because when you type the message into the chat, your client does not immediately display that message; it only sends packet to the server with that message, and then it waits for the server to return a packet that will verify that the message was actually added to the chat. Because, you remember, there are plugins, for instance, that allow to mute players, to prevent them from sending message into the chat, and obviously when you are muted with this kind of plugin you don’t see your own messages being added into the chat, you know, you just see the error
response from the server. So the server can actually refuse to add your message to the chat, and you will see that. Likewise, you can actually alter your message when adding that to the chat. Commonly where this is used is, again, this is used with plugins that allow you to have color formatting in your nickname or allow you to have colored text in your messages, so the server can add all that before it returns the message to all the clients.

So it grabs all the data, it sends it back to yourself and sends it to other clients as well. You obviously don’t need to verify your own signatures, but you’re actually gonna do that; it’s just not crucial here. But for other clients it’s going to be important to verify this signature, so they grab stored public keys that, again, they have received in this step, and they verify the signature that they get along with the message data. If the signature matches, they proceed to display the message in the chat screen.

Now, what if the signature doesn’t match, or what if actually there is no signature? Nothing will happen by default: the message is still going to be displayed in the chat. However, if you have “Show Only Secure Chat” option enabled in the game settings, the message will not actually be added to the chat. And in both cases there’s going to be a warning added to the game’s log that indicates that you have received unsigned message or message with invalid signature.

Now you basically know how this works. Now, what salt does, why this was there: what the salt accomplishes in this system is that it allows to protect against double sending attacks. Because once you send this message data and the signature to the server, typically it will relay this message to everyone just once, but since all the data and signature are valid, it can try to send this message multiple times to make it appear as if you have actually sent your message not once but more than one time. So the salt kind of adds a layer of protection against that, because you can be pretty sure
that the salt is going to be random every time. So if clients receive a message that has exactly the same content and was sent at exactly the same time but it has different salt, they can be sure that this message was actually sent by you, both, or, you know, however many messages they received, they were all sent by you, because salts are going to be different. This means that you have actually generated those messages independently. However, if the salt is going to be the same, they will have a reason to suspect that this message was actually sent by you only once and it’s the server playing tricks on them.

As you can imagine, the “Show Only Secure Chat” option in theory kind of allows us to be certain that the messages we receive on the client are actually messages sent from other clients, so that the server, the middleman in all this, doesn’t tamper with the contents of the message. But let’s examine some glaring holes that exist in this system when we try to use it like this.

Let’s go to the previous chart, and here again, remember the step when we sent to the server our public key and signature, and remember that I told you that the public key, even though it was issued to legitimate Minecraft account, and that the server and other clients can verify this fact because it is signed with Mojang’s private key, they have no idea what account this was actually issued to. So if you have multiple Minecraft accounts, you can grab the key for one account and send it using other accounts, and this will still be valid. This will still pass all the checks, all the checks on server, on client; everyone will think that the key is legitimate and actually associated with your account, while it isn’t. So that’s one way to exploit the system, right? So everything will work as if you have valid signatures, but those signatures aren’t actually yours, they aren’t generated using your key.

And likewise, remember this step where server relays game profile info and public key and signature. Again, those public key and
signature do not have to be associated with game profile info, so the server can use any game profile info combined with any legitimate signature and send this combination to all receiving clients. Now, this game profile info doesn’t actually have to even exist, because the only thing that clients can actually check is the key, because again, the signature was issued for that key and only that, all right, it doesn’t include any other data about the account. This way server can just make accounts up.

Imagine, for instance, that the server isn’t actually as trustworthy as we would expect from it. What it does is it takes public key and signature from some other account, one very specific account, for instance it’s going to be the server admin’s account, and for every game profile info that it sends, it’s going to send a public key and signature from that one specific account. This way, when someone tries to send the message with the signature, the server, it receives a message, but it will not try to verify the signature; it will just drop it entirely, and what it will do is it will generate its own signature using the private and public key from completely different account. It’s going to attach that signature to the data and again, along with the sender info, relay this to other clients. And when other clients verify the signature, they’re going to be convinced that everything is valid, that this message has to be legitimate, and it’s going to display in the client’s chat screen regardless of whether they have “Only Show Secure Chat” option enabled. And this is a problem, because this way you can modify content of the messages on the server side. You can write anything within this message data, because you can then regenerate the signature. The server doesn’t even have to receive any message data; you can just make it up and sign it on its own and send to other clients.

Another way this can be circumvented is even less technical, because in Minecraft we do have different message types. There’s a distinction
between player-sent messages and, for instance, server messages that are sent by the server, and commonly this is used for notifications, like that the server is going to reload. And the server can actually, once it receives the message data from the user, not relay this as a player message; it can relay this as a server message and attach whatever nickname it wants in the front of it. So you can just convert the message data from player message to server message and not even attach any signature at all, not attach any sender info, just relay that alone to other clients, and they won’t even try to verify the signature, because signature verification is something that’s only done for player messages. They’re going to proceed to display this in chat screen anyways. The end result of this is that the end user is convinced that the message they receive from server are legitimately from the user that it says it’s from, even though it’s actually not that way at all.

So what’s the point then, right? If it can be circumvented in blatant and obvious way, why it even exists in the first place? What was the point? Well, let me tell you, my friends, let me tell you what was the point. Because this system was never actually designed to help us verify messages, no no no no no. This system was designed to incriminate us. It was designed to be used by Mojang and by Mojang alone. That button you see in chat settings, that option, that’s just an afterthought; that’s just someone who has looked at the system and said, “Well, you know, guys, this looks really suspicious, we have to make it appear as if this exists for some other purpose beyond just tracking player messages.”

And now that we talk about tracking player messages, let me explain to you how all this will actually work with chat reporting. Just in case some of you have still not seen it, let’s take a look at how this reporting system works in the game, and then we’ll take a look at what kind of data gets sent to Mojang when we try to generate a report. Here in the social interaction screen
the social interaction screen You now have a button right next to the player name that allows you to report them in the report screen itself there’s a couple of things that you’ll have to do you’ll have to compose a description of what happened what you suppose the player have done wrong You will also have to select a category of your report of which there are quite a few to choose from i’m going to show you every single one of them so that you can read the description and understand what they are about beyond that there will only be one step Left to actually select the messages that you want to report you can select up to 10 obviously they have to be from the player that you are trying to report going back to our categories you can see that there’s some pretty extreme stuff in here like child sexual exploitation Or abuse or terrorism or violent extremism that’s the part where nobody probably has any questions because this stuff is illegal right there’s no kind of minecraft server where this should be acceptable however we do also have things that are completely legal and completely fine on certain servers things like profanity or hate speech Really how much sense does this make in the context of anarchy servers like the famous to b2t for example also for reasons that i’ll dive into a bit later this will not actually affect to be the team or most big multiplayer servers for that matter So i wrote a bit of code that allows me to intercept the data set gets sent to modging when you press send report and here what we get is a json file here you have a type of report this is always going to be chat at least for now i Guess they are considering the opportunity to make reports not for just chat messages but for other activities in the game god forbid this is a description that you have entered this is the reason you have chosen and the most interesting part here the evidence so the evidence isn’t Going to include just the messages that you have selected for reporting for 
every message that you have selected, it’s going to include four messages that were sent before that and two messages that were sent after that, and for every message that’s in here you also have a “message reported” flag that actually tells them whether or not you have selected this message for reporting. Obviously this is going to give them some context. And for every message you have the set of data that we have discussed when we were looking at our flowcharts: we have the profile id, the unique id that is associated with the account that supposedly have sent this message; the timestamp; the salt, which is, as you can see here, completely random number for every message; the signature, which is going to be the most important part, you know, which along with all this data is going to help them determine that the message is legitimate, that was actually sent from the account with this user id. Here we also have the content of the message and again the flag that I just mentioned, and we have a whole bunch of those messages going on.

Beyond the evidence we also have the reported entities, so the player who we have been trying to report; we have the time of creation; we have some client info, right now this is just version; and third-party server info, so what server this actually happened on.

In current snapshot, in 22w24a, you don’t necessarily have to select only signed messages for reporting; you can also select unsigned messages, in which case your report is going to look something like this: you have the salt, which is zero, and you don’t actually even have the signature that we observed in here. But, you know, it kind of defeats the whole point, because without the signature those messages can be just completely made up by whoever tries to create a report. So it’s kind of weird that you can even select unsigned messages for reporting in the first place; I think they will account for this later, in further snapshot or in the actual release.

When we consider all this, this entire system with keys, all of a
sudden everything just falls in place and the system seems to work exactly as intended. Because when someone sends a report to Mojang with the player messages, they are going to take the message data that they receive from the server, they are going to take the signature, the sender info, they are going to package all that into the report and send that. And what’s important here is that Mojang, you know, unlike us: as players we can only receive private and public keys for our own accounts, you cannot receive those keys for any other account, only for your own, the one that you have access to. But Mojang, they can receive keys for any account. So when they receive the report with this data, what they will try to do to validate the signature is they are just going to directly grab the public key that is associated with that account. The public key, nor your private key, is not actually even sent to them, because they can just grab this from their database directly. And when they will try to validate the signature using the key that was specifically associated with your account, that they know is associated with your account, then if the signature is valid, they can have 100% proof that the message was sent from your account. However, if the signature was generated using some other account’s keys, they won’t actually know what account it will be, but when they try to validate the signature using your public key, it will not be validated. So for them there isn’t really a big problem in the system, because people who receive reports cannot actually be tricked into thinking that messages are legit when they aren’t.

However, because we cannot grab the keys directly, we cannot be certain about anything. From this very step, when the client sends public key and signature, we have to trust that client that it sends legitimate public keys and signatures; likewise, we have to trust the server that it relays legitimate key and signature. Mojang don’t have to trust anybody.

And now let’s talk about what I have to
think about all this. As a Minecraft player and a mod developer who has been making mods for 3 years or so, I think that this is incredibly concerning. The thing that I don’t like the most in this system is the tracking capacity that it creates, because just by having this signature system in place Microsoft can already connect messages that you send in chat with your Minecraft and, by extension, Microsoft account, since as we know those are the same thing now. And if you have your billing data linked to that account, now they can even establish a connection between messages in the chat and a real person that they know the name of and where they live. I do not know about you, but I personally really don’t think that I’m comfortable with this idea, especially if we consider that it’s not like I expressed my consent somewhere along the way. When I bought this game none of this was in place yet, but now it’s implemented after the fact, and it’s a bit late to get a refund, is it not?

It’s a good thing that for now the only way they can get their hands on this data is player chat reports, but remember, chat reports already include data beyond what you are actually trying to report. And now that I think about it, maybe they have a reason to actually let you report unsigned messages. Not because they will review those reports or take any action on them, no; they won’t even be routed to moderation team. Instead they will right away be added to the giant stockpile of potentially useful user data. From here we’re just one step away from not even giving the user their private key, but making it so that they have to send every message to Mojang services, and those services will be responsible for generating the signature. And if you refuse to let Mojang know entire history of messages you will ever be sending, they just won’t let you use the chat at all. You know, for something that’s supposed to increase my security and safety, this system makes me feel quite unsafe. Even more so when I consider that, I quote
Mojang on this one, “this is the first step in a process”. This unfortunately means that they already have an approved, triple-stamped internal roadmap for implementing even more ways to track and constrain players in their game, and they are not going to easily back away on those quote-unquote features.

And even if we do not consider this whole affair with tracking, the sole fact that Mojang tried to insert themselves into moderation of servers that they do not own is to me equally ridiculous and outrageous. Third-party servers are not associated with Mojang in any way; they do not run on hardware that Mojang owns and they are not controlled by people who have anything to do with the company. It’s none of the Mojang’s business to interfere with community that have managed itself for the longest time. It must remain up to the owners of individual servers to establish whatever rules they want on their server and to enforce them in whatever way they see fit. That’s what it means to be the owner of the server, after all. If I want swearing on my server, I will have it.

Now, there are some concerns around the internet that chat reporting is going to be incredibly destructive for large multiplayer servers such as Hypixel or 2b2t, but those are actually not going to be affected. The reason is because they typically stick around on 1.12 version of Minecraft, mostly because of performance concerns. As we all know, server performance have been steadily degrading over the span of latest Minecraft releases, even though the game received some improvements in rendering. If we talk about PvP servers, those generally hang even lower, typically it’s 1.9, because combat update forever killed PvP for a lot of players. However, chat reporting will be another thing going into the pile of reasons why those servers will never update.

But you know what, let’s not make it just about my own opinion. I dare welcome you to take a look at xisumavoid’s video on 22w24a, specifically at the comments, and I remind you, this
video is about an entire snapshot, not only about chat reporting that was introduced as part of it. So if I’m not alone in my opinion, we would probably expect to see one or maybe two concerned comments regarding this feature, so let’s see if we can find them. Oh, we didn’t have to search very long, did we? Literally every single comment here is about player chat reporting and how bad of an idea that is. Honestly, it pleases me to know that I’m not alone in my opinion.

I didn’t decide to talk to you in this format because I really wanted it; I decided to do that because to stay silent is just not an option any longer. So I hope you learned something from this video and enjoyed how I butchered the pronunciation of certain words. There’s another couple of things that I really wanted to talk about, like the mod that I make that’s going to disable chat reports server side, if anything that’s called No Chat Reports, or the telemetry that was reintroduced into Minecraft in 1.18, which is another feature that I’m incredibly concerned with, especially because until lately I didn’t even know that is the same. But this is already getting very long, so I’ll save that for another video, which I may or may not make depending on how this one is received. Also feel free to comment your own opinion on things that I cover here or ask any questions; I will try to answer every single one. Stay safe, and I hope we shall meet once more.

Video Information
This video, titled ‘How Minecraft’s Player Chat Reporting works (…and why I hate it)’, was uploaded by Aizistral on 2022-06-23 19:31:27. It has garnered 31724 views and 1648 likes. The duration of the video is 00:29:44 or 1784 seconds.
I have spent considerable amount of time investigating how Minecraft’s message signatures, “Only Show Secure Chat” and player chat reporting work on technical level, and decided that I have no reason to not share this knowledge with the world. Besides – here I express my opinion on those features.
Timestamps:
00:00 Intro
01:38 Private Keys, Public Keys and Signatures
03:08 Message Signatures
16:39 Player Chat Reports
23:04 Opinion
28:44 Epilogue
Article on cryptographic signatures: https://en.wikipedia.org/wiki/Digital_signature
Flowcharts that I used: https://whimsical.com/mojank-message-verification-Mfzn52j2syPe67jHEURHE4@2Ux7TurymN8s8vcmh7pJ
Intercepted reports: https://gist.github.com/Aizistral/0486f9e28b14d01807d63dcad5536720
Music:
Kevin MacLeod – Sneaky Snitch
Kevin MacLeod – Scheming Weasel
Some pieces from this glorious playlist: https://www.youtube.com/watch?v=fcSk_DZFjf4
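
Added example, not from the video and not Minecraft's or Mojang's code: the transcript's point that the issuer's signature covers only the public key, so clients can be shown a valid key next to the wrong profile while the issuer, which looks keys up by account, cannot. It uses Java's standard `java.security` API with freshly generated RSA keys; the class and method names, the payload layouts and the `SHA256withRSA` choice are assumptions, and the profile-bound certificate is one possible mitigation that the video does not describe.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.UUID;

// Added illustration: all names and payload layouts here are hypothetical.
public class KeyBindingDemo {
    static final String ALG = "SHA256withRSA"; // assumed algorithm for the demo

    static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance(ALG);
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    static boolean verify(PublicKey key, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance(ALG);
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }

    // Scheme described in the video: the issuer signs the player's public key and nothing else.
    static byte[] keyOnlyPayload(PublicKey playerKey) {
        return playerKey.getEncoded();
    }

    // Possible mitigation: the signed payload also carries the profile id the key belongs to.
    static byte[] boundPayload(UUID profileId, PublicKey playerKey) {
        byte[] enc = playerKey.getEncoded();
        return ByteBuffer.allocate(16 + enc.length)
                .putLong(profileId.getMostSignificantBits())
                .putLong(profileId.getLeastSignificantBits())
                .put(enc).array();
    }

    // Fields the video lists as signed per message: salt, sender id, timestamp, text.
    static byte[] messagePayload(long salt, UUID sender, long timestamp, String text) {
        byte[] t = text.getBytes(StandardCharsets.UTF_8);
        return ByteBuffer.allocate(8 + 16 + 8 + t.length)
                .putLong(salt)
                .putLong(sender.getMostSignificantBits())
                .putLong(sender.getLeastSignificantBits())
                .putLong(timestamp)
                .put(t).array();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair issuer = gen.generateKeyPair();    // stands in for the account service
        KeyPair adminKeys = gen.generateKeyPair(); // key issued to one account
        KeyPair aliceKeys = gen.generateKeyPair(); // key the issuer has on file for Alice
        UUID admin = UUID.randomUUID();            // constructed profile ids
        UUID alice = UUID.randomUUID();

        byte[] certKeyOnly = sign(issuer.getPrivate(), keyOnlyPayload(adminKeys.getPublic()));
        byte[] certBound = sign(issuer.getPrivate(), boundPayload(admin, adminKeys.getPublic()));

        // A relay shows the admin's key and certificate next to Alice's profile.
        // Key-only check: the client can only ask "did the issuer sign this key?".
        boolean keyOnlyAccepts =
                verify(issuer.getPublic(), keyOnlyPayload(adminKeys.getPublic()), certKeyOnly);
        // Bound check: the client rebuilds the payload with the profile id it was told.
        boolean boundAccepts =
                verify(issuer.getPublic(), boundPayload(alice, adminKeys.getPublic()), certBound);

        // A message that names Alice as sender but is signed with the admin's key.
        byte[] msg = messagePayload(new SecureRandom().nextLong(), alice,
                System.currentTimeMillis(), "hello");
        byte[] msgSig = sign(adminKeys.getPrivate(), msg);

        // Client view: uses whatever key the relay attached to Alice's profile.
        boolean clientAccepts = keyOnlyAccepts && verify(adminKeys.getPublic(), msg, msgSig);
        // Issuer view on a report: looks up Alice's key by account id instead.
        boolean issuerAccepts = verify(aliceKeys.getPublic(), msg, msgSig);

        System.out.println("key-only certificate accepted for wrong profile: " + keyOnlyAccepts);
        System.out.println("profile-bound certificate accepted for wrong profile: " + boundAccepts);
        System.out.println("client accepts relabelled message: " + clientAccepts);
        System.out.println("issuer accepts relabelled message: " + issuerAccepts);
    }
}
```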