Worried about security, TeamSpeak has made a radical change in their authentication system (and accordingly their user database).
Recognizing that usernames and passwords carry the risk of brute-force access succeeding against very weak passwords, they took a drastic leap forward.
Gone are usernames and passwords. Well, kinda, but not in the good way that you want.
Like many modern authentication systems, TS3 generates a private “machine key” automatically the first time you fire it up. This special encryption key identifies the TS3 installation/user. It then derives a second key from it, with some crypto-math, called the public key.
When your TS3 client logs into a server, instead of supplying a username and password, it instead sends your public key, which is now doubling as your username. The information the server sends back to you will be readable only by combining it with the private key and some more special crypto-math.
To log in as yourself from another computer, you just need to copy the key pair. The best part is – no password required! If you lose the key pair – say you forget to back it up before reinstalling… Well then you’re screwed.
They have provided some mechanisms for integrating your existing user database into theirs. Note that wording carefully. By moving to TS3 you are going to add another user database to manage into your user account systems.
This is really a cracker :)
Forum user’s view:
After logging in you will see a link “Join our TeamSpeak 3 server” which will take you to a separate page telling you to download and install the TeamSpeak 3 client (if not already present) and then to “Click this link to connect”. When you click the link your TeamSpeak 3 client will start (if not already started) and then connect to the community TeamSpeak 3 server.
Wrap your head around this…
To improve TeamSpeak 3 security, they have prevented your users from using a username/password combination and instead made you introduce a new user-identifier for the user. To obtain this, that user must log in to your forums with their username and password, where you then expose their super-secret combined login ID and password to them in a URL to click on.
Once someone clicks that URL, they are validated as that user without any need to, say, authenticate by confirming their login with a password or something.
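What the connect link described above amounts to is a bearer credential: whoever holds the URL is the user. An added example, not TeamSpeak’s or any forum plugin’s code, of how a forum could hand a logged-in user off to a voice server without putting their login ID and password in the link. All names (`mint_connect_token`, `ConnectTokenVerifier`, the shared secret) are hypothetical; the forum and the server side share one HMAC key, the link carries a short-lived token, and the server accepts each token only once.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Hypothetical design, not TeamSpeak's or a forum plugin's code. The forum
# signs a token after the user has logged in with their password; the voice
# server side verifies it, so the link never carries the password itself.
TOKEN_TTL_SECONDS = 120
TAG_LEN = hashlib.sha256().digest_size


def _sign(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def mint_connect_token(key: bytes, user_id: str, now=None) -> str:
    """Forum side: issue a fresh, single-use token for an already logged-in user."""
    if "|" in user_id:
        raise ValueError("user id must not contain the field separator")
    issued = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)  # makes every link unique, so replays are detectable
    payload = f"{user_id}|{issued}|{nonce}".encode()
    return base64.urlsafe_b64encode(payload + _sign(key, payload)).decode()


class ConnectTokenVerifier:
    """Server side: accept a token only while fresh and only the first time it is seen."""

    def __init__(self, key: bytes):
        self._key = key
        self._consumed = set()  # nonces of links that have already been used

    def verify(self, token: str, now=None):
        """Return the user id the token was minted for, or None if it is rejected."""
        now = now if now is not None else time.time()
        try:
            raw = base64.urlsafe_b64decode(token.encode())
            payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
            user_id, issued_s, nonce = payload.decode().split("|")
            issued = int(issued_s)
        except (ValueError, UnicodeDecodeError):
            return None
        # constant-time comparison, so a forged tag cannot be guessed byte by byte
        if not hmac.compare_digest(tag, _sign(self._key, payload)):
            return None
        if now < issued or now - issued > TOKEN_TTL_SECONDS:
            return None  # expired (or clock skew making it look future-dated)
        if nonce in self._consumed:
            return None  # the link was already used once; treat as a replay
        self._consumed.add(nonce)
        return user_id
```

Because the token is signed rather than encrypted, it identifies the user but reveals no password, and a leaked link is worthless after its first use or after two minutes.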
To be honest, he had me in stitches at “not vulnerable to man in the middle attacks”.
That sounds like the work of someone who doesn’t actually know what a man in the middle attack is =(
Since the server and client both have static key combinations, it is perfectly suited to Man In The Middle attacks :(
Worse still, forums are a honeypot for MitM attacks. So replacing an encrypted user/pass exchange with just a machine-based exchange … Ultra fail :(
The shame is, what TS2 had was good, it just wasn’t very secure. They were particularly concerned, it appears, about people creating noddy insecure passwords.
Surely a far better solution would have been to use the host-based PPK pairs for handshaking, and then use encrypted user/pass exchanges over that. That way it would have integrated easily with existing systems, and it would be at least as secure as – oh, I dunno – SSL, over which you would hope forum software would be exchanging this kind of information…
Heck – they could just have added a password-strength checker…
Killer had just bought a TS3 license before finding out that they have completely moved away from the old user/pass model and that integrating TS3 is going to be a whole bunch harder and more headache than TS2 was, for a net loss in security.
Their response to his threads: “you just don’t understand”, then closed and deleted threads :) Oh the irony :)