Differences between revisions 1 and 36 (spanning 35 versions)
Revision 1 as of 2018-12-20 13:08:55
Size: 1345
Editor: Morticon
Comment:
Revision 36 as of 2021-06-25 19:25:30
Size: 11508
Editor: Jaxen
Comment: Added instructions for SSLDroid
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
SpinDizzy will be moving to 100% SSL connections sometime in 2019. This means clients which do not support SSL will either need to be upgraded or a new client used. The web client always uses SSL. <<TableOfContents()>>
Line 3: Line 3:
For Windows, the best option is [[http://www.beipmu.com|BeipMU]]. This client is updated very frequently and the developers are extremely responsive. If you have windows 10, it is also available in the Windows Store for free. If you feel you are unable to switch to this wonderful client for whatever reason, you can use the Websocket gateway program Morticon wrote. Information is available in +read. Even if you switch to BeipMU, you may still find the gateway program useful because it can handle bad/flaky connections. The encrypted port is at muck.spindizzy.org, port 7073.
Line 5: Line 5:
For Linux, the best option is running BeipMU in WINE, or to download and manually compile the latest [[http://tinyfugue.sourceforge.net/|TinyFugue]]. It may also exist in package format for your distribution. The [[https://muck.spindizzy.org|web based client]] (always encrypted) is available, as is an [[https://muck.spindizzy.org/spindizzy-jsclient/client.html|advanced variant]].
Line 7: Line 7:
MacOS users can try [[http://www.riverdark.net/atlantis/|Atlantis]], though it does not appear to be updated or supported any longer. = Introduction =
SpinDizzy will be moving to 100% SSL connections on 03/15/19. This means clients which do not support SSL will need to be upgraded, connected using an encryption gateway, or switched to a newer client. The web client always uses SSL.
Line 9: Line 10:
Phone users currently have no known clients which directly support SSL. They can either use the web client or a proxy/tunneling program that will tunnel the connection. The upgrade is being done because using unencrypted connections means anyone - telecom companies, coffee shops, airports, school, your neighbor, etc - can eavesdrop on what you do or say on SpinDizzy. Essentially, when you are not using an unencrypted connection, everything you type could in theory be seen by anyone. While some people claim not to be bothered by this, most would rather communications remain private. As SpinDizzy has always been on the forefront of privacy and security, this is the next logical step. We've had an SSL port long before most MUCKs supported it.
Line 11: Line 12:
TODO: Add information about proxies and tunnels for phones and other operating systems. A lot of thought went into making this decision. It was not going to move forward unless viable workarounds were provided for essentially everyone on the MUCK. With that said, the sections below detail workarounds for your specific platform(s), if your current clients do not support encryption.

== Windows ==
For Windows, the best option is [[http://www.beipmu.com|BeipMU]]. This client is updated very frequently and the developers are extremely responsive. If you have windows 10, it is also available in the Windows Store for free. Just connect to port 7073 and indicate it is encrypted, and you're set.

[[https://sourceforge.net/projects/trebuchet/|Trebuchet Tk]] also supports SSL if you install the tcltls package. You may need to use the [[https://www.activestate.com/products/activetcl/downloads/|ActiveState TCL/TK Free Version]] interpreter and then use its Teapot package manager to install TLS. Other TCL/TK distributions may or may not have TLS support.

If you feel you are unable to switch to BeipMU or turn on Trebuchet encryption, you can use the[[https://muck.spindizzy.org/spindizzy_gateway.zip|Websocket gateway program]] Morticon wrote. It basically works like this:

 * Download the ZIP file and extract in C:\spindizzy or similar.
 * Run spindizzy.bat. The command window must remain up the whole time you are on SpinDizzy. It is safe to minimize the window.
 * Connect your existing muck client to 127.0.0.1 port 7072.
 * Done!

Even if you switch to BeipMU, you may still find the gateway program useful because it can handle bad/flaky connections.

If you really don't want to use the gateway program, you can try https://www.stunnel.org/ or https://nmap.org/ (for the ncat tool which comes with nmap). With either, the configuration works like this:

 * When installing nmap, you should tell it not to install npcap, a packet sniffer. It's unnecessary and in theory could be a security risk. Stunnel does not have this issue.
 * Nikon created a [[attachment:MushClient-SSL-Windows-Howto.pdf|step-by-step guide]] to getting Stunnel working on Windows with SpinDizzy. The screenshots show [[https://mushclient.com/mushclient/mushclient.htm|MushClient]] but any other client on Windows will work too.
 * The remote host to connect to is muck.spindizzy.org, port 7073 SSL.
 * The local port should be 7072.
 * Your MUCK client should connect to 127.0.0.1 port 7072.

For ncat in particular, this command should work:

 * ncat -k -l localhost 7072 --sh-exec "ncat --ssl muck.spindizzy.org 7073"

== Linux ==
Linux has multiple good options:

 * Run [[http://www.beipmu.com|BeipMU]] in [[https://www.winehq.org/|WINE]]
 * Download and manually compile the latest [[http://tinyfugue.sourceforge.net/|TinyFugue]]. It may also exist in package format for your distribution. Connect to port 7073 with -x to indicate encryption.
 * [[https://www.kildclient.org/site/|KildClient]] supports encryption.
 * [[https://sourceforge.net/projects/trebuchet/|Trebuchet Tk]] also supports SSL if you install the tcltls package. It should be available through your package manager, just like Tcl and Tk, which you need to run Trebuchet in the first place. On Mageia, the three packages are called `tcl`, `tk` and `tcltls`; in Debian, it's `tcl-tls` instead. So if you have Ubuntu or Mint, try `sudo apt-get install tcl tk tcl-tls` from the command line. Once you have it, look in the New World/Edit World dialog you can open from the File menu: on the third line, next to the port field, there's a checkbox labeled "encrypted port". Tick that and you should be good to go.
 * You can also use ncat or stunnel, as detailed in the Windows section. Use your package manager to download it.
 * If you connect to us via raw telnet, you can use the openssl to connect instead.
    * Type: openssl s_client -connect muck.spindizzy.org:7073


To set up a systemd service that will start a ncat-based SSL redirector when you log in with your user account. Copy the following into the file `~/.config/systemd/user/spindizzy.service`

{{{
# spindizzy.service
[Unit]
Description=Spindizzy SSL redirector

[Service]
ExecStart=/usr/bin/ncat -k -l 7072 -e '/usr/bin/ncat --ssl-verify muck.spindizzy.org 7073'
Restart=always

[Install]
WantedBy=basic.target
}}}

Now, enable the service by running the following commands in your shell:

{{{
systemctl --user enable spindizzy.service
systemctl --user start spindizzy.service
}}}

At this point, change your client's settings to point to `localhost` instead of `muck.spindizzy.org`, and new connections made to `localhost` will be sent on to the muck using SSL/TLS.

== MacOS ==
MacOS users can try [[http://www.riverdark.net/atlantis/|Atlantis]]. A new version is in the works, and a beta version [[http://riverdark.net/atlantis/downloads/Atlantis-0.9.9.6-rc4.zip|is available here]]. There is also [[https://www.reddit.com/r/MUD/comments/9yywnq/64bit_mu_clients_for_mac/|a discussion on version 2.0]] (PacketDancer is the program author).


If your current client does NOT currently support encryption (such as [[https://www.heynow.com/savitar/|Savitar]]), you are strongly encouraged to email the developers and nicely ask for the support to get added.

UPDATE: Savitar has a [[https://www.heynow.com/forums/index.php?/topic/3-ideas-for-savitar-20/|thread going for version 2.0 improvements]]. If you use this client, please comment on it to reinforce that SSL is an important feature.

You may also be able to run [[http://www.beipmu.com|BeipMU]] under [[https://www.winehq.org/|WINE]].

If you're comfortable with the commandline, you can download and manually compile the latest [[http://tinyfugue.sourceforge.net/|TinyFugue]] similar to the Linux instructions. You will have to enable SSL support.

MacOS users may be able to use [[https://brew.sh/|Homebrew]] to install nmap (for ncat) or stunnel and then follow the Windows directions for those tools above.

== Android ==
Android users currently have no known clients in the Play store which directly support SSL. Users are HIGHLY ENCOURAGED to email program authors to add the support (try emailing dan@happygoatstudios.com if you use Blowtorch and want SSL). In the meantime, users can either use the web client or a proxy/tunneling program that will tunnel the connection from the existing client.

Android users can also try installing [[https://tintin.sourceforge.io/|TinTin++]] under [[https://termux.com/|Termux]]. (Use the `#ssl` command instead of `#session`.)

Some proxy/tunneling apps to allow using your existing client include (use at your own risk):

 * [[https://play.google.com/store/apps/details?id=eu.smallapps.tunnel|TLS/SSL Tunnel]] (known to work with SD)
  * Open the app
  * Create a new tunnel, call it SpinDizzy
  * Connect to muck.spindizzy.org:7073
  * Local port 7072
  * Don't touch the Root-Certificate field
  * Make sure the first two checkboxes below are checked.
  * You can try checking the third checkbox for extra security, but if it doesn't work then uncheck it.
  * Hit save, then connect.
  * In your MUCK client (Mukluk, Blowtorch, etc) edit your SpinDizzy world. Set the host to 127.0.0.1 and the port to 7072.
  * Connect your MUCK client. It should now work.
  * Please note that if you move your phone across cells or different wifi networks, you may lose your connection. If this happens, close the connection in TLS/SSL Tunnel, and close then reopen the app. Reconnect to the SpinDizzy tunnel and then reconnect in your MUCK client.

 * [[https://play.google.com/store/apps/details?id=hu.blint.ssldroid|SSLDroid]] (known to work with SD)
  * Open the app
  * Tap the menu in upper right corner, then select "Add Tunnel"
  * Enter the following:
  * Tunnel name: SpinDizzy (Note: You can pick any name you wish.)
  * Local port: 7072
  * Remote host: muck.spindizzy.org
  * Remote port: 7073
  * PKCS12 file: (Leave blank)
  * PKCS12 pass: (Leave blank)
  * Then tap "Apply".
  * In the upper right menu, tap "Start Service".
  * In your MUCK client (Mukluk, Blowtorch, etc) edit your SpinDizzy world. Set the host to "localhost" and the port to "7072".
  * You should now be able to connect to SpinDizzy in the client.
  * SSLDroid will automatically restart until it's told to stop running. If you wish for it to stop, open the app, tap the upper right menu, select "Stop until explicit start", then close the app.
  * If SSLDroid isn't running, open the app, tap the upper right menu, then "Start Service".
  * Please note if you switch between Wifi and cell data or different Wifi networks, the MUCK connection will be lost. Reconnect in the MUCK Client; SSLDroid will reset automatically.

 * You can install nmap in [[https://termux.com/|Termux]] and use the ncat directions under the Windows section.
 * These will work similar to the Windows stunnel/ncat setup.

If none of these options appeal and you are comfortable installing apps outside of the play store, an older MUCK client that supports encryption can be found at http://downloadapk.net/down_MuClient.html . Please note this app is essentially unsupported and may stop working at any time. IMPORTANT NOTE: Do NOT use the version found on the Amazon App Store. It is full of ads and was hijacked by someone.

== iPhone / iPad ==
The [[https://itunes.apple.com/us/app/mudrammer-a-modern-mud-client/id597157072|MUDRammer]] client supports SSL.

== Other Platforms ==
The [[https://telebit.cloud/sclient/|sclient utility]] supplies standalone binaries for a variety of systems including Windows, Linux, and MacOS. It can be used on especially old computers where modern programs can't be installed. After downloading the appropriate binary, it should be run in terminal, prompt, or script with a very simple syntax:
{{{
./sclient -k spindizzy.org:7073 localhost:8888
}}}
After which you should be able to connect to localhost on port 8888.

If you use other platforms (Amiga, C64, Apple II, VT terminal, teletype, etc) to access SpinDizzy and encryption is not natively supported, your best bet is to run stunnel or ncat on a supported system such as Linux, and have your older platform connect to SpinDizzy via the local end of the SSL tunnel instead. Follow the instructions in the Windows section for hints.

The encrypted port is at muck.spindizzy.org, port 7073.

The web based client (always encrypted) is available, as is an advanced variant.

Introduction

SpinDizzy will be moving to 100% SSL connections on 03/15/19. This means clients which do not support SSL will need to be upgraded, connected using an encryption gateway, or switched to a newer client. The web client always uses SSL.

The upgrade is being done because using unencrypted connections means anyone - telecom companies, coffee shops, airports, school, your neighbor, etc - can eavesdrop on what you do or say on SpinDizzy. Essentially, when you are not using an unencrypted connection, everything you type could in theory be seen by anyone. While some people claim not to be bothered by this, most would rather communications remain private. As SpinDizzy has always been on the forefront of privacy and security, this is the next logical step. We've had an SSL port long before most MUCKs supported it.

A lot of thought went into making this decision. It was not going to move forward unless viable workarounds were provided for essentially everyone on the MUCK. With that said, the sections below detail workarounds for your specific platform(s), if your current clients do not support encryption.

Windows

For Windows, the best option is BeipMU. This client is updated very frequently and the developers are extremely responsive. If you have windows 10, it is also available in the Windows Store for free. Just connect to port 7073 and indicate it is encrypted, and you're set.

Trebuchet Tk also supports SSL if you install the tcltls package. You may need to use the ActiveState TCL/TK Free Version interpreter and then use its Teapot package manager to install TLS. Other TCL/TK distributions may or may not have TLS support.

If you feel you are unable to switch to BeipMU or turn on Trebuchet encryption, you can use theWebsocket gateway program Morticon wrote. It basically works like this:

  • Download the ZIP file and extract in C:\spindizzy or similar.
  • Run spindizzy.bat. The command window must remain up the whole time you are on SpinDizzy. It is safe to minimize the window.

  • Connect your existing muck client to 127.0.0.1 port 7072.
  • Done!

Even if you switch to BeipMU, you may still find the gateway program useful because it can handle bad/flaky connections.

If you really don't want to use the gateway program, you can try https://www.stunnel.org/ or https://nmap.org/ (for the ncat tool which comes with nmap). With either, the configuration works like this:

  • When installing nmap, you should tell it not to install npcap, a packet sniffer. It's unnecessary and in theory could be a security risk. Stunnel does not have this issue.
  • Nikon created a step-by-step guide to getting Stunnel working on Windows with SpinDizzy. The screenshots show MushClient but any other client on Windows will work too.

  • The remote host to connect to is muck.spindizzy.org, port 7073 SSL.
  • The local port should be 7072.
  • Your MUCK client should connect to 127.0.0.1 port 7072.

For ncat in particular, this command should work:

  • ncat -k -l localhost 7072 --sh-exec "ncat --ssl muck.spindizzy.org 7073"

Linux

Linux has multiple good options:

  • Run BeipMU in WINE

  • Download and manually compile the latest TinyFugue. It may also exist in package format for your distribution. Connect to port 7073 with -x to indicate encryption.

  • KildClient supports encryption.

  • Trebuchet Tk also supports SSL if you install the tcltls package. It should be available through your package manager, just like Tcl and Tk, which you need to run Trebuchet in the first place. On Mageia, the three packages are called tcl, tk and tcltls; in Debian, it's tcl-tls instead. So if you have Ubuntu or Mint, try sudo apt-get install tcl tk tcl-tls from the command line. Once you have it, look in the New World/Edit World dialog you can open from the File menu: on the third line, next to the port field, there's a checkbox labeled "encrypted port". Tick that and you should be good to go.

  • You can also use ncat or stunnel, as detailed in the Windows section. Use your package manager to download it.
  • If you connect to us via raw telnet, you can use the openssl to connect instead.
    • Type: openssl s_client -connect muck.spindizzy.org:7073

To set up a systemd service that will start a ncat-based SSL redirector when you log in with your user account. Copy the following into the file ~/.config/systemd/user/spindizzy.service

# spindizzy.service
[Unit]
Description=Spindizzy SSL redirector

[Service]
ExecStart=/usr/bin/ncat -k -l 7072 -e '/usr/bin/ncat --ssl-verify muck.spindizzy.org 7073'
Restart=always

[Install]
WantedBy=basic.target

Now, enable the service by running the following commands in your shell:

systemctl --user enable spindizzy.service
systemctl --user start spindizzy.service

At this point, change your client's settings to point to localhost instead of muck.spindizzy.org, and new connections made to localhost will be sent on to the muck using SSL/TLS.

MacOS

MacOS users can try Atlantis. A new version is in the works, and a beta version is available here. There is also a discussion on version 2.0 (PacketDancer is the program author).

If your current client does NOT currently support encryption (such as Savitar), you are strongly encouraged to email the developers and nicely ask for the support to get added.

UPDATE: Savitar has a thread going for version 2.0 improvements. If you use this client, please comment on it to reinforce that SSL is an important feature.

You may also be able to run BeipMU under WINE.

If you're comfortable with the commandline, you can download and manually compile the latest TinyFugue similar to the Linux instructions. You will have to enable SSL support.

MacOS users may be able to use Homebrew to install nmap (for ncat) or stunnel and then follow the Windows directions for those tools above.

Android

Android users currently have no known clients in the Play store which directly support SSL. Users are HIGHLY ENCOURAGED to email program authors to add the support (try emailing dan@happygoatstudios.com if you use Blowtorch and want SSL). In the meantime, users can either use the web client or a proxy/tunneling program that will tunnel the connection from the existing client.

Android users can also try installing TinTin++ under Termux. (Use the #ssl command instead of #session.)

Some proxy/tunneling apps to allow using your existing client include (use at your own risk):

  • TLS/SSL Tunnel (known to work with SD)

    • Open the app
    • Create a new tunnel, call it SpinDizzy

    • Connect to muck.spindizzy.org:7073
    • Local port 7072
    • Don't touch the Root-Certificate field
    • Make sure the first two checkboxes below are checked.
    • You can try checking the third checkbox for extra security, but if it doesn't work then uncheck it.
    • Hit save, then connect.
    • In your MUCK client (Mukluk, Blowtorch, etc) edit your SpinDizzy world. Set the host to 127.0.0.1 and the port to 7072.

    • Connect your MUCK client. It should now work.
    • Please note that if you move your phone across cells or different wifi networks, you may lose your connection. If this happens, close the connection in TLS/SSL Tunnel, and close then reopen the app. Reconnect to the SpinDizzy tunnel and then reconnect in your MUCK client.

  • SSLDroid (known to work with SD)

    • Open the app
    • Tap the menu in upper right corner, then select "Add Tunnel"
    • Enter the following:
    • Tunnel name: SpinDizzy (Note: You can pick any name you wish.)

    • Local port: 7072
    • Remote host: muck.spindizzy.org
    • Remote port: 7073
    • PKCS12 file: (Leave blank)
    • PKCS12 pass: (Leave blank)
    • Then tap "Apply".
    • In the upper right menu, tap "Start Service".
    • In your MUCK client (Mukluk, Blowtorch, etc) edit your SpinDizzy world. Set the host to "localhost" and the port to "7072".

    • You should now be able to connect to SpinDizzy in the client.

    • SSLDroid will automatically restart until it's told to stop running. If you wish for it to stop, open the app, tap the upper right menu, select "Stop until explicit start", then close the app.
    • If SSLDroid isn't running, open the app, tap the upper right menu, then "Start Service".
    • Please note if you switch between Wifi and cell data or different Wifi networks, the MUCK connection will be lost. Reconnect in the MUCK Client; SSLDroid will reset automatically.
  • You can install nmap in Termux and use the ncat directions under the Windows section.

  • These will work similar to the Windows stunnel/ncat setup.

If none of these options appeal and you are comfortable installing apps outside of the play store, an older MUCK client that supports encryption can be found at http://downloadapk.net/down_MuClient.html . Please note this app is essentially unsupported and may stop working at any time. IMPORTANT NOTE: Do NOT use the version found on the Amazon App Store. It is full of ads and was hijacked by someone.

iPhone / iPad

The MUDRammer client supports SSL.

Other Platforms

The sclient utility supplies standalone binaries for a variety of systems including Windows, Linux, and MacOS. It can be used on especially old computers where modern programs can't be installed. After downloading the appropriate binary, it should be run in terminal, prompt, or script with a very simple syntax:

./sclient -k spindizzy.org:7073 localhost:8888

After which you should be able to connect to localhost on port 8888.

If you use other platforms (Amiga, C64, Apple II, VT terminal, teletype, etc) to access SpinDizzy and encryption is not natively supported, your best bet is to run stunnel or ncat on a supported system such as Linux, and have your older platform connect to SpinDizzy via the local end of the SSL tunnel instead. Follow the instructions in the Windows section for hints.

SSL_Help (last edited 2021-06-25 19:25:30 by Jaxen)