Hi

We are making a mmo game for android and ios with unity. We have an asp.net server with c# code to manage users and game play. I research about encryption http in unity and found somethings like WWW in unity handles ssl and Server should have a valid ssl certificate BUT there are three question I need to know.

1- I don't understand it is all the things I need Or Somethings else must be added? And I can't realize how to exactly implement it on server and client.

2- what about url rewrite. Does SSL handle this one?

3- for server address it's better to use URL or a static IP?

1. Basically you would like to implement HTTPS (HTTP secure HTTP). For encryption between client and server, both need to perform a special SSL/TLS handshake, which includes (at least) a server side certificate. You need to create a self signed certificate (or used an actual one - not recommended for development due to costs). I will assume you use IIS as an application server to run your server code, lookup a tutorial for setting up SSL with IIS.

2. I'm not familiar with the technology, I can only guess that it can work since both URL rewrite and SSL management are integral part of IIS.

3. Generally, it is better to use a domain name (I assume you meant something like using https://www.test.mygame,com as opposed to https://123.123.123.123. That way you can change your IP at any time as the domain name will remain associated with any actual address you set. You need to set up a DNS record for your domain (there are numerous free DNS providers).

Personally from these questions, I think that you and your team are lacking a basic understanding of how internet and networking in general work and are set up which is one the most crucial parts of an MMO. If you intend to really invest into your game, I strongly suggest reading into (at least!) the wikipedia articles on:

- DNS

- SSL/TLS

- HTTP/HTTPS

- Your application server of choice (I assumed IIS).

The only difference between self-signed and purchased certificates is that the latter has a chain of trust established. This means that the clients can trust your server identity without asking the user, as a trusted party has signed your certificate and therefore it can be assumed that it hasn't been tampered with. The actual encryption algorithm(s) and cryptographic strength is exactly same whether you self-sign your certificate or purchase the signature for it.

SSL/TLS by itself does not do anything that would render it incompatible with URL rewriting. That said, you need to be careful about the protocol prefix and/or the port, if your system uses them somehow. HTTP default port is 80, while HTTPS is 443 (although almost all servers can be configured to listen to different ports regardless of the protocol). For example, if you hard-code some resource paths with the absolute URL, note the small but real difference between http://something/example.jpg and https://something/example.jpg :)

Domain name is used with verifying the certificate owner's identity, along with the signature trust. A SSL client is free to choose to ignore the protection that the domain name association gives (for example, common browsers will let you proceed even if there is no match), but this would also cause the effective security and manageability of the system to decrease.

For development, self-signed certs are ok because developers can of course trust a certificate they themselves created. But the chain of trust is very important when giving access to other people, so purchased signatures are the way to go when you publish.

thanks guys for nice explanation and busho I'll do your advice and read more about internet.

So if someone has experience in unity with ssl please help me to implement it on unity. Specially for certificate validation in unity because I think WWW class ONLY handle ssl but doesn't do any thing about certificate validation.