[IGDA_indies] Secure online high scores

Tom Spilman indies@igda.org
Fri, 9 May 2003 04:12:06 -0500


    I've been recently thinking about how to secure the online high score
list for our puzzle game.  Since global rankings is one of the features you
get with the full paid-for version of the game, I'm going to ensure I
deliver something that doesn't just piss off the customer.

    Our puzzle game is deterministic like any good piece of software.  So
I'm thinking of just sending the whole replay of the game to our server for
it to determine the score.  For our game the absolute worst case is sending
the seed, a near-impossible 1000 moves (that would be around an hour and a
half of gameplay without a loss), plus a few more things like level time
remaining and stuff.  Uncompressed that would take less than 600 bytes to
send.  The server side can simulate the game quickly and post the player's
score.  To hack such a thing you would have to be able to play the same
seeded game over and over again to determine the right set of moves to
attain the score you want.  It becomes increasingly difficult as the score
gets higher.  It would be difficult enough that he probably deserves the
score if he does it.  At least much more difficult IMO than hacking one
packet/url/encryption scheme and sending it off.

    Are there any other techniques people have used?  Anything I should
avoid doing aside from spending too much time on this? =)

    Tom
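
The server-side replay check described in the post above, sketched as an added example that is not part of the original message or the poster's game. The wire layout (32-bit seed, 16-bit move count, 4-bit moves), the toy rules (8 columns, pieces of size 1 to 3, a column clears at exactly 10), the LCG constants and all function names are assumptions made for illustration.

```python
import struct

MAX_MOVES = 1000                  # worst case named in the post
HEADER = struct.Struct("<IH")     # assumed layout: 32-bit seed, 16-bit move count
COLUMNS, LIMIT = 8, 10            # hypothetical toy-game rules

class ReplayError(ValueError):
    """Replay is malformed or contains a move the rules do not allow."""

def pack_replay(seed, moves):
    """Client side: header, then 4-bit moves packed two per byte."""
    padded = list(moves) + [0] * (len(moves) % 2)
    body = bytes(padded[i] << 4 | padded[i + 1] for i in range(0, len(padded), 2))
    return HEADER.pack(seed, len(moves)) + body

def parse_replay(blob):
    """Server side: decode untrusted bytes, enforcing exact length and the move cap."""
    if len(blob) < HEADER.size:
        raise ReplayError("truncated header")
    seed, count = HEADER.unpack_from(blob)
    body = blob[HEADER.size:]
    if count > MAX_MOVES or len(body) != (count + 1) // 2:
        raise ReplayError("move count over cap or length mismatch")
    return seed, [body[i // 2] >> (0 if i % 2 else 4) & 0xF for i in range(count)]

def simulate(seed, moves):
    """Replay the toy game; the same seed and moves always give the same score."""
    state, heights, score = seed, [0] * COLUMNS, 0
    for n, col in enumerate(moves):
        # Fixed 32-bit LCG so client and server draw identical pieces.
        state = (state * 1664525 + 1013904223) & 0xFFFFFFFF
        piece = (state >> 16) % 3 + 1
        if col >= COLUMNS or heights[col] + piece > LIMIT:
            raise ReplayError(f"illegal move {n}")
        heights[col] += piece
        if heights[col] == LIMIT:     # exact fill clears the column and scores
            heights[col], score = 0, score + 10
    return score

def verify_submission(blob):
    """Score is derived only from the replay; no client-claimed score is read."""
    return simulate(*parse_replay(blob))
```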