On July 26th, PokerTableRatings.com unearthed a major encryption flaw at the USA-friendly Cake Poker Network. The issue was very similar to the one that plagued the CEREUS Network: a custom-built XOR encryption left players’ hole cards and account information open to theft.
Upon learning that players hitting the virtual felts through a wireless network risked exposure, PokerTableRatings.com urged the Cake Poker faithful to stop playing on the network until SSL encryption was present: “The only guarantee of safety is to change your password and stop playing on the Cake Network until these issues have been fully resolved and verified by us. Until Cake has switched to OpenSSL, or the TwoFish encryption their webpage says they use, there is no way to be sure you are secured.”
PokerTableRatings.com officials outlined the relative risks of continuing to play with XOR security on the Cake Poker Network. The following levels of risk corresponded to various ways of connecting to the internet:
Public Unsecured Wireless: Severe
Public Secured Wireless: Moderate-High
Public Wired: Moderate
Home Unsecured Wireless: Moderate
Home Secured Wireless: Moderate-Low
Home Wired: Low
Purportedly, you – the very reader of this PokerSoftware.com article – could break XOR encryption by simply firing up your Windows calculator and switching over to the Scientific mode. There, you’ll find an XOR button. PokerTableRatings.com notified Cake Poker officials, who promised a swift response.
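Why a fixed-key XOR scheme offers no confidentiality, shown as an added example that is not from PokerTableRatings.com or Cake Poker. The key, its length and the message format below are constructed assumptions, since the article does not describe the network's actual protocol.

```python
from itertools import cycle

def xor_stream(data: bytes, key: bytes) -> bytes:
    """XOR each byte with a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def key_from_known_plaintext(ciphertext: bytes, known: bytes, key_len: int) -> bytes:
    """c = p ^ k implies k = c ^ p: a predictable message prefix exposes the key."""
    if len(known) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known[:key_len]))

def key_cancels(c1: bytes, c2: bytes) -> bytes:
    """Two messages under one key: c1 ^ c2 == p1 ^ p2, so the key drops out."""
    return bytes(a ^ b for a, b in zip(c1, c2))

# Constructed sample data (hypothetical key and message layout, illustration only).
KEY = b"\x5a\xc3\x17\x88"
MSG_LOGIN = b"LOGIN user=alice pass=hunter2"
MSG_CARDS = b"LOGIN-OK hole=AsKd table=7"

def demo() -> dict:
    c_login = xor_stream(MSG_LOGIN, KEY)
    c_cards = xor_stream(MSG_CARDS, KEY)
    # Assumption: the protocol starts every message with a fixed, guessable tag.
    recovered = key_from_known_plaintext(c_login, b"LOGIN", len(KEY))
    return {
        "recovered_key": recovered,
        # The recovered key reads every other message sent under it.
        "second_message": xor_stream(c_cards, recovered),
        # Even without the key, ciphertexts leak the XOR of their plaintexts.
        "leak": key_cancels(c_login, c_cards),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

An authenticated transport such as the SSL fix the article goes on to describe removes both properties, because each session uses fresh keys and a real cipher rather than a static mask.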
On August 4th, Cake Poker added SSL encryption to its old client. However, its new beta software had not yet received a security upgrade. PokerTableRatings.com, which began investigating the old client for leaks, affirmed, “PTR Security has reviewed the patch and we are happy to announce that this appears to be a correct implementation of SSL using the industry standard OpenSSL library.”
On August 5th, it appeared to be back to the drawing board for Cake. Purportedly plagued with stability problems while trying to implement SSL, Cake removed the new encryption from its software entirely, once again leaving players potentially vulnerable. Shortly thereafter, however, a final update to the old and beta clients was released and PokerTableRatings.com confirmed that it was once again safe to play on the Network.
Cake Poker Card Room Manager Lee Jones told PokerSoftware.com on Friday that all Cake Poker Network skins – including DoylesRoom and the flagship site – were equipped with SSL. PokerTableRatings.com agreed, publishing, “We can verify that the data stream is SSL encrypted on both the standard software and the beta client. We have been unable to reproduce any of the vulnerabilities we detected previously.”
In May, the CEREUS Network, which includes UB.com and Absolute Poker, suffered from a similar vulnerability. Network programmers spent about 10 days developing SSL before instituting a fix. The CEREUS and Cake Poker Networks both accept players from the United States.
In a lively thread that appeared on TwoPlusTwo, posters called out the Cake Poker Network for potentially having superusers amid the security vulnerabilities. After all, hackers could, in theory, expose hole cards of those players logged into the network. Given that Cake allows users to change their names every seven days, one poster inquired, “How do we know there have not been any superusers (on your side) on Cake, considering that your software had this possibility and considering that you have taken away the players' possibilities to catch them ourselves?”
Jones stated that he had sent TwoPlusTwo’s Mason Malmuth a private message with an explanation of what happened. However, Malmuth fired back, posting, “You need to post and answer the questions now. Our posters are the ones you need to communicate with, not me.”