We’ve talked a lot about our fast game streaming technology; however, today we wanted to talk about something even more critical. Security.

We employ a plethora of techniques to help ensure you can always securely connect to your system both inside and outside your home. One of the rules we apply is only serving our content on what is known as “secure origins” or HTTPS. You’ll find that no page on Rainway makes calls to non-secure origins.

What that means is your traffic right from the start of loading is entirely encrypted so no third parties can see what you are doing. This, however, does present a challenge. You see, Rainway is a self-hosted application meaning that the “server” portion lives on a users computer. This is more or less fine when we attempt a P2P connection over WebRTC because when successful, it utilizes Datagram Transport Layer Security (DTLS), Secure Real-time Transport Protocol (or SRTP), and Advanced Encryption Standard (AES). However when it fails, we fall back to WebSockets.

Browsers enforce that a page loaded from HTTPS must have any WebSocket connections be to a WSS (WebSocket Secure) endpoint and this requires a valid SSL certificate. The solution seems straightforward enough, purchase a certificate and use that on all user’s servers, right? The issue is that would require shipping the private key to all users, thus making all encryption pointless and leading to the certificate being revoked and we also cannot ask users to register their domain and buy a certificate to play their games.

I love the smell of uncatchable errors in the morning

Enter Lochcert, a PKI (public key infrastructure) we built on top of Let’s Encrypt so that we can provide unique SSL certificates to all of our users in real-time. First, we sync a user’s known IP’s to our routing service cya.gg, which currently managing 100,000 different addresses. Once we’ve validated a connection can be made, we generate a cryptographically secure token to be used as their DNS hostname (jq9k7qs64d29zawm.cya.gg) and bind the relevant A and AAAA records to it.

We then submit a request to Lochcert which validates the newly created DNS entries and within a few seconds should have a valid and unique SSL certificate. The Rainway instance then pulls down the certificate and password protects it before storing it in the machines local store.

Secure game streaming in the browser.

Now we are doing wide-scale automated SSL/TLS certificate deployment with zero friction, and the result is an effortless, state-of-the-art secure deployment of SSL/TLS by default for tens of thousands of users. We are working to further improve things by implementing dynamic DNS to avoid propagation and wildcard certificates to support multiple machines under a single user.

It is hard to believe in 2018 there are services providing game streaming that do not encrypt your traffic, so we set the bar higher for ourselves and you.