
If you had read my other comments here you would not be asking these questions. A badge that makes sure users feel safer and hackers have to use a real name card on itch and spend money and wait, to successfully spread malware. It does not hurt newcomers by blocking them, but newcomers have to buy into getting the badge; it makes old users more trustworthy as they should be.

Sandboxing is the solution if you think the browser is a solution, and it ain't looking good I tell ya. Java had sandboxing for 30 years; nobody used it, outside of applets, except me; not even Minecraft modders. So I'm making my own JVM to fix that since Oracle foolishly removed the sandbox in the latest Java version... in the meantime we have to embrace native (or close to native performance/featured VMs like Java/C#, JS can't do efficient memory sharing between threads without copying f.ex.) because of power usage: Linux on ARM is the only viable platform long term and until we get a better sandbox than V8 (even with WASM) that will not work.

Time is trust, you want to remove the brakes to go faster. That's an accident waiting to happen.


So? Is this supposed to be mandatory to publish or is this supposed to be an option to have such a verified checkmark? You began your suggestion with Steam as an example. Steam does not have an optional way to verify developers. They verify all of them. And because they verify all of them, there is trust.

If it is an additional option to get a verified checkmark, it will not change the situation. Some games would have more trust, all the rest would still not have such a checkmark and be a hiding place for all the bad uploads.

The sandbox mode I talk about is on operating system level. It separates the user that runs the game from the user that normally uses the system. That's why I called it poor man's sandbox. The game user can't read the files belonging to the regular user.

Time is trust, but time is not trustworthy. I have seen malware that was indexed for two years. Several that were indexed half a year. And I saw hundreds of hacked accounts that were several years old and being used to upload malware. And it happens far too often that Itch will not remove reported malware for several weeks. Nope, time does not make a game trustworthy.
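The guarantee in the reply above ("the game user can't read the files belonging to the regular user") holds only where file permissions actually deny other accounts. As an added example, not part of any post in this thread, the Python sketch below audits a directory for files a second account could read. It assumes POSIX mode bits only (no ACLs, no root); the uid and the file layout are constructed for the demonstration.

```python
import os
import shutil
import stat
import tempfile

def _class_bits(st, uid, gids):
    """Return the (read, search) bits POSIX applies to uid/gids for this inode."""
    if st.st_uid == uid:
        return stat.S_IRUSR, stat.S_IXUSR
    if st.st_gid in gids:
        return stat.S_IRGRP, stat.S_IXGRP
    return stat.S_IROTH, stat.S_IXOTH

def exposed_files(root, uid, gids=()):
    """List files under root that account uid could read (mode bits only)."""
    st = os.lstat(root)
    _, search = _class_bits(st, uid, gids)
    if not stat.S_ISDIR(st.st_mode) or not st.st_mode & search:
        return []  # without search permission nothing below is reachable
    found = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        st = os.lstat(path)  # lstat: symlinks are not followed
        if stat.S_ISDIR(st.st_mode):
            found += exposed_files(path, uid, gids)
        elif stat.S_ISREG(st.st_mode) and st.st_mode & _class_bits(st, uid, gids)[0]:
            found.append(path)
    return found

def demo():
    """Build a constructed home directory and audit it for a second account."""
    game_uid = os.getuid() + 1  # hypothetical uid of the separate game account
    home = tempfile.mkdtemp()
    os.mkdir(os.path.join(home, "ssh"))
    layout = {"notes.txt": 0o644, "wallet.key": 0o600, "ssh/id_key": 0o644}
    for rel, mode in layout.items():
        path = os.path.join(home, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(home, "ssh"), 0o700)
    os.chmod(home, 0o755)  # permissive home: other accounts may traverse it
    before = [os.path.relpath(p, home) for p in exposed_files(home, game_uid)]
    os.chmod(home, 0o700)  # owner-only home: nothing below is reachable
    after = exposed_files(home, game_uid)
    shutil.rmtree(home)
    return before, after
```

Run against the regular user's real home directory with the game account's uid and groups, an empty result is what the separate-user setup needs before it isolates anything.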

It would be automatically shown once the itch user uses his card to buy something on the site.

And once time passes with more purchases and comments it could level up.

But yes upload security needs to be increased = IP validation, 2FA and maybe even virus scanning.

... so something that appears on some accounts. Mostly user accounts that do not publish anyway. Itch does have a verification system already. But they only use it for very few accounts.

IP validation does not do much good. If Itch would react to reports within hours they might do something with that information for bulk uploads, but the scammers change IP a lot.

2FA does absolutely nothing here. Neither for new fake accounts, nor for older hacked accounts. And Itch does scan files, but their scanners are not up to the task. Again, if they react within hours and update their scanners within hours and scan older files ... that might do some good. The Itch scanners are so bad, I had downloaded files that even old Windows Defenders outright deleted without asking, so clear was the scan result. But then again, some malware I found did not even trigger a single scanner on VirusTotal. It is trivial for the bad uploaders to circumvent the Itch scanners by trial and error.

Believe me, I sure wish that there were some changes that would make spamming viruses and scams onto Itch a waste of time for the criminals. It makes me sick to see them every day. But the method you suggest would not solve this issue.

It would solve another issue, but only for long-time users turned developers at that. As I said, the trust in the Steam platform is only because they verify each developer. So to increase trust in Itch, there would need to be verification of all uploads. If you only attach a verified symbol to some few accounts in an automatic manner, those few accounts might be trusted a little bit more, till the criminals find ways to fake the verification process.