Every site has some small differences in the implementation of the provably fair method, some better than others. I am planning to write an article about the ways the casino could still cheat you and what the ideal provably fair method should have (IMO). But a quick overview here:
Things that can be bad for the player (some already mentioned), in random order:
- Skipping nonces (dicebitco.in)
- Using anything like bet ID or timestamp in bet result calculation
- Not giving serverseed afterwards (sounds like a joke but betcoin.ag actually did that.)
- Having a "serverseed per bet" but not a (cryptographically secure) random clientseed per bet
- "serverseed per bet" but only show/send serverseed hash on request (I think 999dice did this? tbh never been interested in that site :p)
- Not generating a new (cryptographically secure) random clientseed after getting new serverseed hash
- Generating clientseed serverside
- Browser sending clientseed before getting serverseed hash
- Not locking serverseed hash (for d/c possibilities)
- TBH even things like "not giving a proper history of your own bets", "no link to a verifier and/or no script" and "daily secret" are bad, since they make it harder to easily verify your bet rolls.
And probably more. Again, I am planning to write much more about it soon with specific details and examples.
PS, if one doesn't fully understand provably fair, I recommend reading my "basic article":
http://dicesites.com/provably-fair
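As an added example (not part of the original post, and not any site's actual code), here is a small player-side verifier in the spirit of the checklist above: the site commits to a server seed by publishing its hash, the player picks a fresh cryptographically random client seed only after seeing that hash, each roll depends on nothing but HMAC-SHA512(serverseed, clientseed:nonce), and afterwards the player checks the revealed seed against the commitment, looks for skipped nonces, and recomputes every roll from the history. The HMAC-to-roll mapping is one common scheme assumed here; real sites differ in the details.

```python
import hashlib
import hmac
import secrets

def commit(server_seed: str) -> str:
    """The 'serverseed hash' a site shows before any bet is placed."""
    return hashlib.sha256(server_seed.encode()).hexdigest()

def new_client_seed() -> str:
    """Player-side, cryptographically secure seed, generated only after the
    server seed hash has been received (so the site cannot adapt to it)."""
    return secrets.token_hex(16)

def roll(server_seed: str, client_seed: str, nonce: int) -> float:
    """Assumed scheme: HMAC-SHA512 keyed with the server seed over
    'clientseed:nonce'; walk the hex digest 5 chars at a time until a value
    below 1,000,000 appears, then map it to 0.00 .. 99.99."""
    msg = f"{client_seed}:{nonce}".encode()
    digest = hmac.new(server_seed.encode(), msg, hashlib.sha512).hexdigest()
    for i in range(0, 125, 5):          # 128 hex chars -> 25 chunks of 5
        value = int(digest[i:i + 5], 16)
        if value < 1_000_000:
            return (value % 10_000) / 100
    return 99.99                        # practically unreachable fallback

def verify_history(published_hash: str, revealed_seed: str,
                   client_seed: str, bets: list) -> list:
    """bets: [(nonce, roll_reported_by_site), ...] under one server seed.
    Returns a list of human-readable problems; empty means everything checks."""
    problems = []
    if commit(revealed_seed) != published_hash:
        problems.append("revealed server seed does not match the published hash")
    nonces = [n for n, _ in bets]
    if nonces and nonces != list(range(nonces[0], nonces[0] + len(nonces))):
        problems.append(f"nonce gaps in {nonces}: bets may have been skipped")
    for nonce, reported in bets:
        expected = roll(revealed_seed, client_seed, nonce)
        if expected != reported:
            problems.append(f"nonce {nonce}: site reported {reported}, "
                            f"recomputed {expected}")
    return problems

if __name__ == "__main__":  # constructed walk-through of one seed cycle
    s, c = secrets.token_hex(32), new_client_seed()
    bets = [(n, roll(s, c, n)) for n in range(1, 6)]
    print(verify_history(commit(s), s, c, bets))                 # []
    print(verify_history(commit(s), s, c, bets[:2] + bets[3:]))  # nonce gap
```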