Together with the Havok4 announcement, another Linden mail hit the sldev mailing list (ahh those Fridays).
There seem to be plans to change the Login process on the viewer to make it more secure with regard to 3rd party viewers (like mine or anybody else who makes an open source build), basically finding a way to not give the password to a viewer to log in.
Details are here (wiki) and the sldev thread can be followed in the mailing list archive (scroll down until you find Website Viewer Authentication).
In a nutshell, I agree with most comments that the proposed change is useless in that, whatever the kind of authentication, once the viewer is logged in a malicious viewer can still do what it wants, and that the proposed change is also a nuisance from a usability perspective and will probably break many ways people are using SL (Ajax-Life, libsl, etc.).
It is not yet clear how far it is implemented and what the time frame for this change is. The initial mail said "pretty soon", but I would at least expect a release candidate cycle for something as far reaching as that.
I made a proposal for a different approach (search for Improving Authentication Security on the mailing list archive page) with less usability impact.
I may be wrong (and I really hope I am), but the announcement and the way Donovan Linden talks about the first iteration sounds a lot like this is more in final stages than in early discussion.
Given the fresh memories of how the communication window for voice was implemented, I'd like to raise public awareness of the issue and suggest joining the discussion on the mailing list or via the wiki talk page or in office hours.
I don't mean to stage a protest, but I think now that the questions are asked, feedback should be early, constructive and clear.
Saturday, September 29, 2007
10 comments:
Jeez. This is going to be a monumental pain in the ass.
I don't have time to read all of the discussion on this subject, so my concerns have probably been brought up... but as I see it:
1) This provides a false sense of security while not actually making the login itself more secure.
2) This is going to be annoying as hell for people like me with multiple accounts.
3) This actually makes things LESS secure for people who remain logged into the website through the "remember me" option.
Justification:
1) At least in Windows, if I can run software on your system, I can steal your password no matter what application you're typing it into. A rogue client can install a keylogger as a separate process or as, say, a Firefox extension, in order to harvest passwords. There's also what you mentioned above: let the user log in and then your rogue client can transfer all of their lindens away or something.
2) I like staying logged into the SL website so that I can visit the forums without logging in. I'm hoping that they eventually add in the login system for JIRA so that I don't even have to log into that each day. I don't want to have to go and log myself out of the SL website just so that I can log into my alt. This is ESPECIALLY annoying when I want to have my alt and main logged in simultaneously.
3) I DON'T want someone to be able to walk up, open my web browser, and "Go Inworld!" So I'm going to have to constantly remember to log out of the SL website.
Argh.
--Lex Neva
Utterly stupid.
Just waiting for first case where mom or dad forgets to log out of the SL website, and 8 year old kid clicks him/herself inworld, and gets a faceful of "broadly offensive" content.
OMFG: They are reclassifying one of the password stealing flaws as a feature...
I am dumbstruck.
Incredible. I've sent them an email unicast with a slight mod to your proposal, Nicholaz - basically issuing a client certificate and then generating the one-time code which would be pasteable or launch the SL viewer with it.
Still not a panacea, but I think a bit more of an improvement to the scary stuff they came up with...
Surely LL didn't write *this* on the wiki linked above...
"I'm always logged in on the SL website. How does this affect me?
It means you're one massive faggot. "
This doesn't leave me very confident at all. I don't think I've understood all the implications yet, but right away I think I'm seeing some serious issues with this idea.
Nicholaz, there's a problem with your making this claim: you are hugely biased.
You can't tolerate any move by LL that would disrupt your third-party viewer, AJAX Life, libsecondlife stuff, etc.
But...why should we care? You are rogue hackers, reverse engineers, and while tolerated, you represent a risk as well. Any one of you could be making something that hacks into stuff and is used for griefing. And the plethora of griefing -- and increasingly sophisticated griefing -- that has gone on since the OS of the viewer -- and the dearth of any hard, recognizable "quick impact project" sort of success from "bug finding" is glaringly evident. You can't be expected to be impartial on this subject.
If the Lindens have found a way to defeat rapid log-ins of bots, many will be happy. It's not only the landbots that have destroyed the landmarket and human livelihoods for some, but it's these searchbots proliferating, coming to sims, scraping them, hanging around, requiring ban AFTER the fact to opt-out, etc. This has to be addressed -- they are a menace.
Could this change have anything to do with the IE security hole, and will it address that? If so, well, they have to deal with it.
If it defeats rogue browsers, it doesn't provide a false sense of security, it's much needed.
The bit about the multiple accounts is a red herring. As it is now, I can't rapidly change my numerous accounts holding groups together because the system won't log me out quickly. I routinely have to wait five minutes to log off the server and really get out of SL to then try again. If that becomes 7 minutes, but it is a wait that helps prevent the invasion of bots and griefers through OS browsers, fine, I can live with that.
I think anyone clicking off "remember me" in any event is not following a good practice, you just never know when kids or random people might in fact access your computer, it's never a good idea.
Three times now in the last year, I've found people have put keyloggers on me. I suspect this comes from Second Life and not other things. Removing one of them was quite destructive and time-consuming and expensive.
Gosh, huge super big deal to log into the web site AND have to log into the world, too? NOT!
No, nothing here at all sounds persuasive.
From my forum.secondlife posts:
All I know is that I trust Nicholaz far more than LL. And the irony is that Linden Lab trusts open software for their own login authentication already.
...
It will be nice to know exactly what shade of blue the deck chairs on the Titanic should be. I am simply flabbergasted that they are setting their sights on login modality because that is obviously one of the more pressing issues in front of them.
I'd post to the wiki but would be embarrassed to be associated with that endeavor in any way.
Prok, as usual you shout off without having a single clue. It's not about unofficial viewers. It's not about griefing (I'm simply insulted you bring up that). It's about making a change for the worse, giving *less* security, more headaches, and screwing everyone over in the process.
Next time the SL website is down, you won't be seeing on the blog "but logins are not affected".
And keep your conspiracist shite on your own blog, we don't need it here.
I'm wondering if something wasn't implemented today, all of a sudden I can't login with the BE-q viewer. It's giving me a "required download" of the current viewer. However, if I log in with the LL release candidate I get in fine....hmmmm
That was weird, I just tried again and this time I didn't get the forced download message. I take back what I said.... argh