[opensource-dev] Anyone playing with Android and Second Life?

Brian McGroarty soft at lindenlab.com
Wed Dec 29 09:04:00 PST 2010


On Tue, Dec 28, 2010 at 8:05 AM, Tateru Nino <tateru.nino at gmail.com> wrote:

>  On 29/12/2010 2:57 AM, Robin Cornelius wrote:
> > On Tue, Dec 28, 2010 at 3:55 PM, Robin Cornelius
> > <robin.cornelius at gmail.com>  wrote:
> >
> >   v1.13.852
> > * the whole login process is now handled by the mobile device itself,
> > from now on no passwords nor their hashes are transferred to our
> > servers.
> >
> > So that avoids 2.e
> I'd be more concerned about capabilities URIs, myself. The login
> credentials are only the front-gate.


Ultimately, there's a big risk in using any third-party viewer. Getting the
initial authentication off of the third-party server narrows scope a bit. It
removes credentials that could have been used for real currency cash outs,
makes compromise of the third-party authentication server a less severe
problem, and improves governance's chances of slowing down bad actors
without having to take down a whole service. But, in no way do we intend it
as a safeguard against a malicious TPV dev.

-- 
Brian McGroarty | Linden Lab
Sent from my Newton MP2100 via acoustic coupler