[opensource-dev] [POLICY] Configurable HTTP user-agent string

Ricky kf6kjg at gmail.com
Thu May 6 20:06:19 PDT 2010


One thing more to consider is that the content (but not the format) of
this string is up to the viewer developer.  If the viewer developer is
security-conscious, or has a security-conscious user base, the
developer can choose to use the one selected by one of Linden
Lab's main viewer versions.  Especially since the 1.x series is the
current "base" of most viewers, this makes sense.  The only flaw here
is that you will get the same thing going on with browsers today: they
almost all say "Mozilla/4.0" even if they are, say, IE8...

Overall, I think the security implications are important to consider,
but that simple tweaks seem to be able to cover the concerns.  I'd
rather get "Hi, I'm SecondLife/1.23.5 (compatible)" than "Hi, I'm
<blank>" from all security-conscious TPVs.  Especially since LL's
viewers will most likely not move over to the default-blank model, as
they already are sending a string, and to change would require
overcoming some entropy.. :P

Also, since this information is /already/ accessible (through means
that are irritatingly complex), we need to get the client-side tweak
of allowing the user to "opt-out" by setting a custom string in place.
 Since we are already "opted-in" by existing code, we have to choose
the opt-out model.  Making the info easier to access in LSL is a
tangential issue, but not unimportant.

Ricky
Cron Stardust

On Thu, May 6, 2010 at 3:00 PM, Argent Stonecutter
<secret.argent at gmail.com> wrote:
> The only difference between "default none" and "default something
> generic" is that you're sending more bytes to provide the same
> negative information.
>
> On 2010-05-06, at 13:47, Tigro Spottystripes wrote:
>
>> have the default be something generic then
>>
>> On 6/5/2010 15:24, Argent Stonecutter wrote:
>>> On 2010-05-06, at 11:51, Tigro Spottystripes wrote:
>>>> Then you just set your user-agent string to something generic
>>>
>>> Yes, I'm a paranoid nut who knows to do that. I know to opt out. Most
>>> people don't.
>>>
>>> Which is why any capability like this needs to be opt-in.
>>>
>>> _______________________________________________
>>> Policies and (un)subscribe information available here:
>>> http://wiki.secondlife.com/wiki/OpenSource-Dev
>>> Please read the policies before posting to keep unmoderated posting
>>> privileges
>>>
>
> "Welcome back, Anonymous, we're glad to see you again!"
>
>