[sldev] Viewer Auth + Automated Login (was RE: More about viewer auth in today's RC)

John Hurliman jhurliman at wsu.edu
Wed Dec 5 15:31:52 PST 2007


Tess Chu wrote:
> Back in October, we requested feedback about the Viewer Authentication 
> project with a broad set of unfocused goals, which masked the main 
> drive for the project: Code consolidation of authentication for future 
> anti-fraud efforts.  As I'm sure you've noticed by now, the upcoming 
> 1.18.6 release candidate has the implementation of this new system.
>
> Much of the ensuing debate centered around the relative security of the 
> old XML-RPC based approach versus the new approach of using HTML.  We 
> *weren't* necessarily trying to make the mechanism itself more secure 
> (we believe both mechanisms are secure), but rather, we want to give 
> ourselves greater flexibility to use new security mechanisms already 
> being successfully employed by banks, credit-card companies, and other 
> service providers that need rigorous security regimes.  By moving to 
> standard HTTPS plus HTML, we get the benefit of being able to 
> integrate new security systems without creating a lot of custom code.
>
> We realize that the way that we went about this was a little clumsy.  
> We have a lot of conflicting priorities to balance; we're working on 
> the part of the system that is necessarily shrouded in the most 
> secrecy (since we are trying to keep the bad guys out).  Though we 
> fully expect Second Life to become more open over time, there will 
> always need to be secrets.  We are, after all, not planning on 
> publishing the root password for our systems any time soon.
>
> The process of making Second Life more open will take time, and will 
> probably (unfortunately) be filled with awkward moments like this one 
> where we figure out how to work together with you all.  Please bear 
> with us, we're trying to learn the best way to do this.
>
> Thanks,
> Tess

I've been in favor of the new web authentication system, but under the 
assumption that we would have a new login method to replace the current 
one before it became a mandatory system (and thus locked out automated 
processes like bots, which are not very good at scraping HTML forms that 
can change dynamically for "WebLoginKey" values). Is there any word on 
progress or a timeline for the new automated login system that doesn't 
involve HTML scraping?

John