[sldev] Re: "But your IP wouldn't be safe"
Able Whitman
able.whitman at gmail.com
Mon Jul 9 17:50:54 PDT 2007

Simply getting someone's IP address is not an attack. That's not what Argent
was saying, and it doesn't help being unnecessarily flippant about it.

The issue here is one of information disclosure. By connecting to the SL
grid, the viewer exposes the client's IP address to the SL server, by
necessity, in order to establish communications with the various sims in the
grid.

A subtle but important point is that the viewer discloses the client IP only
to the servers that make up the grid, *not* to other users who are connected
to the same grid. This is not an irrelevancy, it is a matter of trust. If a
user is connecting to SL, she is implicitly trusting her IP address to the
machines that comprise the grid. This is not an unreasonable trust decision,
since LL runs the grid and their policies are, in the main, to protect the
privacy of individual users' information--particularly
personally-identifiable information that might make it possible for a 3rd
party to establish a connection between an SL avatar and a RL person.

A user's IP address is protected from other users because, for the most
part, all interactions with other avatars take place via the grid, so there
are never direct connections between individual clients. If someone has
malicious intents and wishes to directly attack the client of another user,
the viewer does not provide the would-be attacker with enough information to
do so.

Currently, in order for someone other than LL to obtain a user's IP address,
they must have a way of convincing the target user to have their viewer
establish a direct connection to a system which the attacker has control
over. This could be accomplished by having the target user use the embedded
browser to visit a web server controlled by the attacker, or by listening to
a music or video stream from a media server the attacker controls. In either
case, these avenues of information disclosure require explicit permission
from the target user. And importantly, both avenues can be disabled without
serious loss of viewer functionality.

In the case of P2P texture distribution, without explicit controls
otherwise, a would-be attacker would need only to place a texture whose only
source is their own machine within the draw distance of the target user. In
order to retrieve this texture, the target's viewer would have to make a
direct connection to the attacker's system, thus disclosing the target's IP
address and making it possible for the attacker to attack the system
directly. In addition, since the attacker could arrange it such that his
client would know which avatars are within range of the textures he is
providing, it would become much easier for him to associate an IP address
with a particular avatar.

Worse, the target user has little ability to opt out of this avenue of
information disclosure, since texture downloads happen automatically. Having
the user disable P2P texture acquisition would prevent information
disclosure but also prevent the user's viewer from being able to display all
of the textures needed to render a scene. This is a significant loss of
functionality. It might be possible for the viewer to maintain a blacklist
of avatars to refuse P2P textures from, but with the ready availability of
alts, this isn't an effective option. It also requires that the user know in
advance whose textures not to trust, an impractical endeavor at best.

Of course, not everyone is as sensitive to the disclosure of their IP
address as others, but this does not make the issue of information
disclosure any less important. Currently the viewer offers reasonable
control over this kind of disclosure, and new features should not degrade
this control, especially not by default, and especially not in a manner
which is not practically reversible.

--Able

On 7/9/07, Jason Giglio <gigstaggart at gmail.com> wrote:
>
> Argent Stonecutter wrote:
> >> I agree 100%. This argument has already been used to stifle the
> >> discussion of (non-P2P) web fetched textures with irrelevancies about IP
> >> address exposure.
> >
> > They're not irrelevancies.
> >
> > We're talking about the difference between the current situation, where
> > an attacker would have to make a heroic effort to have a chance of
> > identifying a specific avatar, and it would be all for naught if the
>
> Since when is getting someone's IP address an "attack"?
>
> I guess that makes anyone running a DNS server a criminal. This entire
> discussion is ludicrous.
>
> IP addresses are *how computers talk to one another* on the net. It's
> *how the net works*.
>
> If you don't like it, go design your own fucking Internet.
>
> -Jason
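The control the message above argues for, sketched as a default-deny connection policy; this is an added example, not part of the original post or of the viewer's code. The host suffix `grid.example`, the fetch kind names and the `Prefs` fields are assumptions, and the sample scene is constructed.

```python
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import urlsplit

class Decision(Enum):
    ALLOW = "allow"   # no prompt: grid host, or a host the user approved
    ASK = "ask"       # direct connection: needs explicit user permission
    BLOCK = "block"   # direct connection of a kind the user has not enabled

# Hypothetical suffix for hosts run by the grid operator (constructed).
GRID_SUFFIXES = (".grid.example",)

@dataclass
class Prefs:
    # Fetch kinds the user has switched on; everything is off by default.
    enabled: set = field(default_factory=set)
    # Hosts the user has already approved for a direct connection.
    approved_hosts: set = field(default_factory=set)

def is_grid_host(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host.endswith(s) or host == s.lstrip(".") for s in GRID_SUFFIXES)

def decide(url: str, kind: str, prefs: Prefs) -> Decision:
    host = urlsplit(url).hostname
    if host is None:
        return Decision.BLOCK          # unparseable target: fail closed
    if is_grid_host(host):
        return Decision.ALLOW
    if kind not in prefs.enabled:
        return Decision.BLOCK
    if host in prefs.approved_hosts:
        return Decision.ALLOW
    return Decision.ASK

def disclosed_to(fetches, prefs: Prefs) -> set:
    """Non-grid hosts that would learn the client IP without a prompt."""
    out = set()
    for url, kind in fetches:
        host = urlsplit(url).hostname
        if host and not is_grid_host(host) and decide(url, kind, prefs) is Decision.ALLOW:
            out.add(host.lower())
    return out

# Constructed sample: what a viewer might be asked to fetch in one scene.
SCENE = [
    ("https://sim7.grid.example/texture/1", "texture"),
    ("http://203.0.113.9:8000/stream", "media"),
    ("http://198.51.100.4/tex/abc", "p2p_texture"),
]
```

With default `Prefs()`, `disclosed_to(SCENE, Prefs())` is empty: only the grid host is contacted, and every direct connection stays blocked until the user enables that kind and approves the host.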