[sldev] Re: "But your IP wouldn't be safe"

Able Whitman able.whitman at gmail.com
Mon Jul 9 18:35:55 PDT 2007


On 7/9/07, Jason Giglio <gigstaggart at gmail.com> wrote:
>
> People who provide web textures are no longer users, they are content
> providers.


Only unwittingly so. Just because someone wants to put a big texture on an
object they're selling doesn't mean they want to sign up to be the content
distributor for that texture. And it's unreasonable to expect the majority
of users to understand the subtleties of P2P texture distribution--the
information disclosure runs both ways, after all.

> > A user's IP address is protected from other users because, for the most
> > part, all interactions with other avatars take place via the grid, so
> > there are never direct connections between individual clients. If
> > someone has malicious intents and wishes to directly attack the client
> > of another user, the viewer does not provide the would-be attacker with
> > enough information to do so.
>
> This is a mere coincidence of the design, not a design goal.


Why the information disclosure is protected is irrelevant. The fact is that
this information is protected now, and some users depend upon this fact to
help ensure their anonymity.  Changing this behavior would be introducing a
security bug, and would be unacceptable.

> If you expect to use the Internet without exposing your IP to content
> providers, you should expect serious loss of functionality.


Of course. My point is that content providers should be clearly identifiable
as such. If I don't want to disclose my IP to such and such a service or a
web site, I don't visit it. The decision of whether to disclose such
information is to be left explicitly to the user. If I don't wish to disclose
my IP to a site, then I am precluded from the functionality of that site.

> I don't support this silly P2P texture idea.  I'm only talking about
> this in terms of web textures, HTML-on-a-prim, ... pretty much all the
> exciting future features that will prevent Second Life from becoming
> irrelevant.


In that case then, I believe we are in vigorous agreement. I am not arguing
against *all* features that could possibly disclose IP addresses or other
such information. In fact I think web textures and html-on-a-prim would be
fantastic features. My only point is that such features *do* open up new
avenues of information disclosure, and as such, the features should be
disableable at the user's discretion.

> > ...and new features should not
> > degrade this control, especially not by default, and especially not in a
> > manner which is not practically reversible.
>
> It should, by default, because there is no way Linden Lab can become
> some huge anonymizing proxy service.  The future viability of Second
> Life as a platform for providing content rests on decentralization.
> Decentralization means third party content that does *not* flow through
> Linden Lab servers, in many cases.


I guess we will have to disagree on this point. I believe that security
decisions, whether they be trust decisions, permissions decisions,
information disclosure decisions, etc., should be enabled only at the
explicit request of the users, not by default. I understand that this may
degrade the functionality of the viewer by default, but I am not advocating
huge barriers of entry to using those kinds of features.

For example, the first time you walk into a parcel with streaming audio, the
viewer prompts you whether you want to enable streaming media or not. This
is basically the sort of consent I advocate with any similar feature:

1. it is off by default,
2. the user is informed of its presence when appropriate,
3. the user then has the option of turning the feature on or leaving it off,
and
4. most importantly, the user's decision (either way) is reversible

--Able
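
The four-point consent model in the message above, sketched as an added example (not part of the original post and not Second Life viewer code). ConsentGate, fetch_web_texture and the "web_textures" feature name are hypothetical; the point shown is that no direct connection, and so no IP disclosure, happens before the user has opted in.

```python
from enum import Enum

class Decision(Enum):
    UNDECIDED = "undecided"   # user has never been asked
    ALLOWED = "allowed"
    DENIED = "denied"

class ConsentGate:
    """Hypothetical gate for features that connect directly to third-party hosts."""

    def __init__(self, prompt):
        self._prompt = prompt    # callable(feature, host) -> bool, shown to the user
        self._decisions = {}     # feature -> Decision; a missing key means "off"

    def state(self, feature):
        return self._decisions.get(feature, Decision.UNDECIDED)

    def may_connect(self, feature, host):
        """True only if the user has explicitly opted in to this feature."""
        state = self.state(feature)
        if state is Decision.UNDECIDED:
            # Points 2 and 3: inform the user on first encounter and let them choose.
            allowed = self._prompt(feature, host)
            state = Decision.ALLOWED if allowed else Decision.DENIED
            self._decisions[feature] = state
        return state is Decision.ALLOWED

    def set_choice(self, feature, allowed):
        """Point 4: either decision can be reversed later, e.g. from preferences."""
        self._decisions[feature] = Decision.ALLOWED if allowed else Decision.DENIED

def fetch_web_texture(gate, url, host, connect):
    """Open the direct connection (which reveals the client IP) only after consent."""
    if not gate.may_connect("web_textures", host):
        return None              # point 1: off by default, caller shows a placeholder
    return connect(url)

if __name__ == "__main__":
    # Constructed demo: the user declines at the prompt, then opts in later.
    gate = ConsentGate(lambda feature, host: False)
    url, host = "http://textures.example/a.png", "textures.example"
    print(fetch_web_texture(gate, url, host, lambda u: b"bytes"))   # declined
    gate.set_choice("web_textures", True)
    print(fetch_web_texture(gate, url, host, lambda u: b"bytes"))   # opted in
```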