[sldev] [POLICY] Development by consensus (Re: Question regarding upcoming maintenance on 11/27-

Matthew Dowd matthew.dowd at hotmail.co.uk
Tue Nov 27 11:46:16 PST 2007


 
> All of these issues were discussed extensively and addressed during
> Zero's office hours.  Sabin's follow up was a great summary for those
> who were unable to make it.

However, I raised a number of issues from the summary which were not discussed during the transcript - none of which got a response. For instance:

- how the new approach would cope with internationalisation of the UI.

- the false claim that the new approach would be more secure since millions of users would use it (which is an argument for https, but not for doing authentication via a web cgi script, since no more people would test the reliability of the cgi script whether that is a web page or a web service).

- the false claim that the new approach could allow new methods of authentication such as biometrics - these would need support for Java applets etc. in llmozlib, which would open a whole new security can of worms.
 
> A huge win for moving authentication to the website is so that
> anti-fraud/phishing efforts can be done for the second life grid as well
> as for the website in one swoop.

This claim is constantly made with no justification. The only known phishing attempt involving the grid was when someone managed to craft a URL to cause the client to log on to a third party server. The correct solution to that would be to use MD5 Challenge Response so that the password is never sent to the authenticating server (worryingly, in Sabin's summary of the meeting he completely missed the raison d'être behind MD5 challenge response).

It does not prevent third party clients grabbing passwords.

Watermarking or adding other features to the logon web form so that it appears authentic would be easily bypassed, e.g. assuming I can trick the user and/or viewer into going to my website to authenticate, I basically set up a script which pulls down the html dynamically and direct from LL (changing the form action url) so that the user sees exactly what they are expecting.


>  We are working on getting you a set of
> instructions for alternate clients, so please stay tuned for that
> announcement.

The worry is that with no further information about these anti-phishing/fraud efforts, that the new approach makes it very easy for LL to make a change (such as adding a captcha) which would break any client programmatically logging onto SL (either as an automated process or because the environment they are designed for doesn't support html rendering, e.g. a command line/text viewer). 

If there is a way of programmatically logging on via username and password which LL guarantees will not be broken by any changes LL introduces into the authentication webform, then anyone using a third party viewer using this will not be protected by LL anti-phishing/fraud efforts, and anyone using a malicious bot to defraud LL will not be caught by these efforts!

> Alts have always been able to log in, whether via the
> second life client or via the web site, as long as they provide the
> authentication fields of first name, last name, and password.

*This* isn't the issue, as has been stated many times. The issues are:

a) support for simultaneously logging on alts (as many content creators do to test scripts, permissions etc.)

b) not having your primary account logged out of the website/forums, just because you have logged on with a secondary test alt

There have (to my knowledge) been no assurances from LL on these issues, although they have been raised many times.

Sorry, Tess, but LL keeps responding with the same unsupported statements but leaving a number of questions still unanswered.

And if my e-mail is terse, it is because I am extremely annoyed at LL's handling of http://jira.secondlife.com/browse/VWR-2051 (months of "this is important, we are working on it" assurances, followed by it being summarily closed by someone who clearly hadn't even understood what the problem was, because the comments were too long, even though the problem still persists).

Matthew

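The challenge-response login that the post above argues for, as an added example (not code from the post, from Linden Lab, or from any Second Life client). The thread does not specify the exact construction, so the formula response = MD5(challenge + ":" + MD5(password)), the account names and the passwords are all constructed assumptions; MD5 is kept only because it is the hash the post names. The example shows the property the post cares about (a server that receives the exchange, such as a third-party server reached via a crafted URL, sees neither the password nor the stored verifier, and the response it captures cannot be replayed against the real server) and the limit the post also states (a malicious client still has the cleartext password).

```python
import hashlib
import secrets


def password_verifier(password: str) -> str:
    """What the real login server stores: MD5 of the password (assumption).
    MD5 is used only because it is the hash named in the thread; it is far
    too weak to be chosen as a password hash today."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def issue_challenge() -> str:
    """Server side: a fresh, unpredictable nonce for each login attempt."""
    return secrets.token_hex(16)


def compute_response(password: str, challenge: str) -> str:
    """Client side: bind the password hash to the server's nonce.
    Only this value goes on the wire; the password itself never does."""
    inner = password_verifier(password)
    return hashlib.md5(f"{challenge}:{inner}".encode("utf-8")).hexdigest()


def verify_response(stored_verifier: str, challenge: str, response: str) -> bool:
    """Server side: recompute from the stored verifier, compare in constant time."""
    expected = hashlib.md5(f"{challenge}:{stored_verifier}".encode("utf-8")).hexdigest()
    return secrets.compare_digest(expected, response)


class LoginServer:
    """Minimal in-memory login server (constructed for the example): one
    outstanding challenge per account, consumed on use so a captured
    response cannot be presented twice."""

    def __init__(self):
        self.accounts = {}   # account name -> stored verifier
        self.pending = {}    # account name -> outstanding challenge

    def register(self, name: str, password: str) -> None:
        self.accounts[name] = password_verifier(password)

    def start_login(self, name: str) -> str:
        challenge = issue_challenge()
        self.pending[name] = challenge
        return challenge

    def finish_login(self, name: str, response: str) -> bool:
        challenge = self.pending.pop(name, None)
        if challenge is None or name not in self.accounts:
            return False
        return verify_response(self.accounts[name], challenge, response)


def honest_login(server: LoginServer, name: str, password: str) -> bool:
    """A legitimate client talking to the legitimate server."""
    challenge = server.start_login(name)
    return server.finish_login(name, compute_response(password, challenge))


def third_party_capture(password: str) -> tuple:
    """A client tricked (e.g. by a crafted URL) into logging on to a third
    party server. That server issues its own challenge and receives only the
    response to it: no password, no verifier."""
    rogue_challenge = issue_challenge()
    return rogue_challenge, compute_response(password, rogue_challenge)


def replay_captured(server: LoginServer, name: str, captured_response: str) -> bool:
    """The third party replays what it captured against the real server.
    The real server issued a different challenge, so this fails."""
    server.start_login(name)
    return server.finish_login(name, captured_response)


class RogueClient:
    """A third-party client that logs what the user typed. Challenge-response
    does nothing about this case: the client must hold the cleartext password
    to compute the response."""

    def __init__(self):
        self.stolen = []

    def login(self, server: LoginServer, name: str, password: str) -> bool:
        self.stolen.append((name, password))
        return honest_login(server, name, password)
```

Two caveats a practitioner would add: a third-party server that relays the real server's challenge to the victim in real time still gets one valid session, so the nonce must be short-lived and the exchange should still run over https; and because the server stores MD5(password) directly, that stored verifier is password-equivalent, so a database leak is as bad as a cleartext leak.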
