[sldev] [Upcoming Changes] Website Viewer Authentication

Alias.Schilling Alias.Schilling at TalkTalk.net
Tue Oct 2 02:23:35 PDT 2007


Oh joy! A third level of SL - grid, viewer and now the net too...?!? I
really question the security of large quantities of id info flowing from a
web page to a viewer on a regular basis and am really not sure I'd want to
use it...

It's one thing to do basic account issues on the net but surely the log-in
screen - or an element of it - could be a "secure unit" that HAS to occur in
every viewer as part of the terms of service?

Why not get a security firm to implement security authentication into the
viewer front-end?!? A Linden Labs Secure Log-in Module should occur in
EVERY viewer as a way of providing the security required and this security
should be implemented by security specialists bought in by Linden Labs not
an internal team (eg "Second Life Log-in - authenticated by Symantec")

Regards,
Alias Schilling

> -----Original Message-----
> From: sldev-bounces at lists.secondlife.com 
> [mailto:sldev-bounces at lists.secondlife.com] On Behalf Of 
> David Kaprielian (Sabin)
> Sent: 28 September 2007 22:31
> To: Second Life Developer Mailing List
> Subject: [sldev] [Upcoming Changes] Website Viewer Authentication
> 
> Hey all.  I'm Sabin Linden, a developer here at Linden Lab.  
> You may know me as that Linden with the pixel avatar or 
> maybe... well... 
> actually I don't do much external facing work so you probably 
> don't know me at all.  Don't worry, you're not missing out on much.
> 
> In any case, I wanted to take a moment and send to this list 
> some security changes Linden is going to make in order to 
> further the efforts of anti-fraud and phishing prevention.  
> Pretty soon we're going to consolidate logins to our website 
> so we can eventually centralize the process.  In other words, 
> residents will not have to type their name and password into 
> SL viewers and applications, they'll type them into our 
> website instead.  The process that occurs is as follows:
> 1: After logging into the website, you'll be taken to a new 
> page that has the same login location options the current SL 
> viewer has.
> 2: When you hit the Go button, a form is submitted to a php 
> page, which redirects to a secondlife:/// url that has a web 
> key appended to it.
> 3: The secondlife:/// url itself will launch Second Life with 
> locational details and the web key will authorize your 
> account for login.
> Note: You can find more detailed information (the whys and 
> hows) on the public wiki at 
> https://wiki.secondlife.com/wiki/Viewer_Authentication
> 
> This method works for Windows and Mac machines, but 
> unfortunately due to the nature of how Linux handles 
> secondlife:/// links (it doesn't), we have been unable to 
> come up with a proper, catch-all solution that would allow 
> this method of login to work for 100% of the Linux using 
> population.  We estimate (aka: make an educated guess) that 
> we can catch about 70% of Linux users at first and will be 
> working to get that number as close to 100% as possible.  
> However, because there are so many different distributions 
> and configurations of Linux available, there's always the 
> possibility of people who cannot launch Second Life from the 
> website.  Fortunately, we will be implementing a login screen 
> for each of our viewers (similar to the one you see now) 
> which goes through our website.  Although this doesn't allow 
> as much security as we would like (since you're still 
> technically typing your password into the viewer) it will, at 
> least, allow all Linux users to log in.  Additionally, it 
> will provide a fall-back for those who are used to the 
> current way of logging in.
> 
> With this information, I wanted to get your feedback!  Do you 
> think there's a way we could make website viewer 
> authentication work for all Linux users?  Do you have any 
> specifications for how this will interact with your third 
> party viewers and applications?  Anything I haven't covered 
> that you're worried about?  Thanks for your time everyone, 
> we'd love to hear what you have to say.
> 
> ~Sabin