Goals for viewer authentication (was: Re: [sldev] Re: Viewer Auth Feedback)

Jesse Barnett jessesa at gmail.com
Tue Oct 2 03:52:31 PDT 2007


On 10/2/07, Matthew Dowd <matthew.dowd at hotmail.co.uk> wrote:
>
>
> Indeed - and I've been wondering whether to edit the critique to make it
> clear that the Goals listed *are* what we *think* the goals/objectives are
> based on the original wiki page on some correspondence with LL.
>
> I thought it useful to be explicit in our assumptions (a) as it is clear
> to LL what these are, as they do colour our responses (b) to prompt LL into
> being more explicit in *what* they want to achieve rather than jumping
> straight into the *how* which is really the information we have at present.
>
> Matthew
>

It seems that the stated goal of protecting our authentication data from a
3rd party viewer was either incomplete, poorly worded or intentional
misdirection. The 2 points of vulnerability so far have been the wiki and
the forum. LL still refuses to come out and even discuss the forum bbcode
problem where we were vulnerable for over a year. When I mentioned it in the
forum, the thread was moved to moderation. It does not take a rocket
scientist to see that we have been incredibly lucky so far and need
increased security across the board with our log in data; viewer, wiki,
jira, forum, account page. How to achieve this extra security is of course
what we are talking about now. But I really wish we could split and narrow
the use of our log in name and password to just our account page and viewer.


Jesse Barnett