[sldev] Re: Viewer Auth Feedback

SL - Farallon Greyskin sl at phoca.com
Tue Oct 2 08:38:13 PDT 2007


I believe that LL said that the primary reason for doing it that way was to 
remove the log-in from the client because third party clients /could/ be 
used to harvest name/password data from users that used them.

By logging into the web site and having a web page launch the viewer then 
that specifically can't happen. Sounds like a good idea at that point...

HOWEVER. Of course there are actually even MORE ways to spoof webpages and 
exploit bugs to harvest that SAME info from the browser as well as the fact 
that even if the log-in info is secure, once logged in a malicious client 
could STILL transfer lindens or do /anything/ the user could do once logged 
in.

So the stated goal of increasing login security by logging into the web page 
to protect the user from malicious clients at this point seems pretty 
moot... At this point ALL of the security issues to date (that I know about) 
have been caused by the Linden's own website or by the fact that the current 
client login method and data stream is insecure on shared networks.

Farallon

----- Original Message ----- 
From: dirk husemann
To: Matthew Dowd
Cc: Second Life Developer Mailing List
Sent: Tuesday, October 02, 2007 5:27 AM
Subject: Re: [sldev] Re: Viewer Auth Feedback


Matthew Dowd wrote:
I'm not clear why this consolidation could not be achieved by having a 
single backend webservice which did the authentication step, and which was 
then fronted by a GUI frontend for the client and a web front end for the 
websites?


IFF i understand sabin (and zero, who was talking about this in recent weeks 
off and on), they want to be able to login on the web page and then --- by 
some "magic" --- have that login carry over to the viewer...

...which i think will just confuse the heck out of people: "why do i have to 
login at the web site to use the application?" --- let alone all those 
security issues such as XSS et al.


-- 
dr dirk husemann, pervasive computing, ibm zurich research lab
--- hud at zurich.ibm.com --- +41 44 724 8573 --- SL: dr scofield