[sldev] OpenID & SSL certificates

Jesse Barnett jessesa at gmail.com
Tue Oct 2 08:42:05 PDT 2007


On 10/2/07, Dzonatas <dzonatas at dzonux.net> wrote:
>
> The other thing I see that confuses this thread is that there exist lots of
> irrelevant arguments over implementation rather than just focus on
> justification. If we worry too much about implementation and not stay
> focused on the analysis of this (with justification), then we are
> over-planning and wasting time.
>
> --
> Power to Change the Void
>

Agree completely with this. Until we get clarification from LL as to what
they are trying to do, everything else means nothing. The only reason given
at first was to protect us from hacked 3rd party viewers. That reason was
shown to be nonsense because once a hacked viewer has logged into the
account they already have everything they came for. Our account data is
vulnerable in several spots. So far the viewer hasn't been the weakest link.
As I pointed out in another thread we use the exact same user name to log
into jira, the LL website, including our account page, the forums, the wiki
AGAIN and the viewer. You could also halfway argue too about throwing 3rd
party sites like SLexchange into the mix, I wonder how many people use the
same password there.

We were already hacked in the wiki and there has been no clarification or
even anyone admitting that we were vulnerable for over a year in the forums
before bbcode was disabled. That's right, a vulnerability was discovered in
VBulletin on 1/31/05 and bbcode wasn't disabled till this year. I would
suspect that the new login scheme is the reason that LL has finally hopped
off the fence and appointed new moderators to the forums. I completely
understand everything BUT the viewer needing a better form of security,
otherwise it will just be time before we are hit once again. Especially if
the forums are finally upgraded to the latest VBulletin version and bbcode
is re-enabled. All you have to do is google the terms bbcode and security to
see that it is a very popular point of entry for hackers.

So yes, please LL step forward and state clearly what you are trying to
achieve and then we can help throw out ideas that have a clear target.