[sldev] OpenID & SSL certificates

Dzonatas dzonatas at dzonux.net
Tue Oct 2 10:41:17 PDT 2007


Jesse Barnett wrote:
>  
> So yes, please LL step forward and state clearly what you are trying 
> to achieve and then we can help throw out ideas that have a clear target.
>  

That would be on the page: 
https://wiki.secondlife.com/wiki/Viewer_Authentication
Under: "Why we're making this change."

The confusion there is that the statements on that page use "open 
source" as leverage to say that the official viewer is more secure. This 
is not true, as you pointed out over a hacked viewer. Any viewer, 
whether open source or not, is really on the same level of security. In 
fact, we could take all viewers out of this argument and say that the 
network protocols themselves as they exist are where the questionable 
security exists.

Does the mere attempt to move authentication (as it exists now) from the 
viewer to the web-site change anything?  No, because it still is a login 
prompt. It would change accountability from the implementation being 
more in the viewer to being more in the web browser. If that web browser 
is Mozilla based, then they have resorted to using another "open source" 
solution. That attempt to leverage "open source" to say the official 
viewer is more secure doesn't make sense at all.

Why try to say "open source" is not secure and to make it more secure 
the solution is another "open source" environment?  (Hence, I signed the 
critique)

The thing here to recognize is that these facts are not straight on the 
WVA wiki page.

The why is really the need to improve the authentication protocol (not 
the viewer).

To pawn other non-official viewers as less secure in the process of its 
justification is a horrible attempt to discredit developers. I gave the 
benefit of the doubt and kept in mind the "maybe it was not intended 
that way" thought.

I also realized that the WVA method as on the wiki page is very 
similar to a method I suggested about a year ago (on the forums, 
mainly). Mine mainly meant one could use llhttprequest() to verify keys 
or authenticate avatars, which mainly sprang out of the CC verification 
arguments. This here, with WVA, is a more complex implementation to 
involve much more persistence than what a single llhttprequest() can do.

-- 
Power to Change the Void
