[sldev] OpenID & SSL certificates
Dzonatas
dzonatas at dzonux.net
Tue Oct 2 10:41:17 PDT 2007
Jesse Barnett wrote:
>
> So yes, please LL step forward and state clearly what you are trying
> to achieve and then we can help throw out ideas that have a clear target.
>
That would be on the page:
https://wiki.secondlife.com/wiki/Viewer_Authentication
Under: "Why we're making this change."
The confusion there is that the statements on that page use "open
source" as leverage to say that the official viewer is more secure. This
is not true, as you pointed out over a hacked viewer. Any viewer,
whether open source or not, is really on the same level of security. In
fact, we could take all viewers out of this argument and say that the
network protocols themselves as they exist are where the questionable
security exists.
Does the mere attempt to move authentication (as it exists now) from the
viewer to the web-site change anything? No, because it still is a login
prompt. It would change accountability from the implementation being
more in the viewer to being more in the web browser. If that web browser
is Mozilla-based, then they have resorted to using another "open source"
solution. That attempt to leverage on "open source" as the official
viewer is more secure doesn't make sense at all.
Why try to say "open source" is not secure and to make it more secure
the solution is another "open source" environment? (Hence, I signed the
critique)
The thing here to recognize is that these facts are not straight on the
WVA wiki page.
The why is really the need to improve the authentication protocol (not
the viewer).
To pawn other non-official viewers as less secure in the process of its
justification is a horrible attempt to discredit developers. I gave the
benefit of the doubt and kept in mind the "maybe it was not intended
that way" thought.
I also realized that the WVA method as on the wiki page is very
similar to a method I suggested about a year ago (on the forums,
mainly). Mine mainly meant one could use llhttprequest() to verify keys
or authenticate avatars, which mainly sprung out of the CC verification
arguments. This here, with WVA, is a more complex implementation to
involve much more persistence than what a single llhttprequest() can do.
--
Power to Change the Void