[sldev] [Viewer Auth] Office hour high points.
Argent Stonecutter
secret.argent at gmail.com
Wed Oct 17 17:34:37 PDT 2007
This is kind of disturbing.

On 17-Oct-2007, at 19:17, David Kaprielian (Sabin) wrote:
> Web is not any less secure.

HTML allows arbitrary programs running in a Turing-complete language
implemented under at least four completely independent security
models (one of which, the most common, is inherently insecure and has
been the source of far more than its fair share of vulnerabilities
and exploits over the past decade). Any solution that requires the
use of an arbitrary HTML browser involves whole classes of attacks
(including, but not limited to, social engineering attacks such as
'phishing') that are completely avoided by using either a webservices
login or a hardcoded login.

> The web has many vulnerabilities but is tested and used by millions
> each day, whereas the SL viewer's login vulnerabilities are not
> known and only used by thousands of people.

You cannot "test in" security, but even if you could, many browsers
routinely fail that test. You can "design in" security, and the SL
viewer has an inherently secure design, in that by default there is
no mechanism for content displayed in it and provided by an untrusted
source (including from an untrusted source WITHIN SL) to be
downloaded and executed even in a sandbox. Some web browsers
(particularly KHTML-based ones, as well as Gecko-based ones that do
not support XUL plugins) provide an inherently secure design, albeit
in some cases with a loophole in URI handling (one that has already
been an issue with SL) but still give malware more opportunity for
social-engineering attacks.

> Challenge-response is only used to make sure a secret doesn't cross
> the network unencrypted.

Challenge-response is also used to make sure that the security token
provided is not replayable.
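
The replay property named in the last reply above, shown as an added example that is not part of the original message and is not the SL viewer's login protocol. The `Verifier` class, the `respond` function and the sample secret are hypothetical names and constructed values; HMAC-SHA256 over a random nonce is an assumed construction.

```python
import hashlib
import hmac
import secrets


class Verifier:
    """Server side: issues single-use challenges and checks responses."""

    def __init__(self, shared_secrets):
        self._secrets = shared_secrets   # user -> shared secret (bytes)
        self._pending = {}               # user -> outstanding challenge

    def issue_challenge(self, user):
        nonce = secrets.token_bytes(16)  # fresh and unpredictable per login
        self._pending[user] = nonce
        return nonce

    def verify(self, user, response):
        # pop() consumes the challenge, so one challenge accepts one answer.
        nonce = self._pending.pop(user, None)
        secret = self._secrets.get(user)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def respond(secret, nonce):
    """Client side: prove knowledge of the secret without sending it."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def demo():
    secret = b"constructed-demo-secret"  # constructed sample value
    server = Verifier({"avatar": secret})
    captured = respond(secret, server.issue_challenge("avatar"))
    first = server.verify("avatar", captured)           # legitimate login
    replay_spent = server.verify("avatar", captured)    # challenge consumed
    server.issue_challenge("avatar")                    # new nonce issued
    replay_fresh = server.verify("avatar", captured)    # old answer, new nonce
    nonce = server.issue_challenge("avatar")
    fresh = server.verify("avatar", respond(secret, nonce))
    return first, replay_spent, replay_fresh, fresh


if __name__ == "__main__":
    print(demo())
```

The recorded response fails both after its challenge is consumed and against a newly issued challenge, which is what distinguishes it from a static token sent over an encrypted channel.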