[sldev] [Upcoming Changes] Website Viewer Authentication

David Kaprielian (Sabin) sabin at lindenlab.com
Fri Sep 28 14:31:19 PDT 2007


Hey all.  I'm Sabin Linden, a developer here at Linden Lab.  You may 
know me as that Linden with the pixel avatar or maybe... well... 
actually I don't do much external facing work so you probably don't know 
me at all.  Don't worry, you're not missing out on much.

In any case, I wanted to take a moment and send to this list some 
security changes Linden is going to make in order to further the efforts 
of anti-fraud and phishing prevention.  Pretty soon we're going to 
consolidate logins to our website so we can eventually centralize the 
process.  In other words, residents will not have to type their name and 
password into SL viewers and applications, they'll type them into our 
website instead.  The process that occurs is as follows:
1: After logging into the website, you'll be taken to a new page that 
has the same login location options the current SL viewer has.
2: When you hit the Go button, a form is submitted to a php page, which 
redirects to a secondlife:/// url that has a web key appended to it.
3: The secondlife:/// url itself will launch Second Life with locational 
details and the web key will authorize your account for login.
Note: You can find more detailed information (the whys and hows) on the 
public wiki at https://wiki.secondlife.com/wiki/Viewer_Authentication

This method works for Windows and Mac machines, but unfortunately due to 
the nature of how Linux handles secondlife:/// links (it doesn't), we 
have been unable to come up with a proper, catch-all solution that would 
allow this method of login to work for 100% of the Linux-using 
population.  We estimate (aka: make an educated guess) that we can catch 
about 70% of Linux users at first and will be working to get that number 
as close to 100% as possible.  However, because there are so many 
different distributions and configurations of Linux available, there's 
always the possibility of people who cannot launch Second Life from the 
website.  Fortunately, we will be implementing a login screen for each 
of our viewers (similar to the one you see now) which goes through our 
website.  Although this doesn't allow as much security as we would like 
(since you're still technically typing your password into the viewer) it 
will, at least, allow all Linux users to log in.  Additionally, it will 
provide a fall-back for those who are used to the current way of logging 
in.

With this information, I wanted to get your feedback!  Do you think 
there's a way we could make website viewer authentication work for all 
Linux users?  Do you have any specifications for how this will interact 
with your third-party viewers and applications?  Anything I haven't 
covered that you're worried about?  Thanks for your time everyone, we'd 
love to hear what you have to say.

~Sabin
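
The flow in steps 2 and 3 above, as an added example that is not part of the original post and not Linden Lab's code: a website mints a web key and appends it to a secondlife:/// URL, the viewer parses it, and the login server accepts it once. The URL path, the parameter names, the 60-second lifetime and the single-use rule are assumptions made for this sketch.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

KEY_TTL = 60   # seconds a web key stays valid (assumed value)
_pending = {}  # sha256(web key) -> (account, expiry); raw keys are never stored


def issue_login_url(account, location, now=None):
    """Website, step 2: mint a one-time web key and build the redirect URL."""
    now = time.time() if now is None else now
    web_key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    digest = hashlib.sha256(web_key.encode()).hexdigest()
    _pending[digest] = (account, now + KEY_TTL)
    # Path and parameter names are assumptions for this sketch.
    query = urlencode({"location": location, "web_login_key": web_key})
    return "secondlife:///app/login?" + query


def parse_login_url(url):
    """Viewer, step 3: pull the location and web key out of the launch URL."""
    parts = urlsplit(url)
    if parts.scheme != "secondlife" or parts.netloc:
        raise ValueError("not a secondlife:/// URL")
    params = parse_qs(parts.query)
    try:
        (location,) = params["location"]
        (web_key,) = params["web_login_key"]
    except (KeyError, ValueError):
        raise ValueError("expected exactly one location and one web key")
    return location, web_key


def redeem(web_key, now=None):
    """Login server: return the account for a fresh, unused key, else None."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(web_key.encode()).hexdigest()
    entry = _pending.pop(digest, None)  # pop: a key works at most once
    if entry is None:
        return None
    account, expiry = entry
    return account if now <= expiry else None


if __name__ == "__main__":
    url = issue_login_url("Test Resident", "home")  # constructed sample account
    print(url)
    print(redeem(parse_login_url(url)[1]))
```

Because the key travels in a URL that the browser and operating system both see, keeping it short-lived and single-use limits what a copy found in history or logs is worth.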

