[sldev] [Upcoming Changes] Website Viewer Authentication
David Kaprielian (Sabin)
sabin at lindenlab.com
Fri Sep 28 14:31:19 PDT 2007

Hey all. I'm Sabin Linden, a developer here at Linden Lab. You may
know me as that Linden with the pixel avatar or maybe... well...
actually I don't do much external facing work so you probably don't know
me at all. Don't worry, you're not missing out on much.

In any case, I wanted to take a moment and send to this list some
security changes Linden is going to make in order to further the efforts
of anti-fraud and phishing prevention. Pretty soon we're going to
consolidate logins to our website so we can eventually centralize the
process. In other words, residents will not have to type their name and
password into SL viewers and applications, they'll type them into our
website instead. The process that occurs is as follows:

1: After logging into the website, you'll be taken to a new page that
has the same login location options the current SL viewer has.
2: When you hit the Go button, a form is submitted to a php page, which
redirects to a secondlife:/// url that has a web key appended to it.
3: The secondlife:/// url itself will launch Second Life with locational
details and the web key will authorize your account for login.

Note: You can find more detailed information (the whys and hows) on the
public wiki at https://wiki.secondlife.com/wiki/Viewer_Authentication

This method works for Windows and Mac machines, but unfortunately due to
the nature of how Linux handles secondlife:/// links (it doesn't), we
have been unable to come up with a proper, catch-all solution that would
allow this method of login to work for 100% of the Linux-using
population. We estimate (aka: make an educated guess) that we can catch
about 70% of Linux users at first and will be working to get that number
as close to 100% as possible. However, because there are so many
different distributions and configurations of Linux available, there's
always the possibility of people who cannot launch Second Life from the
website. Fortunately, we will be implementing a login screen for each
of our viewers (similar to the one you see now) which goes through our
website. Although this doesn't allow as much security as we would like
(since you're still technically typing your password into the viewer) it
will, at least, allow all Linux users to log in. Additionally, it will
provide a fall-back for those who are used to the current way of logging
in.

With this information, I wanted to get your feedback! Do you think
there's a way we could make website viewer authentication work for all
Linux users? Do you have any specifications for how this will interact
with your third party viewers and applications? Anything I haven't
covered that you're worried about? Thanks for your time everyone, we'd
love to hear what you have to say.

~Sabin