[sldev] [Upcoming Changes] Website Viewer Authentication

Dale Glass dale at daleglass.net
Fri Sep 28 15:20:03 PDT 2007


On Friday 28 September 2007 23:31:19 David Kaprielian (Sabin) wrote:
> Hey all.  I'm Sabin Linden, a developer here at Linden Lab.  You may
> know me as that Linden with the pixel avatar or maybe... well...
> actually I don't do much external facing work so you probably don't know
> me at all.  Don't worry, you're not missing out on much.
>
> In any case, I wanted to take a moment and send to this list some
> security changes Linden is going to make in order to further the efforts
> of anti-fraud and phishing prevention.  Pretty soon we're going to
> consolidate logins to our website so we can eventually centralize the
> process.  In other words, residents will not have to type their name and
> password into SL viewers and applications, they'll type them into our
> website instead.  The process that occurs is as follows:
> 1: After logging into the website, you'll be taken to a new page that
> has the same login location options the current SL viewer has.
> 2: When you hit the Go button, a form is submitted to a php page, which
> redirects to a secondlife:/// url that has a web key appended to it.
> 3: The secondlife:/// url itself will launch Second Life with locational
> details and the web key will authorize your account for login.
> Note: You can find more detailed information (the whys and hows) on the
> public wiki at https://wiki.secondlife.com/wiki/Viewer_Authentication
I'm rather torn on this idea. On one hand, I understand the decision of 
making the authentication separate from the viewer, so that a third 
party viewer can't report the passwords to its master.

On the other hand, the web has many, many vulnerabilities:

* Registering domains like secondlife.ws, SecondIife.com (font trick here)
* Domains with characters from another language. "secondlife" has "e", "c" 
and "o" which are identical in Russian, but to DNS are different 
characters.
* Hiding the true destination with JavaScript
* Links like <a href="http://evilserver.com">secondlife.com</a>
* Links to secondlife.com            (lots of spaces)@evilserver.com
* Recent exploit affecting precisely secondlife:// (!)
etc.

The web is simply a security disaster. The prevalence of phishing on the 
web, where the look and feel of a website is easily duplicated, worries me. 
Few people use third party viewers like mine. I'm fairly sure that many 
more people are vulnerable to phishing by email.

We have to avoid exchanging a slight insecurity for a greater one.


> With this information, I wanted to get your feedback!  Do you think
> there's a way we could make website viewer authentication work for all
> Linux users? 
In principle, the 70% you speak of is achievable with a kioslave for KDE 
and the GNOME equivalent (haven't used GNOME in ages, so no clue how it 
works there); 100% for secondlife:// is probably impossible. Are you going 
to patch links and lynx for this, as well as even more obscure browsers, 
for example?

To let absolutely everybody log in somehow, maybe just display the token so 
that it can be copy/pasted into a field in the viewer. 


> Do you have any specifications for how this will interact 
> with your third party viewers and applications?  Anything I haven't
> covered that you're worried about?  Thanks for your time everyone, we'd
> love to hear what you have to say.
In terms of third party viewers (I make my own), I don't think this is 
going to solve any of their security issues.

Yes, this stops people from stealing passwords. But I think this may 
actually be counterproductive security-wise.

The password isn't the important thing, once a viewer logs in, it can 
immediately transfer all money from your account, transfer everything 
interesting from the inventory, sell land, etc. The password isn't 
important, what it gives access to is, and if you've let a malicious 
viewer access your account, what the password was protecting is wide open.

The impression that your password being protected means you can download 
any random executable from the web and let it log in under your account is 
IMO very, very dangerous.

My alternate suggestion for viewer security: Create a "restricted mode" for 
the account. You go to the website (despite the above criticism I find it 
hard to come up with something better), and select to enable this mode.

When you log in, you do it in a restricted mode. The viewer is not notified 
in any way, but any dangerous actions (like transferring money, selling 
land, etc) are silently ignored and logged. The grid maintains the 
illusion so that the viewer can't see that nothing is actually being done. Then 
after trying a viewer like this you check the website to see if the viewer 
tried to do anything suspicious behind your back. The grid could send mail 
or IM notifications to tell the user about anything suspicious through a 
mechanism the viewer doesn't control.

There should be an option to change the number of restrictions on the 
account. For example, restricting transfer to L$200 max per login, not 
allowing selling land, etc.
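
The link tricks Dale lists above (look-alike domains such as secondlife.ws and SecondIife.com, Cyrillic homographs, the userinfo "@" trick, link text that disagrees with its target) can be screened mechanically before a login link is trusted. This is an added example, not code from the thread or from Linden Lab; it assumes secondlife.com (or a subdomain of it) is the only host the web login page should live on.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption for this example: the genuine web login page lives only on this host
# (or a subdomain of it); nothing else is trusted.
TRUSTED_HOST = "secondlife.com"

# Latin glyphs that look alike in many fonts: capital I / digit 1 vs lowercase l, digit 0 vs o.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o"})


def raw_host(netloc):
    """Host part of a netloc, case preserved: drop userinfo before '@' and any ':port'."""
    return netloc.rpartition("@")[2].partition(":")[0]


def skeleton(host):
    """Fold look-alike Latin glyphs so 'SecondIife.com' compares equal to 'secondlife.com'."""
    return host.translate(CONFUSABLES).lower()


def scripts_in(host):
    """Unicode scripts (LATIN, CYRILLIC, ...) used by the letters of a hostname."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in host if c.isalpha()}


def check_login_link(href, link_text=None):
    """Reasons a link claiming to lead to the login page should not be trusted (empty = looks genuine)."""
    problems = []
    parts = urlsplit(href.strip())
    host = raw_host(parts.netloc)
    if parts.scheme != "https":
        problems.append("scheme is %r, not https" % parts.scheme)
    if "@" in parts.netloc:  # everything before '@' is userinfo; the browser connects to what follows
        problems.append("userinfo trick: browser would connect to %r" % host)
    if any(ord(c) > 127 for c in host):
        problems.append("non-ASCII host, scripts: %s" % ", ".join(sorted(scripts_in(host))))
    if host.lower() != TRUSTED_HOST and not host.lower().endswith("." + TRUSTED_HOST):
        if skeleton(host) == skeleton(TRUSTED_HOST):
            problems.append("look-alike host %r" % host)
        else:
            problems.append("host %r is not %s" % (host, TRUSTED_HOST))
    if link_text:  # <a href="http://evilserver.com">secondlife.com</a>: text and target disagree
        shown = raw_host(urlsplit(link_text if "://" in link_text else "//" + link_text).netloc)
        if shown and skeleton(shown) != skeleton(host):
            problems.append("link text shows %r but target is %r" % (shown, host))
    return problems
```

The Cyrillic case is caught by the non-ASCII check rather than by skeleton folding, which only covers Latin look-alikes; a production checker would use a full confusables table.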
