[sldev] [Upcoming Changes] Website Viewer Authentication

Boroondas Gupte sllists at boroon.dasgupta.ch
Fri Sep 28 15:54:47 PDT 2007


Dale Glass wrote:
> The password isn't the important thing, once a viewer logs in, it can
> immediately transfer all money from your account, transfer everything 
> interesting from the inventory, sell land, etc. The password isn't 
> important, what it gives access to is, and if you've let a malicious 
> viewer access your account, what the password was protecting is wide open.
>
> The impression that your password being protected means you can download 
> any random executable from the web and let it log in under your account is 
> IMO very, very dangerous.
I second this. It's like locking a window of a house while leaving the
door wide open.
Besides the fact that the viewer will need full access to the SL account
to be useful (in production use, that is; for testing I'd like the
"restricted mode" proposed by Dale), there are even more security
considerations:

    * The viewer is a program that runs locally, so it can access (and
      transfer/damage/...) every file on your machine (as far as your
      user permissions allow).
    * Why should the Web Browser be trusted any more than the Viewer is?
      I might be testing modified (and potentially malicious) Firefoxes
      instead of testing patched viewers. Or, more likely, I might have
      installed untrusted add-ons and plug-ins. Or I might even use some
      closed source browser by default, which I can't even examine to see
      what it might do. (Imagine that!)
    * The Viewer could easily catch your password when you enter it at
      the website. It just has to act as a key logger.

What I like about the idea of going inworld from the website is that it
might actually ease things for people with multiple accounts. The website
(actually, LL's database, of course) could "know" what other SL accounts
you own (either by comparing RL data entered, or because you manually
told it using a web form), so besides the [go inworld] button, there
could be a [go inworld as ...] drop down list which would allow you to
select the account to log in with.

Boroondas