[sldev] [Upcoming Changes] Website Viewer Authentication
Boroondas Gupte
sllists at boroon.dasgupta.ch
Fri Sep 28 15:54:47 PDT 2007
Dale Glass wrote:
> The password isn't the important thing, once a viewer logs in, it can
> immediately transfer all money from your account, transfer everything
> interesting from the inventory, sell land, etc. The password isn't
> important, what it gives access to is, and if you've let a malicious
> viewer access your account, what the password was protecting is wide open.
>
> The impression that your password being protected means you can download
> any random executable from the web and let it log in under your account is
> IMO very, very dangerous.
I second this. It's like locking a window of a house while leaving the
door wide open.
Besides the fact that the viewer will need full access to the SL account to
be useful (in production use, that is; for testing I'd like the "restricted
mode" proposed by Dale), there are even more security considerations:
* The viewer is a program that runs locally, so it can access (and
transfer/damage/...) every file on your machine (as far as your
user permissions allow).
* Why should the Web Browser be trusted any more than the Viewer is?
  I might be testing modified (and potentially malicious) Firefoxes
  instead of testing patched viewers. Or, more likely, I might have
  installed untrusted add-ons and plug-ins. Or I might even use some
  closed-source browser by default, which I can't examine at all to see
  what it might do. (Imagine that!)
* The Viewer could easily catch your password when you enter it at
  the website. It just has to act as a key logger.
What I like about the idea of going inworld from the website is that it
might actually ease things for people with multiple accounts. The website
(actually, LL's database, of course) could "know" which other SL accounts
you own (either by comparing RL data entered, or because you manually
told it using a web form), so besides the [go inworld] button, there
could be a [go inworld as ...] drop-down list which would allow you to
select the account to log in with.
Boroondas