[sldev] [META] Formal critique of new auth mechanism?
Dale Glass
dale at daleglass.net
Sat Sep 29 13:12:31 PDT 2007
On Saturday 29 September 2007 21:55:44 Callum Lerwick wrote:
> I'm not seeing much clarity on what exactly we're trying to fix here.
>
> The original message said something about phishing attempts. That's
> easily solved by using SSL and having the client strictly check that
> certificates match the grid it is expecting to connect to. It's a solved
> problem. Why aren't we doing it?
Agree here. IMO, trying to solve phishing by moving things to a website,
which is the one place where phishing is most common, is a very bad idea.
> If the worry is untrusted *clients*, well that's a whole different
> issue. And not a new one either. As Trusted Computing has yet to be
> signed into law, this is simply not under Linden Lab's control. It's in
> the user's hands. It's up to the user to decide what operating systems,
> web browsers and SL clients they trust.
Disagree here: "trusted computing" is not needed, and solves nothing. Under
the trusted computing model, signatures are enforced. All that means is
that it would force me to pay for a certificate. It doesn't stop anybody
from coding something malicious anyway; it simply makes it hard to do
anonymously. All of that then hinges on the security of the trust chain.
There are two parts to the untrusted clients issue:
Local computer security: Defining what the viewer is allowed to do on the
local computer. Installing keyloggers, mailing files, etc. are all
undesirable things. There are MANY measures to deal with this: account
permissions, Linux grsecurity patches, SELinux, etc. It's not easy, but it
is possible to force the viewer, at least on a Linux box, to be very
tightly contained by using SELinux. I wonder if anybody has tried doing
that, btw.
Once that part is solved we have the problem of the viewer being able to
mess with your account, which is beyond the reach of local security
measures. Here we need account restrictions: Make it possible to place
limits on the account, so that a malicious viewer can't cause damage even
if it tries. Restrictions can be placed on transfer of money, land,
rezzing, etc.
Restrictions can be made to be enabled automatically through the usage of a
special password, the IP address, or the time of the day, to lessen the
inconvenience of having to mess with settings before going somewhere, in
case you might have to login from there.
And IMO, they would be a very good thing to have. SL can be limited to the
point of becoming a 3D chat client and still be useful. I can see how some
people would like being able to log in from a cybercafe to discuss
something with a client or friend without making themselves vulnerable.
With a one-time login password and restrictions that only allow chatting,
you could log in from the most spyware-infested box safely.
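The account-restriction scheme sketched in the message above (a one-time restricted password, IP-based and time-of-day rules that strip dangerous capabilities from a session), written out as an added example in Python. This is not code from the post, the SL viewer or Linden Lab; the action names, the sample policy, the password digest and the IP addresses are all constructed for illustration, and a real deployment would use a proper salted password hash rather than a bare SHA-256.

```python
"""Session-scoped account restrictions against an untrusted viewer (added example).

The grid side decides what a session may do at login time, based on which
credential was used, where the client connects from, and when. A malicious
viewer holding a restricted session is denied money, land and rezzing
requests no matter what it sends. Everything here is constructed for the
demo; it is not Second Life's real protocol or API.
"""
import hashlib
import hmac
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed action vocabulary for the demo.
ALL_ACTIONS = frozenset({"chat", "im", "teleport", "rez", "pay", "sell_land", "give_inventory"})
CHAT_ONLY = frozenset({"chat", "im"})
DANGEROUS = frozenset({"rez", "pay", "sell_land", "give_inventory"})


def _digest(secret: str) -> str:
    # Demo digest only; a real system stores a salted, slow password hash.
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class AccountPolicy:
    password_hash: str
    one_time_passwords: dict   # digest(otp) -> frozenset of allowed actions; consumed on use
    trusted_networks: list     # ip_network objects; anywhere else loses DANGEROUS actions
    allowed_hours: tuple       # (start_hour, end_hour); outside this window only chat is allowed


@dataclass(frozen=True)
class Session:
    allowed: frozenset
    reason: str

    def permits(self, action: str) -> bool:
        return action in self.allowed


class LoginError(Exception):
    pass


def login(policy: AccountPolicy, password: str, client_ip: str, hour: int) -> Session:
    """Authenticate and return a session whose capability set is fixed for its lifetime."""
    digest = _digest(password)
    ip = ip_address(client_ip)

    # 1. One-time restricted password: matched first, removed on first use, and it
    #    grants only the capability set bound to it (e.g. chat only from a cybercafe).
    for otp_hash, allowed in list(policy.one_time_passwords.items()):
        if hmac.compare_digest(digest, otp_hash):
            del policy.one_time_passwords[otp_hash]
            return Session(frozenset(allowed), "one-time password")

    if not hmac.compare_digest(digest, policy.password_hash):
        raise LoginError("bad credentials")

    allowed = set(ALL_ACTIONS)
    reasons = []
    # 2. Unknown network: drop the actions that can cause irreversible damage.
    if not any(ip in net for net in policy.trusted_networks):
        allowed -= DANGEROUS
        reasons.append("untrusted network")
    # 3. Outside the account's usual hours: fall back to a 3D chat client.
    start, end = policy.allowed_hours
    if not (start <= hour < end):
        allowed &= CHAT_ONLY
        reasons.append("outside allowed hours")
    return Session(frozenset(allowed), ", ".join(reasons) or "full access")


def handle_request(session: Session, action: str) -> str:
    """Grid-side check on a viewer request: the viewer's intent is irrelevant, only the session counts."""
    if not session.permits(action):
        return f"DENIED {action} ({session.reason})"
    return f"OK {action}"


def make_demo_policy() -> AccountPolicy:
    """Constructed sample account: home LAN is trusted, one chat-only OTP, active 08:00-22:00."""
    return AccountPolicy(
        password_hash=_digest("correct horse"),
        one_time_passwords={_digest("otp-cafe-1"): CHAT_ONLY},
        trusted_networks=[ip_network("192.168.1.0/24")],
        allowed_hours=(8, 22),
    )


if __name__ == "__main__":
    policy = make_demo_policy()
    cafe = login(policy, "otp-cafe-1", "203.0.113.7", 14)   # constructed cybercafe address
    for action in ("chat", "pay", "rez"):
        print(handle_request(cafe, action))
    home = login(policy, "correct horse", "192.168.1.10", 14)
    print(handle_request(home, "pay"))
```

The point of the structure is that restrictions are decided once, at login, from facts the viewer cannot forge (which credential it presented, the source address seen by the server, the server's clock), and every later request is checked against that fixed set; a compromised viewer can ask for anything, but it only ever gets what the session allows.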