[sldev] OpenID vs. current proposal vis a vis security
Argent Stonecutter
secret.argent at gmail.com
Sun Sep 30 04:35:53 PDT 2007
On 29-Sep-2007, at 23:22, Rob Lanphier wrote:
> Let's say we did implement an OpenID Identity Provider, and switched the
> viewer to instead require OpenID (making the viewer act as both a
> relying party and a user agent). Would that be more secure than the
> current proposal? If so, why? It seems to me many of the criticisms
> associated with this current proposal would also apply to moving to
> OpenID.
Could be. I haven't investigated OpenID. It would depend on how you
implemented it... it would be possible to implement a secure login
from the client using HTTPS, using an HTML form submission or an XML
web services interaction to get a secure token to authenticate with.
My objections to the proposal are not to the protocol, they're to:
* depending on J. Random Browser being more secure than the client
* creating a persistent login with a scope larger than a single
instance of the client
If OpenID means that logging in to SL with a client automatically
drags my browser or another instance of the client into the session,
or shares my login with that client with 47 flavors of servers run by
J. Random Ratbag (no offense intended to the many fine rats I know in
SL), then yes I'd have a problem. Is that the case?
I'm *also* not really excited about having to log in to
secondlife.com to log in to jira.secondlife.com or
forums.secondlife.com either, but that kind of scope creep within the
web seems to be a fait accompli... I'm increasingly finding that some
J. Random Website recognises my Yahoo or Google identity and I have
to futz about with multiple browsers to try and at least cut down the
automagical identity tracking they're officially doing. But at least
there the security and privacy issues with browsers are already part
and parcel of the whole interaction, they're not introducing them
into an environment that doesn't yet have those kinds of problems.
In SL I don't yet have to (unless I choose to) deal with:
* Directed attacks on local client vulnerabilities, because SL itself
acts as a proxy firewall.
* Attacks through executable content pushed into my computer, because
the SL client doesn't try and act as a general sandbox for arbitrary
villainy.
* Attacks through buffer overflows in 101 flavors of file formats and
commercial plugins.
Oh, I'm not pretending someone couldn't potentially craft a crocked
image or animation or whatever that exploited a buffer overflow in
the client, but it's a lot harder with only a few formats to attack
and with the SIM acting as a firewall... and the client doesn't have
a built in "Hi! I need you to download and run J. Random Plugin to
view this page!" mechanism that in SOME browsers can even activate
automagically without notification if J. Random Plugin is coming from
J. Random Corporate Intranet Website (or happened to be installed
from said website for some unrelated reason six months ago and is
lying around in a system directory like an unexploded bomb).
AND I don't have to deal with:
* J. Random Server cross-checking my IP address and cookies and my
Google/Yahoo/SL/Whatever login session.
And that's a good thing. SL is not my job, and if SL became my job I
don't want to HAVE TO carry my job with me when I'm in SL just for
fun. I know a Linden or two who can empathize with THAT (and even if
I happen to notice that JRandom Surname acts a lot like JRandom
Linden that doesn't mean that I'm going to take advantage of it OR
that JRandom Stranger can look it up on
your-lindens-here.what.example.com). In the physical world having
strangers recognize me
from the Internet has happened, occasionally, but mostly I can go
somewhere where everyone knows my name without everyone who knows my
name anywhere in the world being able to bug me. I can leave my
cellphone behind, and turn it off. It's hard enough to do that in SL
as it is, but at least I can log onto SL as NotArgent NotStonecutter
and NOT be walking around with a tag that says "Hi! Anyone in the
world is now invited to bug me with questions about work/scripting/
whatever".
Larry Niven writes crime and detective stories with an SF background.
In one of the stories, "A Kind of Murder", Transfer Booths have made
the real world as tightly connected and easy to navigate as the
Internet or Second Life, and the results aren't universally good. You
can get a copy of it from Fictionwise for US$0.69 (that's what,
L$200?) at http://www.fictionwise.com/eBooks/eBook4548.htm in DRM-free
format (PDF and half a dozen eBook formats, and the Mobibook version
can be trivially transcoded back to HTML).
SL has the potential of carrying with it all the problems of Larry
Niven's transfer booths (without, alas, all the associated
advantages). So far it's managed to avoid that, but god knows there's
no end of people who think it'd be really nifty if it did.