[sldev] OpenID vs. current proposal vis a vis security

Jesse Barnett jessesa at gmail.com
Sun Sep 30 07:24:53 PDT 2007


On 9/30/07, Argent Stonecutter <secret.argent at gmail.com> wrote:
>
> I'm *also* not really excited about having to log in to
> secondlife.com to log in to jira.secondlife.com or
> forums.secondlife.com either, but that kind of scope creep within the
> web seems to be a fait accompli... I'm increasingly finding that some
> J. Random Website recognises my Yahoo or Google identity and I have
> to futz about with multiple browsers to try and at least cut down the
> automagical identity tracking they're officially doing. But at least
> there the security and privacy issues with browsers are already part
> and parcel of the whole interaction, they're not introducing them
> into an environment that doesn't yet have those kinds of problems.




This is one more thing that really needs to be looked at seriously while
we are having this discussion. We have to log into the wiki, the forums,
our account web page and our viewer with the exact same name and password.
Four separate places we are vulnerable to people getting access to our
account.
We have already survived the wiki getting hacked and now LL refuses to admit
the reason that bbcode was disabled.

https://my.controlscan.com/threats/details.cgi?id=16280

We are still using VBCode 3.05 in which a vulnerability was discovered on
1/31/05.
So for over a year until bbcode was disabled we were vulnerable to someone
getting our authentication cookies. Yet no one has come out and
said it might be a good idea to change your password AGAIN.

I would much rather keep my viewer and account main page completely separate
from both the forums and the wiki and any other LL websites.