[sldev] Client-side scripting is real
Dzonatas Sol
dzonatas at gmail.com
Fri Dec 25 08:04:44 PST 2009
Argent Stonecutter wrote:
>
> How do you communicate with that application to tell it to connect to
> that address to get the string in the first place? That is, how is
> this string published to the application? If that publication process
> involves a network connection, why redundantly pass the address over
> that connection, and open up the possibility of it being further
> distributed?
>
You can read the options now available:
http://wiki.secondlife.com/wiki/User:Dzonatas_Sol/Communicator#Options
If there is another option you think is desirable, then please suggest
it rather than flippantly stating "ick". When there are web browsers and
many other applications, like SL, that do send URIs & IP addresses over
the Internet, I question why in the world would you even start your
security rant with SNOW-375. If you understand the steps taken in the
protocol, then why not just merely suggest a different step? That is
what you didn't do, and I am unable to take you seriously because of that.
1. Localhost is the default
2. Remote connections being denied is the default (i.e. no internet, no
nothing going over it).
3. The API can be turned on/off completely.
4. Until HTTPS/credentials are used, a mutual HTTP/TCP-socket session is
used to establish trust.
5. HTTPS/credentials is probably overkill for localhost only, but it is
still desirable for its flexibility that HTTP/TCP-socket sessions lack.
If something further distributes your private information from inside
your firewall to somewhere on the internet, then it's your firewall that
has issues, and it's not related to SNOW-375 at all.