
Possible change in logging on to SL

Nika Talaj
now you see her ...
Join date: 2 Jan 2007
Posts: 5,449
09-29-2007 17:43
From: SuezanneC Baskerville
I do have a question: what effect would this proposed change have on folks that run a slew of campbots, landsearch bots, and other high-volume libsecondlife bot operators?
From what I see in the wiki discussion and by skimming the dev thread, it looks to me like anyone who wanted to log in multiple accounts simultaneously would be forced to use a third-party client to do it. A couple of people have noted that this would have the effect of driving a LOT more people to third-party clients, under the assumption that they will find a way to simply circumvent it.

The more I've thought about this the less I like it. Let's say LL acknowledges that it's unacceptable to cripple alts (which they have not yet done), and they try to support simultaneous logins within this scheme. As it happens, I participated in a collab project where we provided SSO (single sign-on, which is what this is) for a web app that needed to support multiple instances signed-in, and it was a nightmare. We ended up supplying an immense ActiveX plugin and various little pieces of our application to provide windows management and response routing in XP/IE, it took forever to get right, and we just bagged it for Firefox/Safari/Opera. Maybe we did it wrong ... but we did look for other approaches and the people involved were not dim.

*frets*

Sue, it sounds like you may be part of the dev community. Rob Linden has put together a formal critique page for signature at https://wiki.secondlife.com/wiki/Viewer_Authentication_Critique
This is a process I'm not familiar with, so I won't participate. There is a link at the top of the critique page to the wiki discussion page to which I contributed. Dev folks may want to take a look.
_____________________
.
:) To contact forum folks, join the inworld group "The Forum Cartel". New residents with questions about SL more than welcome! We has parties!

:) To contact forum scripters, join the inworld group "Scriptoratti" (thanks Void!). New scripter questions welcome!
Cristalle Karami
Lady of the House
Join date: 4 Dec 2006
Posts: 6,222
09-29-2007 17:48
When this topic came up a while back (something about Open Key or something like that), I asked the question: will this stop bots?

I ask it again. Would this do anything to stop bots?
_____________________
Affordable & beautiful apartments & homes starting at 150L/wk! Waterfront homes, 575L/wk & 300 prims!

House of Cristalle low prim prefabs: secondlife://Cristalle/111/60

http://cristalleproperties.info
http://careeningcristalle.blogspot.com - Careening, A SL Sailing Blog
Malachi Petunia
Gentle Miscreant
Join date: 21 Sep 2003
Posts: 3,414
09-29-2007 18:46
From: someone
Rob Linden has put together a formal critique page...
Thanks for the pointer.

It will be nice to know exactly what shade of blue the deck chairs on the Titanic should be. I am simply flabbergasted that they are setting their sights on login modality because that is obviously one of the more pressing issues in front of them. :rolleyes:

I'd post to the wiki but would be embarrassed to be associated with that endeavor in any way.
Daisy Rimbaud
Registered User
Join date: 12 Oct 2006
Posts: 764
09-29-2007 23:57
From: Malachi Petunia
I am simply flabbergasted that they are setting their sights on login modality because that is obviously one of the more pressing issues in front of them.


So true ...

Since pretty well every creator has to use a multiple login some of the time for testing purposes, this is a really silly idea. Why can't LL come up with some GOOD ideas for a change, instead of breaking things that were already OK?
Nina Stepford
was lied to by LL
Join date: 26 Mar 2007
Posts: 3,373
09-30-2007 01:56
one does not need to be savvy to use a modern browser, little lego man.
From: Tegg Bode
Yes, despite popular belief in the Linux users enclave, a large number of people do quite happily, because for those who aren't computer savvy to use Linux, Firefox, Solaris, Mac, Vista, CP/M etc and would just like a common system that works then IE works great.
If Linux etc is so good, great, just don't push it on other people or complain that there's no Linux version of something or it doesn't work when other versions do :)
Nina Stepford
was lied to by LL
Join date: 26 Mar 2007
Posts: 3,373
09-30-2007 01:59
my bank likes to sniff my browser then complain that i 'upgrade' to ie. it's annoying because my browser will function on the site just fine. so i spoof the outgoing headers to fool websites into believing i am running ie :) there is a plugin available for this purpose at mozilla.org
From: Charlene Trudeau

I use IE only when I have to run a windows update. For every other purpose, if a website requires IE, I find someone else to work with.
Matthew Dowd
Registered User
Join date: 30 Jan 2007
Posts: 1,046
09-30-2007 02:11
From: Malachi Petunia

I'd post to the wiki but would be embarrassed to be associated with that endeavor in any way.


I seem to have been nominated as "working group chair" for the wiki critique, so if there's any point you want to raise in there which isn't there already, let me know.

I have been keeping an eye on this thread.

Matthew

P.S. Any Pros for synching the viewer logon with the forums et al.? We have all the Cons I think (e.g. cumbersome for those who have alts to make sure it really *is* the main account posting to the forums!), but no one has volunteered any benefits yet!
Daisy Rimbaud
Registered User
Join date: 12 Oct 2006
Posts: 764
09-30-2007 05:01
From: Matthew Dowd
... no one has volunteered any benefits yet!


There may be a good reason for that ...
Malachi Petunia
Gentle Miscreant
Join date: 21 Sep 2003
Posts: 3,414
09-30-2007 06:18
From: Matthew Dowd
I seem to have been nominated as "working group chair" for the wiki critique, so if there's any point you want to raise in there which isn't there already, let me know.
You are welcome to carry any of my words on the subject (with attribution or not as you wish, even including the "fucking brilliant";) if you think it would matter one iota. I recommend you not waste your time.
Malachi Petunia
Gentle Miscreant
Join date: 21 Sep 2003
Posts: 3,414
09-30-2007 06:29
From: someone
Why can't LL come up with some GOOD ideas for a change, instead of breaking things that were already OK?
At the risk of being redundant I think the "Tao of Linden" is to blame.

My best guess about why this has climbed to a critical priority is that (a) someone at LL wants to play with OpenID because they think it would be fun and/or (b) they vaingloriously think that they can re-invent Microsoft Passport and go down in history as being the one web site through which you access all others.
Usagi Musashi
UM ™®
Join date: 24 Oct 2004
Posts: 6,083
09-30-2007 06:39
Don't even try to give LLabs that much smarts :D. It's all about "HEY I THINK IF WE DO THIS" as Lindens talk to themselves. Everyone is trying to outdo each other in the ranks. Hence all the broken, crazy stuff. EXAMPLE......... Remember when LLabs changed PDT to SLT? Then ask why they did this? LLabs Lindens said "DA, because everyone gets confused bla bla bla"........ Look now they changed it back to PDT. WHY? Because there is always changing ranks in the Linden ego ranks. *Shakes head* Why do we have to be the Master-betaer users in, as you say, crack pot ideas? *Shakes head* Then again over these past few years SOME, not all, Lindens could not code themselves out of a 101 C++ class.
Nina Stepford
was lied to by LL
Join date: 26 Mar 2007
Posts: 3,373
09-30-2007 07:17
From: Matthew Dowd

P.S. Any Pros for synching the viewer logon with the forums et al.? We have all the Cons I think (e.g. cumbersome for those who have alts to make sure it really *is* the main account posting to the forums!), but no one has volunteered any benefits yet!


From: Nina Stepford
the upside of this is that third-party viewers will no longer have the ability to grab login details. your passwds will never be passed through the client!

first reply.
that is a benefit.
Malachi Petunia
Gentle Miscreant
Join date: 21 Sep 2003
Posts: 3,414
09-30-2007 08:19
From: someone
[a rogue client not having your password] is a benefit.
That is in the wiki as the primary reason for this "feature". It has already been rebutted there on the basis that a malware client already has your authenticated session in hand and can do whatever it could do in SL with your password, with the singular exception of not having your password.

Moreover, combined with the commonly used "Administrator" privileges on Windows that SL typically runs under, a rogue client can do anything it wants including key-logging your next secondlife.com web login password. Put another way, a rogue client can hoist itself into as much system privilege as it wants to.

Therefore, this scheme protects against nothing on the primary client platform. It only offers the appearance of security while adding complications for everyone else.

The Mac and Linux could potentially be better served by this feature, but that hardly matters, numerically speaking.
Nina Stepford
was lied to by LL
Join date: 26 Mar 2007
Posts: 3,373
09-30-2007 09:10
again, the danger isn't so much what the client can do in world. the danger is somebody being able to log into sl website and access payment details and buy lindens and so on.
everything else you list can be done already, even without a new login method.
From: Malachi Petunia
That is in the wiki as the primary reason for this "feature". It has already been rebutted there on the basis that a malware client already has your authenticated session in hand and can do whatever it could do in SL with your password, with the singular exception of not having your password.

Moreover, combined with the commonly used "Administrator" privileges on Windows that SL typically runs under, a rogue client can do anything it wants including key-logging your next secondlife.com web login password. Put another way, a rogue client can hoist itself into as much system privilege as it wants to.

Therefore, this scheme protects against nothing on the primary client platform. It only offers the appearance of security while adding complications for everyone else.

The Mac and Linux could potentially be better served by this feature, but that hardly matters, numerically speaking.
Nika Talaj
now you see her ...
Join date: 2 Jan 2007
Posts: 5,449
09-30-2007 09:11
Matthew, simple question: if Joe Q. Random user wants to run multiple logins from one computer in Windows, what (from a button-pushing perspective) would the user have to do, if using LL's standard SSO client?

And, what do you see most bot users doing? Using an enhanced library that just circumvents this? (my personal best guess)
Malachi Petunia
Gentle Miscreant
Join date: 21 Sep 2003
Posts: 3,414
09-30-2007 09:32
From: someone
again, the danger isn't so much what the client can do in world. the danger is somebody being able to log into sl website and access payment details and buy lindens and so on.
everything else you list can be done already, even without a new login method.
It is unclear to me if this is a refutation of or amplification of my point, so I will condense it.

A malware-client can do anything it wants including stealing your SL passwords, wiping your hard drive, or getting Quicken to wire all your funds to a Swiss account.

A malware-calculator can do the same.

Using http based authentication in the presence of malware affords exactly zero protection.

I hope that was more succinct.
Usagi Musashi
UM ™®
Join date: 24 Oct 2004
Posts: 6,083
09-30-2007 09:44
From: someone
again, the danger isn't so much what the client can do in world. the danger is somebody being able to log into sl website and access payment details


As you know, if you open the payment details online it erases it off the database. It's a fail-safe for possible issues of hackers getting to your real name and account information. I don't know who said this quote, but you're wrong.

Usagi
Matthew Dowd
Registered User
Join date: 30 Jan 2007
Posts: 1,046
09-30-2007 10:12
From: Nina Stepford
first reply.
that is a benefit.


I split the critique into three sections trying to cover what we believe the objectives of the new system are. Namely:

Security - i.e. preventing the need for a third party viewer to see the username and password. As such we have noted this as a Pro. On the con side for this, we have noted (amongst other things) that a viewer has privileged access to both your account and computer, that it could do various nefarious things without knowing your username and password, such as buy L$ on your stored credit card, wipe out L$ balances, install other trojans on your computer etc. As such, if you don't trust the viewer software enough to give it your user name and password, you shouldn't be running the software anyway; the proposed solution of logging onto SL via a web page is much more prone to phishing (I'd suspect we'd see a whole load of e-mails reading "You've received xxx in SL. Please logon to SL via this web page" circulating).

Flexibility - i.e. allowing you to logon to third party web sites via your SL username and password without the third party being privy to your username and password. This is something we feel worth pursuing, but this needn't per se affect how the viewer logon works.

Persistence - i.e. logging onto the viewer automatically logs you onto the forums etc. and vice versa.

It is the latter where we have lots of cons particularly if you use alts, but as yet no pros. So it would be useful to know from anyone who feels strongly that being logged onto the forums automatically when you logon to SL would be useful.

Matthew
Matthew Dowd
Registered User
Join date: 30 Jan 2007
Posts: 1,046
09-30-2007 10:20
From: Nika Talaj
Matthew, simple question: if Joe Q. Random user wants to run multiple logins from one computer in Windows, what (from a button-pushing perspective) would the user have to do, if using LL's standard SSO client?


This isn't entirely clear (not least of all as the proposed approach isn't clear on how you pass customised command line options to the client when you start it via the web, such as the -multiple option needed for running multiple clients), but I suspect it would work something like this:

1) Go to website.
2) Login as Alt1
3) Click on Start SL which launches the viewer logged in as Alt1
4) Go to website
5) Logoff (keeping viewer running)
6) Login as Alt2
7) Click on Start SL which launches the viewer logged in as Alt2
8) Repeat steps 4, 5, 6, 7 as required

From: someone

And, what do you see most bot users doing? Using an enhanced library that just circumvents this? (my personal best guess)


Yep, a library which automates the above process feeding inputs to the appropriate webforms.

Nicholaz et al would probably build something similar into their viewer to simplify the process for people running multiple Alts anyway (e.g. presenting a similar interface to the current viewer to the user) - and yes, there is an obvious irony there...

Matthew
Nika Talaj
now you see her ...
Join date: 2 Jan 2007
Posts: 5,449
09-30-2007 10:23
From: Matthew Dowd
It is the latter where we have lots of cons particularly if you use alts, but as yet no pros. So it would be useful to know from anyone who feels strongly that being logged onto the forums automatically when you logon to SL would be useful.
Nope sorry no benefit to me. The extra control is worth the few extra keystrokes ... in fact, for me the best solution to forum security would be a separate password for the forums. lol, sorry. That way my SL password (used for website transactions and SL both) would NOT be compromised when I login to the forums, which I do far more often, from many more computers.

I only play SL and do $ transactions from physically secure computers that I control and protect. I use the forums from, well, anywhere.
Kitty Barnett
Registered User
Join date: 10 May 2006
Posts: 5,586
09-30-2007 10:33
Currently, if you have access to someone's website login session, you can't actually buy L$: any LindeX transaction prompts you for credentials.

Things you can do:
* charge the credit card by increasing the US$ balance (annoying for the victim, but there's no way for the "hacker" to access those funds) - low/medium risk
* impersonate someone on the forums/support portal - annoying but low risk
* cancel someone's account - annoying but reversible, low risk
* potentially discover enough information to use the reset password link (you're likely to have set home to a sim that you own land on; online friends could answer that part of the reset; and you can check the account history for the last US$ transaction) - medium/high risk?

Cashing out: I've never used that so I don't know if it will prompt you for your credentials again or not.

Any new log-on procedure should at the least be as "secure" as this, and preferably more secure.

From: Nika Talaj
Nope sorry no benefit to me. The extra control is worth the few extra keystrokes ... in fact, for me the best solution to forum security would be a separate password for the forums. lol, sorry
It's not just the forums. I have to enter my password every single time I go to JIRA and want to do something else than read an entry, the same for the wiki.

At least the forums are part of the main site login and the cookie only seems to fail every (two?) month or so.
Malachi Petunia
Gentle Miscreant
Join date: 21 Sep 2003
Posts: 3,414
09-30-2007 10:47
I'm having a hard time figuring whether people's posts are in support of the proposed scheme or show why it should be rejected; that in itself is a trouble as any scheme that is hard to discuss is hard to make sense of, therefore bad.

Problem: Rogue third party client could steal your password
Proposal: Allow an LL controlled website hide password from client
Rejection: Hiding password from rogue client protects nothing
Nina Stepford
was lied to by LL
Join date: 26 Mar 2007
Posts: 3,373
09-30-2007 10:52
im not so much in favour of this, but i am not opposed to it.
the risks people are mentioning already exist, so no new risks are introduced from what i know of this proposed system. and the option to hide the passwd from the client seems to be a benefit.
Kitty Barnett
Registered User
Join date: 10 May 2006
Posts: 5,586
09-30-2007 10:58
From: Malachi Petunia
Problem: Rogue third party client could steal your password
That's merely one aspect of something larger though. It should probably be restated to:

Problem: Puters can run (potentially malicious) code

That sounds rather ridiculous, but that is the core issue. It doesn't matter whether it's a third party client or anything else random. Someone can write a rogue freebie sculpty/whatever editor and offer it to the community for free and when it's run it sends the stored password file to the creator, or it installs a keylogger behind the scenes.

IMO the only secure(r) way to log on than what's in place now would be for LL to send everyone a list of one time passwords like banks do (or in my case, the bank actually sent a "calculator" to generate one time access codes).
Nina Stepford
was lied to by LL
Join date: 26 Mar 2007
Posts: 3,373
09-30-2007 11:07
so should ll tie your login with an ip range? mac addy? hardware id?