02-07-2008 17:14
Ok, I've read a bunch of threads, and a lot of different responses and information have been given over the months. I want to securely communicate with my website using HTTP in LSL with PHP and using SSL https encryption. So, I have a few questions still... But first I will list some of the basic ways I might protect the communications:

1. Use SSL - prevents users from sniffing url requests.
2. Maintain ownership of the object and the script. (prevents perm override hack)
3. Use POST instead of GET
4. Check that the headers came from LL - checking IP is the most secure (but could change?)
5. Encrypt the data - Not sure how to encrypt with LSL and decrypt with PHP (base64 ?)
6. Check for owner UUID - this could be hacked I suspect
7. use my own special answer response...

Ok first, about #7. I've done this before and I think it's fairly secure. What do you think? Example: generate a random number say $x = 943857 - then do some crazy math on it - say
$x = ((($x * 71) - 3856) * 7) - 24397; or something - and then MD5 that. Then you can 'mask' the original number with some letters or other numbers perhaps. Like "58*47-943$857#1385". Then when you send the masked number and the resulting MD5 - you then unmask the number and verify the equation again in your php script and if they match, it's authentic. If you sent this via POST with SSL, it would be encrypted and no one could get the pair of variables. (If you were really paranoid, you could code your database to only allow the original number to be used once.) So if it failed, then it could generate a new number and send it again.

Ok, now another question. If you need to retain ownership of the object and the script, how does SLX secure their terminals? I'm not sure but I'm guessing they are owned by other people that place them on their land. Wouldn't their scripts be at risk in that situation?

Thanks for any feedback on these comments and questions!
- Mason
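Added example (not code from the post, and not from any LSL or PHP script): the "special answer response" exchange described above, worked through in Python so both ends can be run offline. Python stands in for the LSL sender and the PHP receiver. The transform constants and the sample number are the post's own illustrative values; the mask layout (nonce digits between `-` and `#` with a `$` after the third digit), the `Verifier` class, the single-use nonce set and the shared `KEY` are assumptions made for this example. A keyed-HMAC variant of the token is included beside the MD5 version for comparison, so the same verifier can be run with either.

```python
import hashlib
import hmac
import random
from typing import Optional, Callable

# Placeholder secret for the keyed variant; assumed to live only on the
# server and inside the script (constructed value, not a real key).
KEY = b"placeholder-shared-secret"


def transform(x: int) -> int:
    """The 'crazy math' step from the post, applied before hashing."""
    return (((x * 71) - 3856) * 7) - 24397


def make_token(nonce: int) -> str:
    """MD5 of the transformed nonce, as the post describes."""
    return hashlib.md5(str(transform(nonce)).encode()).hexdigest()


def make_keyed_token(nonce: int, key: bytes = KEY) -> str:
    """Comparison variant (my addition): HMAC-SHA256 over the raw nonce.
    The secret lives in the key instead of in the arithmetic."""
    return hmac.new(key, str(nonce).encode(), hashlib.sha256).hexdigest()


def seeded_rng(seed: int) -> random.Random:
    """Deterministic generator for tests; real use would pass random.SystemRandom()."""
    return random.Random(seed)


def mask(nonce: int, rng: random.Random) -> str:
    """Hide the six-digit nonce among filler, like '58*47-943$857#1385'.
    Agreed layout (assumed): nonce digits sit between '-' and '#', with a
    '$' after the third digit; every other character is random filler."""
    digits = f"{nonce:06d}"
    filler = lambda k: "".join(str(rng.randrange(10)) for _ in range(k))
    return f"{filler(2)}*{filler(2)}-{digits[:3]}${digits[3:]}#{filler(4)}"


def unmask(masked: str) -> Optional[int]:
    """Recover the nonce from the agreed layout; None if the shape is wrong."""
    parts = masked.split("-", 1)
    if len(parts) != 2:
        return None
    body = parts[1].split("#", 1)[0].replace("$", "")
    return int(body) if body.isdigit() and len(body) == 6 else None


def client_request(nonce: int, rng: random.Random,
                   token_fn: Callable[[int], str] = make_token) -> dict:
    """What the in-world script would POST: masked nonce plus its token."""
    return {"n": mask(nonce, rng), "h": token_fn(nonce)}


class Verifier:
    """Server-side check (stands in for the PHP script). Keeps a set of
    nonces already accepted so the post's optional use-once rule is enforced."""

    def __init__(self, token_fn: Callable[[int], str] = make_token):
        self.token_fn = token_fn
        self.used = set()

    def verify(self, n: str, h: str) -> bool:
        nonce = unmask(n)
        if nonce is None or nonce in self.used:
            return False           # malformed mask or replayed nonce
        if not hmac.compare_digest(self.token_fn(nonce), h):
            return False           # token does not match the recomputed value
        self.used.add(nonce)
        return True


if __name__ == "__main__":
    rng = random.SystemRandom()
    server = Verifier()
    req = client_request(rng.randrange(1_000_000), rng)
    print(req, server.verify(req["n"], req["h"]))   # first use accepted
    print(server.verify(req["n"], req["h"]))        # replay rejected
```

Usage: `Verifier(make_keyed_token)` together with `client_request(..., token_fn=make_keyed_token)` runs the same exchange with the HMAC token; the mask, the unmask step and the replay check are unchanged, only the token function differs.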